Date:      Wed, 24 Jun 2009 12:49:28 -0400
From:      Brent Bloxam <brentb@beanfield.com>
To:        "freebsd-questions@freebsd.org" <freebsd-questions@freebsd.org>
Subject:   Re: ~/.ssh directory permissions
Message-ID:  <4A425918.4060404@beanfield.com>
In-Reply-To: <b79ecaef0906230952g4640e660h5faa37450fa092@mail.gmail.com>
References:  <b6c05a470906230706w5154c697uedb41f2164681a0a@mail.gmail.com> <4B45B6F6-007E-4DDC-994F-1369FEAEBA7D@boosten.org> <b79ecaef0906230952g4640e660h5faa37450fa092@mail.gmail.com>

Chris Rees wrote:
> 
> Although I think it's not a big deal, as long as your id_?sa has
> permissions 600 like mine, or even 400.
> 
> Chris
> 

The man page for ssh(1) provides a lot of detail about the sensitivity 
of the various files related to ssh. To quote it regarding a few of them:

>      ~/.ssh/
>              This directory is the default location for all user-specific configuration and authentication information.  There is no
>              general requirement to keep the entire contents of this directory secret, but the recommended permissions are
>              read/write/execute for the user, and not accessible by others.

So as you can see, 700 is recommended (but not necessary).

>      ~/.ssh/identity
>      ~/.ssh/id_dsa
>      ~/.ssh/id_rsa
>              Contains the private key for authentication.  These files contain sensitive data and should be readable by the user but not
>              accessible by others (read/write/execute).  ssh will simply ignore a private key file if it is accessible by others.  It is
>              possible to specify a passphrase when generating the key which will be used to encrypt the sensitive part of this file
>              using 3DES.

However, identity, id_dsa and id_rsa _must_ be 700 at a maximum. It's 
best to follow the recommendations from the man page unless you have 
very specific reasons for needing more lax permissions on these files.

Regards,
Brent
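
The rules quoted from ssh(1) above, turned into a small audit script. This is an added example, not part of the original thread and not code from OpenSSH or FreeBSD. It assumes a `stat` that understands either GNU `-c '%a'` or BSD `-f '%Lp'`, treats any private key with group/other bits set as one ssh will ignore, and also looks for the newer key names `id_ecdsa` and `id_ed25519`, which are not in the 2009 man page quoted above. The function name `ssh_perm_audit` and the `-f` flag are the example's own.

```shell
#!/bin/sh
# Added example (not from the original thread or from OpenSSH).
# Audits a ~/.ssh-style directory against the ssh(1) recommendations:
#   directory     : 700 (user rwx, nothing for group/other)
#   private keys  : no group/other bits at all; ssh ignores a key file
#                   that is accessible by others, so 600 or 400 is what
#                   you want in practice.
# Usage: ssh_perm_audit [-f] DIR
#   Prints one line per problem and returns 1 if any were found, 0 if
#   clean. With -f the offending modes are also corrected.

# Octal permission bits of a path. Tries GNU stat first, then BSD stat
# (FreeBSD, the platform of the thread).
perm_of() {
    if stat -c '%a' "$1" >/dev/null 2>&1; then
        stat -c '%a' "$1"
    else
        stat -f '%Lp' "$1"
    fi
}

ssh_perm_audit() {
    fix=0
    if [ "$1" = "-f" ]; then
        fix=1
        shift
    fi
    dir=$1
    rc=0

    # The directory: the man page recommends 700 (not strictly required).
    mode=$(perm_of "$dir")
    if [ "$mode" != "700" ]; then
        echo "$dir: mode $mode, recommended 700"
        if [ "$fix" -eq 1 ]; then chmod 700 "$dir"; fi
        rc=1
    fi

    # Private keys: identity/id_dsa/id_rsa from the quoted man page, plus
    # the key names of later OpenSSH releases (assumption, not from the
    # thread). Any mode whose last two octal digits are not "00" grants
    # something to group or other, and ssh will skip the key.
    for key in identity id_dsa id_rsa id_ecdsa id_ed25519; do
        f="$dir/$key"
        [ -f "$f" ] || continue
        mode=$(perm_of "$f")
        case "$mode" in
            *00) ;;
            *)
                echo "$f: mode $mode, accessible by others (ssh will ignore this key); use 600 or 400"
                if [ "$fix" -eq 1 ]; then chmod 600 "$f"; fi
                rc=1
                ;;
        esac
    done
    return $rc
}
```

Run it as `ssh_perm_audit ~/.ssh` to report, or `ssh_perm_audit -f ~/.ssh` to report and repair. The check deliberately does not insist on exactly 600 for keys: a 700 key file is unusual but still accepted by ssh, since only the group and other bits are what cause the key to be ignored.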



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4A425918.4060404>