From owner-freebsd-questions@FreeBSD.ORG  Wed Jun 24 16:49:32 2009
Return-Path: <owner-freebsd-questions@FreeBSD.ORG>
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id EB4EB106564A
	for <freebsd-questions@freebsd.org>;
	Wed, 24 Jun 2009 16:49:32 +0000 (UTC)
	(envelope-from brentb@beanfield.com)
Received: from smtp2.beanfield.net (smtp2.beanfield.net [206.223.173.34])
	by mx1.freebsd.org (Postfix) with ESMTP id B53548FC20
	for <freebsd-questions@freebsd.org>;
	Wed, 24 Jun 2009 16:49:32 +0000 (UTC)
	(envelope-from brentb@beanfield.com)
Received: from brent.local ([66.207.193.249])
	by smtp2.beanfield.net (8.13.4/8.12.11) with ESMTP id n5OGjXqB078779
	for <freebsd-questions@freebsd.org>;
	Wed, 24 Jun 2009 12:45:33 -0400 (EDT)
	(envelope-from brentb@beanfield.com)
Message-ID: <4A425918.4060404@beanfield.com>
Date: Wed, 24 Jun 2009 12:49:28 -0400
From: Brent Bloxam <brentb@beanfield.com>
Organization: Beanfield Technologies
User-Agent: Thunderbird 2.0.0.22 (Macintosh/20090605)
MIME-Version: 1.0
To: "freebsd-questions@freebsd.org" <freebsd-questions@freebsd.org>
References: <b6c05a470906230706w5154c697uedb41f2164681a0a@mail.gmail.com>
	<4B45B6F6-007E-4DDC-994F-1369FEAEBA7D@boosten.org>
	<b79ecaef0906230952g4640e660h5faa37450fa092@mail.gmail.com>
In-Reply-To: <b79ecaef0906230952g4640e660h5faa37450fa092@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Subject: Re: ~/.ssh directory permissions
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: User questions <freebsd-questions.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>, 
	<mailto:freebsd-questions-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-questions>
List-Post: <mailto:freebsd-questions@freebsd.org>
List-Help: <mailto:freebsd-questions-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>, 
	<mailto:freebsd-questions-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 24 Jun 2009 16:49:33 -0000

Chris Rees wrote:
> 
> Although I think it's not a big deal, as long as your id_?sa has
> permissions 600 like mine, or even 400.
> 
> Chris
> 

The man page for ssh(1) provides a lot of detail about the sensitivity 
of the various files related to ssh. To quote it regarding a few of them:

>      ~/.ssh/
>              This directory is the default location for all user-specific configuration and authentication information.  There is no
>              general requirement to keep the entire contents of this directory secret, but the recommended permissions are
>              read/write/execute for the user, and not accessible by others.

So as you can see, 700 is recommended (but not necessary).

>      ~/.ssh/identity
>      ~/.ssh/id_dsa
>      ~/.ssh/id_rsa
>              Contains the private key for authentication.  These files contain sensitive data and should be readable by the user but not
>              accessible by others (read/write/execute).  ssh will simply ignore a private key file if it is accessible by others.  It is
>              possible to specify a passphrase when generating the key which will be used to encrypt the sensitive part of this file
>              using 3DES.

However, identity, id_dsa and id_rsa _must_ be 700 at a maximum. It's 
best to follow the recommendations from the man page unless you have 
very specific reasons for needing more lax permissions on these files.

Regards,
Brent