Hi,

I discovered yesterday that the instructions given at http://www.openssh.org/faq.html#3.14 regarding the correct permissions for the authorized_keys file mistakenly recommend chmod'ing the file to 600 when it should be 644. The requirement for public key authentication to work is in fact that ~/.ssh/authorized_keys is readable (but not writable) by group and other, not just owner. Someone should probably update the project's official FAQ accordingly to avoid future confusion. Unfortunately, I did not realise the error in this documentation before it caused me a great deal of frustration configuring chrooted key-only access to our server (Ubuntu 12.04 LTS).

Ystävällisin terveisin / Best regards,
Joe Carroll
IT-päällikkö / IT Manager
joe at sihti.fi <mailto:joe at sihti.fi>
+358 50 444 4466
fi.linkedin.com/in/thejoecarroll <http://fi.linkedin.com/in/thejoecarroll>

Rekrytointipalvelu Sihti Oy
Tampellan esplanadi 2, 2nd floor
33100 TAMPERE
www.sihti.fi <https://www.sihti.fi/>
Tel. 010 320 6500
Fax 010 320 6508

- If you want to hit the mark, take Sihti! -
On Wed, 7 Aug 2013, Joe Carroll wrote:

> Hi,
>
> I discovered yesterday that the instructions given at
> http://www.openssh.org/faq.html#3.14 regarding the correct permissions
> for the authorized_keys file mistakenly recommend chmod'ing the
> file to 600 when it should be 644. The requirement for public key
> authentication to work is in fact that ~/.ssh/authorized_keys is
> readable (but not writable) by group and other, not just owner.
> Someone should probably update the project's official FAQ accordingly
> to avoid future confusion. Unfortunately, I did not realise the error
> in this documentation before it caused me a great deal of frustration
> configuring chrooted key-only access to our server (Ubuntu 12.04 LTS).

Mode 0600 works fine for authorized keys and, while ssh will still accept this file with slightly looser permissions, it's best to keep them as tight as possible unless there is a good reason otherwise.

-d
Hi,

I looked into this some more just now and realised my own error: the reason 0644 worked for me but 0600 didn't was because the owner of the file was root. I can confirm that 0600 works as you've said if the owner is the same as the user (but this causes problems for multiple users accessing the same SFTP jail). Despite this, Ubuntu's official wiki recommends 0644: https://help.ubuntu.com/community/SSH/OpenSSH/Keys#Troubleshooting

I need multiple chrooted users to use the same authorized_keys file so I was able to get it working as desired by changing the group and using 0640 permissions, i.e. from

-rw------- 1 root root 412 Aug 6 16:17 /var/chroot/home/.ssh/authorized_keys

to

-rw-r----- 1 root jailedsftp 412 Aug 6 16:17 /var/chroot/home/.ssh/authorized_keys

Anyway, thanks for your response and sorry for bothering you with my mistaken claims :-)

BR,
Joe

On 07/08/2013 11:55, "Damien Miller" <djm at mindrot.org> wrote:

> On Wed, 7 Aug 2013, Joe Carroll wrote:
>
>> Hi,
>>
>> I discovered yesterday that the instructions given at
>> http://www.openssh.org/faq.html#3.14 regarding the correct permissions
>> for the authorized_keys file mistakenly recommend chmod'ing the
>> file to 600 when it should be 644. The requirement for public key
>> authentication to work is in fact that ~/.ssh/authorized_keys is
>> readable (but not writable) by group and other, not just owner.
>> Someone should probably update the project's official FAQ accordingly
>> to avoid future confusion. Unfortunately, I did not realise the error
>> in this documentation before it caused me a great deal of frustration
>> configuring chrooted key-only access to our server (Ubuntu 12.04 LTS).
>
> Mode 0600 works fine for authorized keys and, while ssh will still
> accept this file with slightly looser permissions, it's best to keep
> them as tight as possible unless there is a good reason otherwise.
>
> -d
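The exchange above turns on two separate conditions that sshd applies to authorized_keys when StrictModes is on: the file must be owned by the login user or by root and must not be group- or world-writable, and, because sshd reads the file with the login user's privileges, that user must actually be able to read it. The root-owned 0600 file in the first ls line fails the second condition for any non-root login, while root:jailedsftp 0640 passes for members of that group. The shell script below is an added example, not code from the thread or from OpenSSH; it reproduces those two conditions so the cases discussed can be checked offline. The uids 1001 and 2000 are constructed to stand for the jailed user and the jailedsftp group; the `stat -c` format assumes GNU coreutils, with a BSD `stat -f` fallback.

```shell
#!/bin/sh
# Added example (not from the thread or from OpenSSH). It mirrors the two
# conditions sshd applies to an authorized_keys file with StrictModes yes:
#   1. the file must be owned by the login user or root, and must not be
#      group- or world-writable (mode & 022 == 0); sshd applies the same
#      rule while walking the parent directories up to the home directory,
#      which this example leaves out;
#   2. sshd reads the file as the login user, so that user must have read
#      permission through the owner, group or other bits under ordinary
#      Unix DAC rules.

# evaluate_perms MODE FILE_UID FILE_GID USER_UID USER_GIDS
#   MODE is octal (e.g. 0640); USER_GIDS is a space-separated list of the
#   login user's group ids. Prints a verdict; returns 0 if sshd would accept.
evaluate_perms() {
    mode=$(printf '%d' "0$1")        # octal text -> decimal integer
    file_uid=$2; file_gid=$3; user_uid=$4; user_gids=$5

    # Condition 1a: owner must be root or the login user.
    if [ "$file_uid" -ne 0 ] && [ "$file_uid" -ne "$user_uid" ]; then
        echo "reject: bad ownership (uid $file_uid is neither root nor uid $user_uid)"
        return 1
    fi
    # Condition 1b: no group/other write bits (022 octal == 18 decimal).
    if [ $((mode & 18)) -ne 0 ]; then
        echo "reject: bad modes (file is group- or world-writable)"
        return 1
    fi
    # Condition 2: pick the permission triplet that applies to this user.
    if [ "$file_uid" -eq "$user_uid" ]; then
        readbit=256; via=owner       # 0400
    elif in_list "$file_gid" "$user_gids"; then
        readbit=32;  via=group       # 0040
    else
        readbit=4;   via=other       # 0004
    fi
    if [ $((mode & readbit)) -eq 0 ]; then
        echo "reject: unreadable by uid $user_uid (no read bit for $via)"
        return 1
    fi
    echo "accept: readable via $via bits, ownership and write bits ok"
    return 0
}

# in_list NEEDLE "w1 w2 ..." -> 0 if NEEDLE is one of the words.
in_list() {
    for w in $2; do
        [ "$w" = "$1" ] && return 0
    done
    return 1
}

# check_authorized_keys FILE USER: evaluate a real file for a real account.
check_authorized_keys() {
    file=$1; user=$2
    info=$(stat -c '%a %u %g' "$file" 2>/dev/null) \
        || info=$(stat -f '%Lp %u %g' "$file") || return 1
    set -- $info                     # mode uid gid
    evaluate_perms "$1" "$2" "$3" "$(id -u "$user")" "$(id -G "$user")"
}

# The thread's cases with constructed ids: root is 0, the jailed login user
# is uid 1001 with groups 1001 and 2000 (jailedsftp); 1002 is an outsider.
while read -r mode fuid fgid uuid gids; do
    printf '%s owner=%-4s group=%-4s user=%s -> ' "$mode" "$fuid" "$fgid" "$uuid"
    evaluate_perms "$mode" "$fuid" "$fgid" "$uuid" "$gids" || :
done <<'EOF'
0600 0    0    1001 1001 2000
0644 0    0    1001 1001 2000
0640 0    2000 1001 1001 2000
0640 0    2000 1002 1002
0600 1001 1001 1001 1001 2000
0664 1001 1001 1001 1001 2000
EOF
```

Running it prints one verdict per line: the root-owned 0600 file is rejected as unreadable, root-owned 0644 and root:jailedsftp 0640 are accepted for the jailed user, the 0640 file is rejected for a user outside the group, user-owned 0600 (the FAQ's recommendation) is accepted, and a group-writable 0664 file is rejected even though it is readable. `check_authorized_keys /path/to/authorized_keys someuser` applies the same logic to an existing file.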
Nico Kadel-Garcia
2013-Aug-07 13:14 UTC
Documentation error: wrong permissions given in FAQ
I'd frankly urge 0600 as a best practice. No one else needs casual read access to those public keys, especially when most such keys contain local usernames and hostnames in the "comments" segment.

Nico Kadel-Garcia
Email: nkadel at gmail.com
Sent from iPhone

On Aug 7, 2013, at 2:16, Joe Carroll <joe.carroll at sihti.fi> wrote:

> Hi,
>
> I discovered yesterday that the instructions given at http://www.openssh.org/faq.html#3.14 regarding the correct permissions for the authorized_keys file mistakenly recommend chmod'ing the file to 600 when it should be 644. The requirement for public key authentication to work is in fact that ~/.ssh/authorized_keys is readable (but not writable) by group and other, not just owner. Someone should probably update the project's official FAQ accordingly to avoid future confusion. Unfortunately, I did not realise the error in this documentation before it caused me a great deal of frustration configuring chrooted key-only access to our server (Ubuntu 12.04 LTS).
>
> Ystävällisin terveisin / Best regards,
> Joe Carroll
> IT-päällikkö / IT Manager
> joe at sihti.fi <mailto:joe at sihti.fi>
> +358 50 444 4466
> fi.linkedin.com/in/thejoecarroll <http://fi.linkedin.com/in/thejoecarroll>
>
> Rekrytointipalvelu Sihti Oy
> Tampellan esplanadi 2, 2nd floor
> 33100 TAMPERE
> www.sihti.fi <https://www.sihti.fi/>
> Tel. 010 320 6500
> Fax 010 320 6508
>
> - If you want to hit the mark, take Sihti! -
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev