Permissions on private key in .ssh folder?

411

210

I changed my permissions in my .ssh folder and now when I use a piece of software that uses my private key, I have to type my password each time. What should my permissions be on my id_rsa file to not have to type a password each time I use an app that uses it?

Currently my permissions are set to:

-rw-------@ 1 Jody  staff   114 Nov  4 23:29 config
-rw-------  1 Jody  staff  1743 Oct 21  2009 id_rsa
-rw-------@ 1 Jody  staff   397 Oct 21  2009 id_rsa.pub 
-rw-------@ 1 Jody  staff  3855 Sep 13 22:35 known_hosts

Jody G

Posted 2010-11-26T22:04:58.947


Answers

683

Typically you want the permissions to be:

  • .ssh directory: 700 (drwx------)
  • public key (.pub file): 644 (-rw-r--r--)
  • private key (id_rsa): 600 (-rw-------)
  • lastly your home directory should not be writeable by the group or others (at most 755 (drwxr-xr-x)).

I am assuming that you mean that you have to enter your system/user password each time, and that previously you did not have to. cdhowie's response is assuming you set a password/passphrase when generating your keys, and if you did then as he says you will have to enter your password every time unless you use an ssh agent.

tab33

Posted 2010-11-26T22:04:58.947


15

I found elsewhere that, if using the authorized_keys file, it should be chmod'd to 640, i.e. -rw-r-----. – AnneTheAgile – 2014-09-11T21:19:10.687

7

Where can I find this info in the man pages? – Sonique – 2014-11-17T15:56:40.213

147

I have come back to this post about 30 times now. I can't believe I can't remember it. – JREAM – 2015-04-02T21:35:39.333

2

You can also safely leave the .ssh directory permissions at 755 (drwxr-xr-x), as well as the id_*.pub and authorized_keys permissions at 644 (-rw-r--r--). Otherwise other users cannot lookup your public keys, but being able to do so is often convenient if they need to know your public keys to grant you access to some service. – Markus Kuhn – 2015-09-30T11:55:15.447

8

The only important things are that nothing in .ssh is writeable to anyone else and none of the secret keys are readable to anyone else. – Markus Kuhn – 2015-09-30T11:56:19.113

1

@MarkusKuhn OpenSSH specifies 600 for authorized_keys for some reason (link). – augurar – 2016-02-18T01:52:13.013

1

@augurar My guess: a world-readable authorized_keys file would expose the (public) keys that an attacker could use to gain full access to your account. They'd still need to find one of the private keys, of course. – David Harkness – 2016-06-14T20:08:36.153

1

To let others verify your signatures and encrypt files for you, make the public key files (*.pub) world-readable and the .ssh folder world-readable and -executable. Without the latter, other users won't be able to view the public key files. – David Harkness – 2016-06-14T21:02:50.717

3

Why 700? Why would you need anything under ~/.ssh to be executable? – Cerin – 2016-10-26T16:39:36.850

1

Why, after being generated, would a private key be writeable (600)? Generate the keys, then lock down the folder, no? – xtian – 2016-11-20T17:49:16.477

2

The correct permissions for ~/.ssh/config are 600. – Florian Brucker – 2016-12-02T08:32:43.903

6

@Cerin execute permission on a directory grants the ability to list immediate child files/dirs of that directory; files inside the folder don't "inherit" the execute bit of their parent folder. – Thomas – 2017-01-29T08:42:32.260

2

At least some versions of OpenSSH require home directory permissions such that only the user can write the home directory. Otherwise, ~/.ssh could be replaced by a link, and an arbitrary authorized_keys file substituted. – Adam Glauser – 2017-08-03T13:12:01.287

1

I get "Permissions 0644 for '/home/user/.ssh/id_rsa.pub' are too open." on Debian Buster. – Akito – 2019-11-20T20:41:25.787

This answer cannot be correct as the directory is more restrictive than the public key. – Lloyd Dewolf – 2020-01-17T16:09:48.817

93

I was struggling with this forever and finally figured out what is needed. Replace $USER everywhere with the SSH username you want to log into on the server. If you're trying to log in as root you would need to use /root/.ssh etc., instead of /home/root/.ssh, which is how it is for non-root users.

  • Home directory on the server should not be writable by others: chmod go-w /home/$USER
  • SSH folder on the server needs 700 permissions: chmod 700 /home/$USER/.ssh
  • Authorized_keys file needs 644 permissions: chmod 644 /home/$USER/.ssh/authorized_keys
  • Make sure that user owns the files/folders and not root: chown user:user authorized_keys and chown user:user /home/$USER/.ssh
  • Put the generated public key (from ssh-keygen) in the user's authorized_keys file on the server
  • Make sure that user's home directory is set to what you expect it to be and that it contains the correct .ssh folder that you've been modifying. If not, use usermod -d /home/$USER $USER to fix the issue
  • Finally, restart ssh: service ssh restart
  • Then make sure client has the public key and private key files in the local user's .ssh folder and login: ssh user@host.com

Alex W

Posted 2010-11-26T22:04:58.947

Reputation: 1 286

Regarding your first paragraph, I am able to ssh with public/private keys with a user on my local linux box (e.g. abc), different from the user on the remote server (e.g. def@123.456.789). I just had to make sure the local user owned the local .ssh files (e.g. abc:abc, not root:abc). – Michael – 2015-12-22T09:41:56.067

1

Thanks for putting all the steps and commands for newbies, Alex. Yours is one of the most helpful answers here. – Nav – 2016-03-04T06:06:57.200

6

+1. "Authorized_keys file needs 644 permissions" <= that was crucial! – Le Quoc Viet – 2017-06-04T17:46:36.683

If you're giving the .ssh directory 700 mode, then there is no point in giving r-- to group and others, because only you can "go through" .ssh then (assuming no hard links exist for these files). The same for the accepted answer. Default 755 is enough. – user3125367 – 2017-08-21T09:39:55.833

400 for the pem files are sufficient in my experience. – A T – 2018-11-14T12:24:20.483
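An added example, written for this page and not taken from the thread or from OpenSSH: a POSIX sh audit that checks the rules in tab33's answer and the comments on it (nothing under .ssh writable by anyone else, no secret readable by anyone else, home directory not group/other-writable), plus a fix function that applies the modes from Alex W's list above. The function names are my own; config and known_hosts are treated as secret, following the comment that config should be 600.

```shell
#!/bin/sh
# Audit and repair the permissions OpenSSH expects on a home directory and its
# .ssh folder: home and .ssh not writable by group/other, secrets not readable
# by group/other, public keys and authorized_keys may be world-readable.
# Example written for this page; the function names are not OpenSSH's.

# Mode string such as "drwxr-xr-x" (ls -ld output is portable; stat flags are not).
mode_of() { ls -ld "$1" | cut -c1-10; }

# Positions 6 and 9 of the mode string are the group and other write bits.
writable_by_others() { case "$(mode_of "$1")" in ?????w????|????????w?) return 0 ;; *) return 1 ;; esac; }

# Positions 5 and 8 are the group and other read bits.
readable_by_others() { case "$(mode_of "$1")" in ????r?????|???????r??) return 0 ;; *) return 1 ;; esac; }

# Prints one FAIL line per violation; returns 0 only when everything is in order.
audit_ssh_perms() {
    home=$1; sshdir=$1/.ssh; problems=0
    # A group/other-writable home lets another user replace ~/.ssh with a link.
    if writable_by_others "$home"; then
        echo "FAIL: $home writable by group/other"; problems=$((problems + 1)); fi
    [ -d "$sshdir" ] || { echo "FAIL: $sshdir is not a directory"; return 1; }
    if writable_by_others "$sshdir"; then
        echo "FAIL: $sshdir writable by group/other"; problems=$((problems + 1)); fi
    for f in "$sshdir"/*; do
        [ -e "$f" ] || continue
        if writable_by_others "$f"; then
            echo "FAIL: $f writable by group/other"; problems=$((problems + 1)); fi
        case "$f" in
            *.pub|*/authorized_keys) ;;  # public material, 644 is acceptable
            *)  # private keys, config and known_hosts are all treated as secret
                if readable_by_others "$f"; then
                    echo "FAIL: $f readable by group/other"; problems=$((problems + 1)); fi ;;
        esac
    done
    [ "$problems" -eq 0 ]
}

# Apply the modes from the answers: go-w on home, 700 on .ssh, 644 public, 600 private.
fix_ssh_perms() {
    chmod go-w "$1" && chmod 700 "$1/.ssh" || return 1
    for f in "$1/.ssh"/*; do
        [ -f "$f" ] || continue
        case "$f" in *.pub|*/authorized_keys) chmod 644 "$f" ;; *) chmod 600 "$f" ;; esac
    done
}
```

Run `audit_ssh_perms "$HOME"` on a client or `audit_ssh_perms /home/$USER` on the server; ownership (the chown step in the list above) is not checked here.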

37

Also ensure that your home directory is not writeable by other users.

chmod g-w,o-w ~

Felipe Alvarez

Posted 2010-11-26T22:04:58.947

Reputation: 1 666

8

FYI, this command assumes you are logged in as the user and not root. – Alex W – 2015-06-09T18:40:36.373

6

Permissions shouldn't have anything to do with this. Your private key is encrypted with the password, so you need to enter it for the private key to be decrypted and usable.

You might consider running an ssh agent, which can cache decrypted keys and will supply them to applications that need them.

cdhowie

Posted 2010-11-26T22:04:58.947

Reputation: 368

8

Do not underestimate permissions. They definitely still come into play. – Alex W – 2015-05-15T19:49:41.467

@AlexW They do come into play with other aspects of ssh, but not the one asked about in the question. – cdhowie – 2015-05-24T23:43:29.063

2

If you have no password on private keys (think of automated, remotely called scripts), it won't help you. Permissions are necessary here. – nerdoc – 2016-01-07T23:13:31.033

"I have to type my password each time. What should my permissions be on my id_rsa file to not have to type a password each time I use an app that uses it?" – Craig Hicks – 2018-10-08T03:11:15.330

Thanks for the additional info about the ssh agent. Looks like there is one built into Leopard so I think I'll do that. Having a bit of trouble with it but I'll ask another question. – None – 2010-11-26T22:18:11.650

4

Felipe is correct -- the directory containing your .ssh directory must not be writeable by group or other. Thus chmod go-w ~ is the next logical thing to try if you are still prompted for a password when ssh'ing after running ssh-keygen -t rsa; cp ~/.ssh/id_rsa.pub ~/.ssh/authorized_keys, assuming you don't assign a passphrase in the ssh-keygen command, and your .ssh directory is in your home directory.

mikentalk

Posted 2010-11-26T22:04:58.947

Reputation: 41