SSH Key Permissions Chmod settings?

  • I need to use SSH on my machine to access my website and its databases (setting up a symbolic link, but I digress).

    Here is the problem: I enter the command `ssh-keygen -t dsa` to generate a public/private DSA key pair. I save it in the default location (/home/user/.ssh/id_dsa) and enter the passphrase twice,

    then I get this back:

    WARNING: UNPROTECTED PRIVATE KEY FILE!
    Permissions 0755 for '/home/etc.ssh/id_rsa' are too open. It is recommended that your private key files are NOT accessible by others. This private key will be ignored. bad permissions: ignore key: [then the FILE PATH in VAR/LIB/SOMEWHERE]

    Now, to work around this, I then tried:

        sudo chmod 600 ~/.ssh/id_rsa
        sudo chmod 600 ~/.ssh/id_rsa.pub
    

    But shortly after, my computer froze up, and on logging back on there was a "could not find .ICEauthority" error. I got round this problem and deleted the SSH files, but I want to be able to use the correct permissions to avoid these issues in future. How should I set up ICEauthority, where should I save the SSH keys, and what permissions should they have? Would using a virtual machine be best?

    This is all very new and I am on a very steep learning curve, so any help appreciated.

    Typo, sorry: just one set of keys was generated!

    Permissions on the .ssh dir are as important as the key permissions. It should be 600. To fix it, run: `chmod -R 600 ~/.ssh`.

    Actually, the .ssh directory permissions need to be 700, not 600. The execute permission is the one that gives you access to what is inside that directory. So the correct commands should be `chmod 700 $HOME/.ssh` and `chmod 600 $HOME/.ssh/id_rsa`.

    The error about .ICEauthority is not related to the `chmod` commands you show. Either it's a coincidence or you ran some other commands that you aren't showing us.

  • chmod 600 ~/.ssh/id_rsa; chmod 600 ~/.ssh/id_rsa.pub (i.e. chmod u=rw,go= ~/.ssh/id_rsa ~/.ssh/id_rsa.pub) are correct.

    chmod 644 ~/.ssh/id_rsa.pub (i.e. chmod a=r,u+w ~/.ssh/id_rsa.pub) would also be correct, but chmod 644 ~/.ssh/id_rsa (i.e. chmod a=r,u+w ~/.ssh/id_rsa) would not be. Your public key can be public, what matters is that your private key is private.

    Also your .ssh directory itself must be writable only by you: chmod 700 ~/.ssh or chmod u=rwx,go= ~/.ssh. You of course need to be able to read it and access files in it (execute permission). It isn't directly harmful if others can read it, but it isn't useful either.

    You don't need sudo. Don't use sudo to manipulate your own files, that can only lead to mistakes.

    The error about .ICEauthority is not related to the chmod commands you show. Either it's a coincidence or you ran some other commands that you aren't showing us.

    What do the permissions on the ~/.ssh/known_hosts need to be?

  •     chmod 600 ~/.ssh/id_rsa
        chmod 600 ~/.ssh/id_rsa.pub
    

    or

        # u: user        r: read
        # g: group       w: write
        # o: others      x: execute
    
        chmod u=rw,go= ~/.ssh/id_rsa ~/.ssh/id_rsa.pub
    

    You could also make your public key readable

        chmod 644 ~/.ssh/id_rsa.pub # chmod a=r,u+w ~/.ssh/id_rsa.pub
    

    but not your private key. So it is mandatory to have:

        chmod 600 ~/.ssh/id_rsa # chmod u=rw,go= ~/.ssh/id_rsa
    

    Also your .ssh directory itself must be writable only by you:

        chmod 700 ~/.ssh
    

    or

        chmod u=rwx,go= ~/.ssh
    

    You of course need to be able to read it and access files in it (execute permission). It isn't directly harmful if others can read it, but it isn't useful either.

    You don't need sudo. Don't use sudo to manipulate your own files, that can only lead to mistakes.

    The error about .ICEauthority is not related to the chmod commands you show. Either it's a coincidence or you ran some other commands that you aren't showing us.

  • I want to add to the answers above that for me my home directory (~/) also needed to have the permissions 755, regardless of the permissions of ~/.ssh and the files therein. (This was on a Synology NAS, might not apply to all linuxes)
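
The permissions discussed in the answers above can be checked in one pass. This is an added example, not part of any answer. The function names are hypothetical, private keys are recognised by their `PRIVATE KEY-----` header line, and applying the public-key rule (no group/other write) to every other file in the directory is an assumption of the example.

```shell
#!/bin/sh
# Added example: audit (and optionally repair) SSH key permissions.
# Function names are hypothetical. Usage: audit_ssh_dir "$HOME/.ssh" [fix]

# Print the octal permission bits of a path (GNU stat, then BSD stat).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# check_path PATH FORBIDDEN REQUIRED FIXMODE ACTION
# OK when no FORBIDDEN bit is set and every REQUIRED bit is set (octal masks).
# With ACTION=fix, applies FIXMODE via chmod. Returns 1 if a problem remains.
check_path() {
    mode=$(mode_of "$1") || return 1
    if [ $(( 0$mode & 0$2 )) -eq 0 ] && [ $(( 0$mode & 0$3 )) -eq $(( 0$3 )) ]; then
        echo "OK    $1 ($mode)"
        return 0
    fi
    if [ "$5" = fix ] && chmod "$4" "$1"; then
        echo "FIXED $1 ($mode -> $4)"
        return 0
    fi
    echo "BAD   $1 ($mode, suggested: chmod $4)"
    return 1
}

# Returns 0 when the directory and every regular file in it pass.
audit_ssh_dir() {
    dir=$1 action=${2:-report} problems=0
    # Directory: owner needs rwx (600 locks you out), nobody else may write.
    check_path "$dir" 022 700 700 "$action" || problems=$((problems + 1))
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        if head -n 1 "$f" | grep -q 'PRIVATE KEY-----'; then
            # Private key: ssh ignores it if any group/other bit is set.
            check_path "$f" 077 0 600 "$action" || problems=$((problems + 1))
        else
            # Public keys and other files: readable is fine, writable is not
            # (applying this to every non-key file is this example's assumption).
            check_path "$f" 022 0 go-w "$action" || problems=$((problems + 1))
        fi
    done
    [ "$problems" -eq 0 ]
}
```

Run it without `fix` first to see what would change; a private key at mode 400 is reported as OK because only the group/other bits matter for the "UNPROTECTED PRIVATE KEY FILE" check.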

License under CC-BY-SA with attribution


Content dated before 6/26/2020 9:53 AM