.ssh directory permissions – everything you need to know

SSH (secure shell) is one of the most popular open-source network protocol. It is supported by virtually all major platforms and usually be used to authenticate to remote servers. SSH can also be used to transfer files back and forth between computers over the network, using either scp or rsync.

.ssh is the directory that holds important information about your ssh authentication key. The content of .ssh directory can include one or all of the following files : identity, identity.pub, id_dsa, id_dsa.pub, authorized_keys, known_hosts, config.

In this article, we will show you everything you need to know about the correct permission settings for .ssh directory across popular platforms.

.ssh permissions on Linux

chmod is the command that sets permission on each file and directory in Linux.

Ideally, here’s a summary of the permissions of .ssh directory you want to set:

• .ssh directory: 700 (drwx------)
• public key (.pub file): 644 (-rw-r--r--)
• private key (id_rsa): 600 (-rw-------)
• home directory should be writeable by only you (at most 755 (drwxr-xr-x)).
• First, you need to set .ssh directory to 700 (drwx------) using the following command : chmod 700 /home/$USER/.ssh
• Then, chmod 644 for authorized_keys so that it can only be write/modify by the owner, read-only for others (group) using the following command : chmod 644 /home/$USER/.ssh/authorized_keys</li><li>You will also have to make sure that the current user is actually the owner of files and folders, not the <code>root</code> user. You can do that by running the following commands : <code>chown user:user authorized_keys</code> and chown user:user /home/$USER/.ssh
• Only allow the id_rsa keys to be read-writable only by you by setting its permissions to 600 : chmod 600 ~/.ssh/id_rsa. This file contain sensitive data and should be readable by the user but not accessible by others (read/write/execute). ssh will simply ignore a private key file if it is accessible by others.

Remember to replace $USER in the commands with the SSH username you want to log into on the server.

If you’re trying to login as root you would need to use /root/.ssh instead of /home/root/.ssh, the latter is the directory for non-root users.

You don’t need sudo. Don’t use sudo to manipulate your own files, that can only lead to mistakes.

.ssh permissions for authorized_keys

The SSH authorized_keys contains a list of public keys that are authorized to log in to the server. This file is used to prevent unauthorized users from connecting to the SSH server.

Like we’ve mentioned earlier, authorized_keys is not highly sensitive, so the recommended permissions are **read/write for the user and not accessible by others. In other words, in Linux, authorized_keys file should have 644 permissions and be owned by the user.

If you’re managing a server, access its terminal using SSH protocol and run the following command : chmod 644 /home/$USER/.ssh/authorized_keys. Replace $USER in the command with the current username you’re logged into.

.ssh permissions on Windows

Windows offers two sets of permissions to restrict access to files and folders: NTFS permissions and share permissions. When we refer to permission of .ssh folder on Windows, it’s NTFS permission. By default, permissions are inherited from a root folder to the files and subfolders inside it.

It is recommended that we allow youself (obviously), SYSTEM and Administrators access to .ssh folder. You yourself would have read/write access, while other users can only read the files inside .ssh folder.

Normally, .ssh folder is located under the C:users<username> folder on Windows. Follow the steps demonstrated below to set its permissions.

• Browse to C:users<username>.ssh using Windows Explorer.
• Right click on id_rsa and select Properties.
• In id_rsa Properties window, switch to Security tab.
• In Group or user names section, you should see only SYSTEM, Administrators and the current user. If there are more users, you should select Advanced and remove them.
• Select the current user and click Edit. Uncheck all the boxes in Allow column, except Read and Write.
• Repeat the step above for SYSTEM and Administrators group.
• Click OK on all the the dialog boxes to apply the permission changes.

We hope that the information above helped you learn a bit more about how to properly set permissions for .ssh directory in Linux and Windows. You may want to check out our tutorials related to SSH such as How to save SSH password in VSCode, How to increase font size of PuTTY’s terminal and How to decrease font size of PuTTY’s terminal.

If you spot an error in the article, please kindly correct us using the comment section below.