Documentation error: wrong permissions given in FAQ

Joe Carroll joe.carroll at sihti.fi
Wed Aug 7 19:22:47 EST 2013


Hi,

I looked into this some more just now and realised my own error: the
reason 0644 worked for me but 0600 didn't was because the owner of the
file was root. I can confirm that 0600 works as you've said if the owner
is the same as the user (but this causes problems for multiple users
accessing the same SFTP jail). Despite this, Ubuntu's official wiki
recommends 0644: 
https://help.ubuntu.com/community/SSH/OpenSSH/Keys#Troubleshooting

I need multiple chrooted users to use the same authorized_keys file so I
was able to get it working as desired by changing the group and using 0640
permissions, i.e. from

	-rw------- 1 root root 412 Aug 6 16:17 /var/chroot/home/.ssh/authorized_keys

to

	-rw-r----- 1 root jailedsftp 412 Aug 6 16:17 /var/chroot/home/.ssh/authorized_keys


Anyway, thanks for your response and sorry for bothering you with my
mistaken claims :-)

BR,
Joe


On 07/08/2013 11:55, "Damien Miller" <djm at mindrot.org> wrote:

>On Wed, 7 Aug 2013, Joe Carroll wrote:
>
>> Hi,
>>
>> I discovered yesterday that the instructions given at
>> http://www.openssh.org/faq.html#3.14 regarding the correct permissions
>> for the authorized_keys file mistakenly recommend chmod'ing the
>> file to 600 when it should be 644. The requirement for public key
>> authentication to work is in fact that ~/.ssh/authorized_keys is
>> readable (but not writable) by group and other, not just owner.
>> Someone should probably update the project's official FAQ accordingly
>> to avoid future confusion. Unfortunately, I did not realise the error
>> in this documentation before it caused me a great deal of frustration
>> configuring chrooted key-only access to our server (Ubuntu 12.04 LTS).
>
>Mode 0600 works fine for authorized keys and, while ssh will still
>accept this file with slightly looser permissions, it's best to keep
>them as tight as possible unless there is a good reason otherwise.
>
>-d
>
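To make the permission rules discussed in this thread concrete, here is an added example (not from the thread and not OpenSSH's own code) that parses `ls -l` listings like the two above and reports whether the file passes sshd's StrictModes ownership and writability checks and whether the login user can actually read it, which is the distinction behind the 0600-owned-by-root failure. The user name `joe`, the group membership and the two extra listings are constructed.

```python
import stat

# Constructed ls -l listings modelled on the before/after states in the mail,
# plus a world-readable and a group-writable variant for contrast.
LISTINGS = {
    "root_only":      "-rw------- 1 root root 412 Aug 6 16:17 /var/chroot/home/.ssh/authorized_keys",
    "group_readable": "-rw-r----- 1 root jailedsftp 412 Aug 6 16:17 /var/chroot/home/.ssh/authorized_keys",
    "world_readable": "-rw-r--r-- 1 root root 412 Aug 6 16:17 /var/chroot/home/.ssh/authorized_keys",
    "group_writable": "-rw-rw---- 1 root jailedsftp 412 Aug 6 16:17 /var/chroot/home/.ssh/authorized_keys",
}


def parse_mode(symbolic):
    """Turn an ls -l permission string such as '-rw-r-----' into an int mode (0o640)."""
    if len(symbolic) != 10:
        raise ValueError("expected a 10-character ls -l mode string")
    mode = 0
    for ch in symbolic[1:]:          # skip the file-type character
        mode = (mode << 1) | (0 if ch == "-" else 1)
    return mode


def parse_listing(line):
    """Extract mode, owner, group and path from one ls -l line."""
    fields = line.split()
    return {"mode": parse_mode(fields[0]), "owner": fields[2],
            "group": fields[3], "path": fields[-1]}


def user_can_read(entry, user, user_groups):
    """Unix read check: the first matching class (owner, group, other) decides."""
    mode = entry["mode"]
    if entry["owner"] == user:
        return bool(mode & stat.S_IRUSR)
    if entry["group"] in user_groups:
        return bool(mode & stat.S_IRGRP)
    return bool(mode & stat.S_IROTH)


def check_authorized_keys(entry, user, user_groups):
    """Return (ok, reason): ok when sshd with StrictModes would accept the file
    (owned by the user or root, not group/world-writable) AND the login user can
    read it, since sshd reads authorized_keys with the user's privileges."""
    if entry["owner"] not in ("root", user):
        return False, f"owned by {entry['owner']}; must be owned by {user} or root"
    if entry["mode"] & (stat.S_IWGRP | stat.S_IWOTH):
        return False, "group- or world-writable; rejected under StrictModes"
    if not user_can_read(entry, user, user_groups):
        return False, f"not readable by {user}; key lookup fails silently"
    return True, "accepted"
```

Run it over the listings with a chrooted user such as `joe` in group `jailedsftp`: the original root-owned 0600 file fails the readability check, while the 0640 file with group `jailedsftp` is accepted.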
