SSH and home directory permissions

permissions, ssh

It took me hours to solve this SSH problem with one of my class accounts on my school's servers.

I couldn't ssh into one particular class account without entering my password, while passwordless authentication worked with my other class accounts. The .ssh/ directory and all of its contents had the same, correct permissions as the other class accounts.

Turns out the problem was the permissions set on my own home directory. Passwordless authentication did not work when the permissions on my HOME directory were set to 770 (regardless of the permissions set for .ssh/), but it worked with permissions set to 755 or 700.

Anyone know why SSH does this? Is it because the home directory permissions are too permissive? Why does SSH refuse to authenticate with the public/private keys when the home directory is set more permissive than 700?

Best Answer

This is the default behavior for SSH. It protects user keys by enforcing rwx------ on $HOME/.ssh and ensuring only the owner has write permissions to $HOME. If a user other than the respective owner has write permission on the $HOME directory, they could maliciously modify the permissions on $HOME/.ssh, potentially hijacking the user keys, known_hosts, or something similar. In summary, the following permissions on $HOME will be sufficient for SSH to work.

  • rwx------
  • rwxr-x---
  • rwxr-xr-x

SSH will not work correctly and will send warnings to the log facilities if any variation of g+w or o+w exists on the $HOME directory. However, the administrator can override this behavior by defining StrictModes no in the sshd_config (or similar) configuration file, though it should be clear that this is not recommended.
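A local approximation of the check described in the answer, added here as an example (it is not OpenSSH's code and not part of the original answer). The function names are hypothetical; it assumes the default $HOME/.ssh/authorized_keys location and reports a missing path as a failure.

```shell
#!/bin/sh
# Added example: approximate the StrictModes test for $HOME, $HOME/.ssh and
# $HOME/.ssh/authorized_keys. Each path must be owned by the user or root
# and must not be writable by group or other.

# path_problem PATH UID: print why PATH would be rejected, or nothing if fine.
path_problem() {
    local info mode owner
    info=$(ls -ldn -- "$1" 2>/dev/null) || { echo "missing"; return; }
    mode=${info%% *}                                   # e.g. drwxrwx---
    owner=$(printf '%s\n' "$info" | awk '{print $3}')  # numeric owner uid
    if [ "$owner" != "$2" ] && [ "$owner" != 0 ]; then
        echo "owned by uid $owner, expected $2 or root"
        return
    fi
    # Characters 6 and 9 of the mode string are the group/other write bits.
    case $mode in
        ?????w*)    echo "group-writable ($mode)" ;;
        ????????w*) echo "world-writable ($mode)" ;;
    esac
}

# check_strict_modes HOME [UID]: return 0 if all three paths pass, else 1.
check_strict_modes() {
    local home uid rc p why
    home="$1"
    uid="${2:-$(id -u)}"
    rc=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        why=$(path_problem "$p" "$uid")
        if [ -n "$why" ]; then
            echo "FAIL $p: $why"
            rc=1
        else
            echo "ok   $p"
        fi
    done
    return $rc
}

# Run directly as: sh check.sh /home/alice [uid]
if [ "$#" -gt 0 ]; then
    check_strict_modes "$@"
fi
```

With the home directory at 770 this reports the home directory itself as group-writable even when .ssh/ is 700, which matches the symptom in the question.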
