From: Brent Bloxam
Organization: Beanfield Technologies
Date: Wed, 24 Jun 2009 12:49:28 -0400
To: freebsd-questions@freebsd.org
Subject: Re: ~/.ssh directory permissions
Message-ID: <4A425918.4060404@beanfield.com>
References: <4B45B6F6-007E-4DDC-994F-1369FEAEBA7D@boosten.org>

Chris Rees wrote:
>
> Although I think it's not a big deal, as long as your id_?sa has
> permissions 600 like mine, or even 400.
>
> Chris
>

The man page for ssh(1) provides a lot of detail about the sensitivity
of the various files related to ssh. To quote it regarding a few of
them:

> ~/.ssh/
>     This directory is the default location for all user-specific
>     configuration and authentication information. There is no general
>     requirement to keep the entire contents of this directory secret,
>     but the recommended permissions are read/write/execute for the
>     user, and not accessible by others.

So as you can see, 700 is recommended (but not necessary).

> ~/.ssh/identity
> ~/.ssh/id_dsa
> ~/.ssh/id_rsa
>     Contains the private key for authentication. These files contain
>     sensitive data and should be readable by the user but not
>     accessible by others (read/write/execute). ssh will simply ignore
>     a private key file if it is accessible by others. It is possible
>     to specify a passphrase when generating the key which will be used
>     to encrypt the sensitive part of this file using 3DES.

However, identity, id_dsa and id_rsa _must_ be 700 at a maximum. It's
best to follow the recommendations from the man page unless you have
very specific reasons for needing more lax permissions on these files.

Regards,
Brent
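The following is an added example, not part of Brent's message, the thread, or anything shipped by FreeBSD or OpenSSH. It turns the man page text quoted above into a check: the ~/.ssh directory should have no group/other bits (700), and private keys that are accessible by others are ignored by ssh. The function names (`perm_of`, `private_only`, `audit_ssh_dir`, `fix_ssh_perms`) are assumptions; the script also generalizes slightly beyond the three files the man page names by treating every `id_*` file that is not a `.pub` as a private key. It takes the directory to audit as its only argument so it can be pointed at a constructed test directory instead of a real ~/.ssh.

```shell
#!/bin/sh
# Added example (not from the original message): audit a .ssh directory
# against the ssh(1) guidance quoted in the thread.  The directory should
# be 700; private keys must not be accessible by group or other, because
# ssh silently ignores such keys.  Usage: sh ssh_perm_audit.sh ~/.ssh

# Print the octal permission bits of a path, on GNU (stat -c) or BSD (stat -f).
perm_of() {
    if stat -c '%a' "$1" >/dev/null 2>&1; then
        stat -c '%a' "$1"          # GNU coreutils / busybox
    else
        stat -f '%Lp' "$1"         # FreeBSD / macOS
    fi
}

# Return 0 if the path has no group/other permission bits, 1 otherwise.
private_only() {
    [ -e "$1" ] || return 1
    # Zero-pad to four digits so "0" (mode 000) and "600" both parse the same way.
    mode=$(printf '%04d' "$(perm_of "$1")")
    # The last two octal digits are the group and other bits.
    [ "${mode#??}" = "00" ]
}

# Report the directory and every private key whose mode is too open.
# Returns 0 when everything matches the man page recommendation, 1 otherwise.
audit_ssh_dir() {
    dir=$1
    problems=0
    if [ ! -d "$dir" ]; then
        echo "ERROR: $dir is not a directory"
        return 1
    fi
    if ! private_only "$dir"; then
        echo "WARN: $dir is mode $(perm_of "$dir"); 700 is recommended"
        problems=$((problems + 1))
    fi
    # identity, id_dsa, id_rsa (and, as an assumption, any other id_* key).
    for key in "$dir"/identity "$dir"/id_*; do
        [ -f "$key" ] || continue
        case "$key" in *.pub) continue ;; esac   # public halves may be world-readable
        if ! private_only "$key"; then
            echo "FAIL: $key is mode $(perm_of "$key"); ssh will ignore this key"
            problems=$((problems + 1))
        fi
    done
    [ "$problems" -eq 0 ]
}

# Apply the recommended modes: 700 on the directory, 600 on each private key.
fix_ssh_perms() {
    dir=$1
    chmod 700 "$dir"
    for key in "$dir"/identity "$dir"/id_*; do
        [ -f "$key" ] || continue
        case "$key" in *.pub) continue ;; esac
        chmod 600 "$key"
    done
}

# Only audit when a directory was given on the command line.
case "${1:-}" in
    "") ;;
    *)  audit_ssh_dir "$1" ;;
esac
```

Run it as `sh ssh_perm_audit.sh ~/.ssh`; a non-zero exit means at least one file would be ignored by ssh or the directory is more open than recommended, and `fix_ssh_perms ~/.ssh` applies the 700/600 modes the thread settles on.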