~/.ssh directory permissions

Brent Bloxam brentb at beanfield.com
Wed Jun 24 16:49:33 UTC 2009

Chris Rees wrote:
> Although I think it's not a big deal, as long as your id_?sa has
> permissions 600 like mine, or even 400.
> Chris

The man page for ssh(1) provides a lot of detail about the sensitivity 
of the various files related to ssh. To quote it regarding a few of them:

>      ~/.ssh/
>              This directory is the default location for all user-specific configuration and authentication information.  There is no
>              general requirement to keep the entire contents of this directory secret, but the recommended permissions are
>              read/write/execute for the user, and not accessible by others.

So as you can see, 700 is recommended (but not necessary).

>      ~/.ssh/identity
>      ~/.ssh/id_dsa
>      ~/.ssh/id_rsa
>              Contains the private key for authentication.  These files contain sensitive data and should be readable by the user but not
>              accessible by others (read/write/execute).  ssh will simply ignore a private key file if it is accessible by others.  It is
>              possible to specify a passphrase when generating the key which will be used to encrypt the sensitive part of this file
>              using 3DES.

However, identity, id_dsa and id_rsa _must_ be 700 at a maximum. It's 
best to follow the recommendations from the man page unless you have 
very specific reasons for needing more lax permissions on these files.


More information about the freebsd-questions mailing list