To set SSH key permissions in Linux, we first need to know the correct permissions to assign. Without secure permissions your system will be open to attacks. So, let’s first see the permissions for the different entities –
- home – It should not be writable by group and others. The maximum permission is 755, i.e. drwxr-xr-x.
- .ssh – To keep this directory secure, you need to keep it inaccessible to group and others. It should be writable by root user only. So, the appropriate permission is 700, i.e. drwx------.
- private key (id_dsa) – Should not be accessible to group and others. Only readable and writable by root user. Permission on the private key should be 600, i.e. -rw-------.
- public key (.pub) – The public key can be read by all users but should not be writable. Only root user should be allowed to write. The appropriate permission is 644, i.e. -rw-r--r--.
- ~/.ssh/authorized_keys – This file holds all the public keys allowed to access the user account. The permission for this file should be 600, i.e. -rw-------.
- ~/.ssh/config – This is the ssh configuration file, which defines properties like password authentication, GSSAPI authentication etc. You need to keep it secure, so strictly it should be 600.
First check the permissions on your user directory using this command –
ls -ld ~
It will display the output like this –
drwxr-xr-x 8 akash akash 4096 Sep 24 00:12 /home/akash
If the permissions are different from drwxr-xr-x then update using chmod command –
chmod 0755 ~
The .ssh directory holds various files which are required for login. We need to have 700 permission on this directory.
Check the current permissions on this directory –
ls -ld ~/.ssh
The output should show the 700 permissions like this –
drwx------ 2 akamit akamit 4096 Sep 24 00:12 /home/akamit/.ssh
If it’s not the same, then update permission –
chmod 0700 ~/.ssh
Setting Private Key Permission
The private key, which is generally represented by id_rsa, needs to be very secure because this key is not transferred anywhere. Unlike the public key, which can be used by multiple applications, a private key is only used by server for authentication.
The appropriate permission for the private key file is 600.
Check the private key permission –
ls -ld ~/.ssh/id_rsa
If it’s not -rw------- then you need to immediately set it to 600, because otherwise group or others may read it.
chmod 0600 ~/.ssh/id_rsa
Setting Public Key Permission
Public key (*.pub) files can be shared among applications, as they are required to log in to the server. But alone a public key can’t help without the corresponding private key. That’s why we keep the private key secure and let applications use the public key.
The appropriate permission for the public key is 644, i.e. -rw-r--r--.
Set it using this command –
chmod 0644 ~/.ssh/id_rsa.pub
The authorized_keys file holds the list of public keys which are allowed to log in to the user account. There is not much issue if some application accesses this file. But it’s always better to have closed permissions. So keep it 600, i.e. -rw-------.
To check the permission of the authorized_keys file –
ls -ld ~/.ssh/authorized_keys
To change permissions –
chmod 0600 ~/.ssh/authorized_keys
Setting Config file Permission
You can locate the config file at ~/.ssh/config. This file holds the configuration parameters of ssh, which are very sensitive. You need to have closed permissions on this file. So strictly keep it 600.
chmod 0600 ~/.ssh/config
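The individual ls/chmod checks above can be run in one pass. The following is an added example, not part of the original article: the function names check_max and audit_ssh_perms are hypothetical, it assumes GNU coreutils stat, and it finds private keys by looking next to each *.pub file. A mode stricter than the listed one passes; only extra permission bits are reported.

```shell
#!/bin/sh
# Added example, not from the original article. Assumes GNU coreutils `stat`.
# Function names are hypothetical. Modes are the ones listed in the article.

# check_max PATH MAX: print a finding and return 1 if PATH grants any
# permission bit that octal MAX does not; return 0 if fine or absent.
check_max() {
    target=$1
    max=$2
    [ -e "$target" ] || return 0                    # nothing to audit
    mode=$(stat -L -c '%a' "$target") || return 1   # octal mode, e.g. 644
    extra=$(( 0$mode & ~0$max & 0777 ))             # bits beyond the maximum
    if [ "$extra" -ne 0 ]; then
        printf 'TOO OPEN %s mode=%s max=%s fix: chmod %s %s\n' \
            "$target" "$mode" "$max" "$max" "$target"
        return 1
    fi
    return 0
}

# audit_ssh_perms HOME_DIR: print findings; exit status = number of findings.
audit_ssh_perms() {
    home=$1
    findings=0
    check_max "$home" 755                      || findings=$((findings + 1))
    check_max "$home/.ssh" 700                 || findings=$((findings + 1))
    check_max "$home/.ssh/authorized_keys" 600 || findings=$((findings + 1))
    check_max "$home/.ssh/config" 600          || findings=$((findings + 1))
    for pub in "$home"/.ssh/*.pub; do
        check_max "$pub" 644                   || findings=$((findings + 1))
        # Private key is assumed to sit next to its .pub (id_rsa / id_rsa.pub).
        check_max "${pub%.pub}" 600            || findings=$((findings + 1))
    done
    return "$findings"
}
```

After sourcing the file, run audit_ssh_perms "$HOME"; each printed line names the path, its current mode and the chmod that brings it back to the value listed in this article.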
Setting SSH key permissions is essential because a wrong permission can open your system to unauthorized access. It is not only the keys; we need to secure several directories too. In this article we saw the appropriate permissions to assign to keys and the directories that hold them.