Correct file permissions for ssh keys and config.
ssh-keygen -t rsa -b 4096 -N '' -C "rthijssen@gmail.com" -f ~/.ssh/id_rsa
ssh-keygen -t rsa -b 4096 -N '' -C "rthijssen@gmail.com" -f ~/.ssh/github_rsa
ssh-keygen -t rsa -b 4096 -N '' -C "rthijssen@gmail.com" -f ~/.ssh/mozilla_rsa
eval "$(ssh-agent -s)"
ssh-add ~/.ssh/id_rsa
ssh-add ~/.ssh/github_rsa
ssh-add ~/.ssh/mozilla_rsa
chmod 700 ~/.ssh
chmod 644 ~/.ssh/authorized_keys
chmod 644 ~/.ssh/known_hosts
chmod 644 ~/.ssh/config
chmod 600 ~/.ssh/id_rsa
chmod 644 ~/.ssh/id_rsa.pub
chmod 600 ~/.ssh/github_rsa
chmod 644 ~/.ssh/github_rsa.pub
chmod 600 ~/.ssh/mozilla_rsa
chmod 644 ~/.ssh/mozilla_rsa.pub

@saurabh-vijayvargiya saurabh-vijayvargiya commented Jun 11, 2018

Thanks man, it helped

@Alexandrsv Alexandrsv commented Jul 9, 2018

Thank

@Emilio66 Emilio66 commented Jul 13, 2018

Is that ok to have: chmod 644 ~/.ssh/id_rsa? (private key)

@nre-ableton nre-ableton commented Jul 27, 2018

@Emilio66 no, otherwise ssh will complain that the permissions are too open.

@madebycollins madebycollins commented Nov 8, 2018

Thank you so much for this! 🥇

@lkeneston lkeneston commented Nov 14, 2018

Thanks!

@lipeRomani lipeRomani commented Nov 20, 2018

Thanks!

@hforbess hforbess commented Dec 5, 2018

This is very handy. Thanks!

@stephenwoosley stephenwoosley commented Mar 12, 2019

Thank you for this!

@leydson-vieira leydson-vieira commented Apr 12, 2019

Thank you! I always forget the permissions...

@kebertxela kebertxela commented Apr 21, 2019

Thanks for sharing. I used these and quickly resolved an issue :)

@cwyn cwyn commented Apr 29, 2019

Should chmod 644 ~/.ssh/authorized_keys be chmod 600?

@waynevanson waynevanson commented May 2, 2019

Exactly what I was looking for, thank you!

@apotek apotek commented May 2, 2019

Something that has always mystified me...

If ~/.ssh is set to 700 (only file owner can "read,write,execute(open)" the directory), then it seems setting 644 (owner can read/write, group and world can read) is pointless since the world and the group can't even get into the directory where the file is stored. Yet, 700 on the .ssh directory and 644 on authorized_keys is a common recommendation. It just doesn't make sense to me.

So... I was about to follow suit here, and then remembered that there is always man ssh, and the man file says this:

~/.ssh/
        This directory is the default location for all user-specific con-
        figuration and authentication information.  There is no general
        requirement to keep the entire contents of this directory secret,
        but the recommended permissions are read/write/execute for the
        user, and not accessible by others.


~/.ssh/authorized_keys
        Lists the public keys (DSA, ECDSA, Ed25519, RSA) that can be used
        for logging in as this user.  The format of this file is
        described in the sshd(8) manual page.  This file is not highly
        sensitive, but the recommended permissions are read/write for the
        user, and not accessible by others.


~/.ssh/id_dsa
~/.ssh/id_ecdsa
~/.ssh/id_ed25519
~/.ssh/id_rsa
        Contains the private key for authentication.  These files contain
        sensitive data and should be readable by the user but not acces-
        sible by others (read/write/execute).  ssh will simply ignore a
        private key file if it is accessible by others.  It is possible
        to specify a passphrase when generating the key which will be
        used to encrypt the sensitive part of this file using AES-128.

~/.ssh/id_dsa.pub
~/.ssh/id_ecdsa.pub
~/.ssh/id_ed25519.pub
~/.ssh/id_rsa.pub
        Contains the public key for authentication.  These files are not
        sensitive and can (but need not) be readable by anyone.

Based on this excerpt, it is required that the .ssh directory be 700 and the private key files be 600, but it is easier to remember, and will be fully functional, to be utterly restrictive and use 700 on the .ssh directory and 600 on ALL the files.

Thus:

 $ chmod 700 .ssh
 $ cd .ssh
 $ chmod 600 *

Should be all you need.

@cseder cseder commented Jun 18, 2019

> Thus:
>
> $ chmod 700 .ssh
> $ cd .ssh
> $ chmod 600 *
>
> Should be all you need.

Well, while this is probably a valid configuration for your user, you'll soon run into problems if your public-key files are not readable by applications and processes that possibly / often run in a different user context, e.g. as a different "user" internally in the OS, and need to access your public keys for things like signing and / or verifying files using ssh.

The original gist has the most common and flexible enough permission setup, and is the way most systems, programmers and software expect the permissions to be set.

@shubhamwagh shubhamwagh commented Jul 23, 2019

This certainly helped @grenade. Thanks!

@Soren-365 Soren-365 commented Aug 17, 2019

thanks. saved me before the holiday ;-)

@abarke abarke commented Oct 25, 2019

Got the gist of it 👍

@lirundong lirundong commented Oct 31, 2019

Bravo, nice gist!

@likueimo likueimo commented Nov 6, 2019

I think maybe add this
chmod 700 /home/$USER

I have met a lot of users who type commands like this
chmod -R 777 /home/$USER

@eriktdesign eriktdesign commented Nov 22, 2019

Thanks, this helped!

@wittrup wittrup commented Dec 2, 2019

Surely you must have meant? 😉

chmod 700 ~/.ssh
chmod 600 ~/.ssh/*
chmod 644 -f ~/.ssh/*.pub ~/.ssh/authorized_keys ~/.ssh/known_hosts

@alexw24 alexw24 commented Jan 3, 2020

thanks

@hcch0912 hcch0912 commented Feb 4, 2020

Thank you, this helps me!

@mhshakouri mhshakouri commented Mar 5, 2020

A great time saver on every new env setup I have

@Howaids Howaids commented Apr 5, 2020

OMG after a weekend trying to work this out, you're a lifesaver @grenade!! I was holding my breath but hey, flawless code. Cheers!

@louwers louwers commented Apr 23, 2020

Don't forget the home directory!

@ZerooCool ZerooCool commented May 5, 2020

755 for the home directory /home/USER ? Y or N ?

For .SSH Folder :

cd ~/
sudo chmod -R 700 .ssh/
sudo chown -R user:user .ssh/

For .SSH Files

cd ~/.ssh/
sudo find . -type f -exec chmod 644 {} \;
sudo chmod -R 600 *.priv
sudo chmod -R 600 *.config

@ajorpheus ajorpheus commented Jun 11, 2020

chmod 644 ~/.ssh/config seems to be incorrect according to http://linuxcommand.org/lc3_man_pages/ssh1.html which says:

Because of the potential for abuse,
this file must have strict
permissions: read/write for the
user, and not accessible by others.

That should be chmod 600 ~/.ssh/config instead

@JRRS1982 JRRS1982 commented Jul 9, 2020

Thanks!

@arthurpasquali arthurpasquali commented Jul 9, 2020

Thanks a lot

@infinito84 infinito84 commented Aug 5, 2020

Thanks :)

@likueimo likueimo commented Aug 6, 2020

Consider adding this

chmod g-w,o-w /home/$USER
or 
chmod g-w,o-w ~/

@Nicacioneto Nicacioneto commented Aug 31, 2020

This is a great trick, always going back here to remember and to fix ssh permissions;
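
An audit of the modes argued over in this thread, as an added example that is not part of the gist or of any comment: it reports a private key or `config` that others can access, a group- or world-writable public file, and a writable home directory. The function names, the two mode patterns and the rule that a private key is the `.pub` file name minus its suffix are assumptions of this example, and the sample directory is constructed.

```shell
#!/bin/sh
# Added example: audit an ssh directory against the modes discussed in this thread.
# Patterns match the first 10 characters of `ls -ld` output, e.g. "-rw-r--r--".
PRIVATE='????------'      # no access for group or others (700 / 600)
NO_GO_WRITE='?????-??-?'  # group/others may read but never write (644 / 755)

# check PATH PATTERN FIX: report PATH if it exists and its mode misses PATTERN.
check() {
    [ -e "$1" ] || return 0
    mode=$(ls -ld -- "$1" | cut -c1-10)
    case $mode in
        $2) ;;
        *)  findings=$((findings + 1))
            printf '%s  %s  -> %s\n' "$mode" "$1" "$3" ;;
    esac
}

# audit_ssh_dir DIR: prints one line per finding, leaves the count in $findings.
audit_ssh_dir() {
    findings=0
    check "$(dirname "$1")"    "$NO_GO_WRITE" 'chmod g-w,o-w'   # home directory
    check "$1"                 "$PRIVATE"     'chmod 700'
    check "$1/config"          "$PRIVATE"     'chmod 600'
    check "$1/authorized_keys" "$NO_GO_WRITE" 'chmod 600 or 644'
    check "$1/known_hosts"     "$NO_GO_WRITE" 'chmod 644'
    for pub in "$1"/*.pub; do
        [ -f "$pub" ] || continue
        check "$pub"        "$NO_GO_WRITE" 'chmod 644'
        check "${pub%.pub}" "$PRIVATE"     'chmod 600'  # assumed private half of the pair
    done
}

# Constructed sample: a throwaway "home" with two mistakes raised in the comments
# (config and id_rsa left at 644).
demo() {
    home=$(mktemp -d) && mkdir "$home/.ssh" || return 1
    ( cd "$home/.ssh" && touch config authorized_keys id_rsa id_rsa.pub github_rsa github_rsa.pub )
    chmod 700 "$home" "$home/.ssh"
    chmod 644 "$home/.ssh/config" "$home/.ssh/id_rsa" "$home/.ssh/authorized_keys" "$home/.ssh"/*.pub
    chmod 600 "$home/.ssh/github_rsa"
    audit_ssh_dir "$home/.ssh"
    rm -rf -- "$home"
}
demo
```

To audit a real account, call `audit_ssh_dir ~/.ssh` in place of `demo`; each output line shows the current mode, the path and the `chmod` that would satisfy the rule.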
