SSH Key Permissions chmod settings

permissionsssh

I need to use SSH on my machine to access my website and its databases (setting up a symbolic link- but I digress).

Following problem

I enter the command:

ssh-keygen -t dsa

To generate public/private dsa key pair. I save it in the default (/home/user/.ssh/id_dsa) and enter Enter passphrase twice.

Then I get this back:

WARNING: UNPROTECTED PRIVATE KEY FILE!  
Permissions 0755 for '/home/etc.ssh/id_rsa' are too open. It is recommended that your private key files are NOT accessible by others. This private key will be ignored. bad permissions: ignore key: [then the FILE PATH in VAR/LIB/SOMEWHERE]

Now to work round this I then tried

sudo chmod 600 ~/.ssh/id_rsa         sudo chmod 600 ~/.ssh/id_rsa.pub

But shortly after my computer froze up, and on logging back on there was a could not find .ICEauthority error.

I got round this problem and deleted the SSH files but want to be able to use the correct permissions to avoid these issues in future.

How should I set up ICEauthority, or where should I save the SSH Keys- or what permissions should they have? Would using a virtual machine be best?

This is all very new and I am on a very steep learning curve, so any help appreciated.

Best Answer

chmod 600 ~/.ssh/id_rsa; chmod 600 ~/.ssh/id_rsa.pub (i.e. chmod u=rw,go= ~/.ssh/id_rsa ~/.ssh/id_rsa.pub) are correct.

chmod 644 ~/.ssh/id_rsa.pub (i.e. chmod a=r,u+w ~/.ssh/id_rsa.pub) would also be correct, but chmod 644 ~/.ssh/id_rsa (i.e. chmod a=r,u+w ~/.ssh/id_rsa) would not be. Your public key can be public, what matters is that your private key is private.

Also your .ssh directory itself must be writable only by you: chmod 700 ~/.ssh or chmod u=rwx,go= ~/.ssh. You of course need to be able to read it and access files in it (execute permission). It isn't directly harmful if others can read it, but it isn't useful either.

You don't need sudo. Don't use sudo to manipulate your own files, that can only lead to mistakes.

The error about .ICEauthority is not related to the chmod commands you show. Either it's a coincidence or you ran some other commands that you aren't showing us.

Related Solutions

SSH and home directory permissions

This is the default behavior for SSH. It protects user keys by enforcing rwx------ on $HOME/.ssh and ensuring only the owner has write permissions to $HOME. If a user other than the respective owner has write permission on the $HOME directory, they could maliciously modify the permissions on $HOME/.ssh, potentially hijacking the user keys, known_hosts, or something similar. In summary, the following permissions on $HOME will be sufficient for SSH to work.

rwx------
rwxr-x---
rwxr-xr-x

SSH will not work correctly and will send warnings to the log facilities if any variation of g+w or o+w exists on the $HOME directory. However, the administrator can override this behavior by defining StrictModes no in the sshd_config (or similar) configuration file, though it should be clear that this is not recommended.

Permissions remain 2700 after `chmod 0700`

Assuming you’re using GNU chmod, this is documented in the manpage:

chmod preserves a directory's set-user-ID and set-group-ID bits unless you explicitly specify otherwise. You can set or clear the bits with symbolic modes like u+s and g-s, and you can set (but not clear) the bits with a numeric mode.

This is allowed in POSIX:

For each bit set in the octal number, the corresponding file permission bit shown in the following table shall be set; all other file permission bits shall be cleared. For regular files, for each bit set in the octal number corresponding to the set-user-ID-on-execution or the set-group-ID-on-execution, bits shown in the following table shall be set; if these bits are not set in the octal number, they are cleared. For other file types, it is implementation-defined whether or not requests to set or clear the set-user-ID-on-execution or set-group-ID-on-execution bits are honored.

The reasoning for the behaviour in GNU chmod is given in the release notes for coreutils 6.0:

chmod, install, and mkdir now preserve a directory's set-user-ID and set-group-ID bits unless you explicitly request otherwise. E.g., chmod 755 DIR and chmod u=rwx,go=rx DIR now preserve DIR's set-user-ID and set-group-ID bits instead of clearing them, and similarly for mkdir -m 755 DIR and mkdir -m u=rwx,go=rx DIR. To clear the bits, mention them explicitly in a symbolic mode, e.g., mkdir -m u=rwx,go=rx,-s DIR. To set them, mention them explicitly in either a symbolic or a numeric mode, e.g., mkdir -m 2755 DIR, mkdir -m u=rwx,go=rx,g+s DIR. This change is for convenience on systems where these bits inherit from parents. Unfortunately other operating systems are not consistent here, and portable scripts cannot assume the bits are set, cleared, or preserved, even when the bits are explicitly mentioned. For example, OpenBSD 3.9 mkdir -m 777 D preserves D's setgid bit but chmod 777 D clears it. Conversely, Solaris 10 mkdir -m 777 D, mkdir -m g-s D, and chmod 0777 D all preserve D's setgid bit, and you must use something like chmod g-s D to clear it.

There’s more on the topic in #8391, including the further rationale that the leading 0 is ambiguous (it could indicate either cleared bits, or an octal value, in the user’s mind). The coreutils manual also has a dedicated section, Directories and the Set-User-ID and Set-Group-ID Bits; this reveals that there are GNU extensions to allow clearing the bits in question:

chmod =700 ~/testdir
chmod 00700 ~/testdir

both clear the bits (but are non-portable).

Following problem

Best Answer

Related Solutions

SSH and home directory permissions

Permissions remain 2700 after `chmod 0700`

Related Question