Overview

File permissions are crucial when it comes to SSH keys, configs, folders, and other associated files. Since SSH is normally used to securely access remote servers, you can run into issues if you don’t have your keys locked down correctly.

If you’re like me and don’t normally interface with file permissions then it can be easy to forget what the correct permissions for SSH key files are. This post is just as much a reminder for myself in the future as it is a tutorial for newcomers.

TL;DR

If you’re just looking for the correct commands to run on your SSH files & folders but don’t need/want any explanation, here you go:

chmod 700 ~/.ssh
chmod 644 ~/.ssh/authorized_keys
chmod 644 ~/.ssh/known_hosts
chmod 644 ~/.ssh/config
chmod 600 ~/.ssh/id_rsa
chmod 644 ~/.ssh/id_rsa.pub

If you want a quick reference for all possible permissions you can use this table:

Permissions  Binary  Decimal
---          000     0
--x          001     1
-w-          010     2
-wx          011     3
r--          100     4
r-x          101     5
rw-          110     6
rwx          111     7

Use these numbers in order of the owner, group owner, and everyone else.

${owner}${group}${others}

Explanation

Errors

Trying to access a remote Linux server using SSH keys with the wrong file permissions can result in errors such as:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0644 for '/home/user/.ssh/id_rsa' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
bad permissions: ignore key: /home/user/.ssh/id_rsa
Permission denied (publickey,password).

As the warning says, your keys should not be accessible by others. This means that currently your SSH key files can be read or modified by other users, which poses a security risk to the remote server. Until you fix the file permissions, the remote server won’t allow you to access its resources using that key.

Linux File Permissions

Linux file permissions are expressed as 3 digits, where each digit represents the permissions that the file owner, file group owner, and all other users have for that file, in that order.

${owner}${group}${others}

For example, to give read/write permissions to the owner, read permission to the group, and read permission to everyone else:

644

To understand where each number comes from, we have to backtrack a bit. There are 3 types of permissions that a user can have:

  • Read (r)
  • Write (w)
  • Execute (x)

So if we have a file that has read, write and execute permissions for everyone, we could express that like so:

rwx rwx rwx

And if we have a file that only has read and write permissions for everyone, we could express that like this:

rw- rw- rw-

If we have only read/write permissions for the owner, read permission for the group, and no access for anyone else:

rw- r-- ---

Beginning to become clear? Good. So now, for each active permission, we will replace it with a 1, and we’ll replace inactive permissions with a 0.

Following the same examples, read, write, and execute permissions for everyone:

111 111 111

Read/write permissions for everyone:

110 110 110

Read/write permissions for the owner, read permission for the group, and no access for anyone else:

110 100 000

Now the next step is to convert these binary numbers into decimal format. Again, following the same examples we have read, write and execute permissions for everyone:

7 7 7

Read/write permissions for everyone:

6 6 6

Read/write permissions for the owner, read permission for the group, and no access for anyone else:

6 4 0

Hopefully, that makes sense, so to wrap up file permissions here’s a table displaying all possible permission combinations:

Permissions  Binary  Decimal
---          000     0
--x          001     1
-w-          010     2
-wx          011     3
r--          100     4
r-x          101     5
rw-          110     6
rwx          111     7

Setting File Permissions

Understanding what Linux file permission codes mean, we can apply them using the chmod (change mode) command. The basic syntax is as follows:

chmod ${mode} ${filePath}

Where ${mode} is a 3-digit file permission number and ${filePath} is the path to the file you want to change the permissions of.

SSH File Permissions

Now that we understand file permissions and how to change them, let’s review the commands from the start of this post.

The following command gives read, write and execute permissions to the owner of the ~/.ssh folder and no permissions to anyone else.

chmod 700 ~/.ssh

The following commands give read/write permissions to the owner of the file and read permissions to everyone else.

chmod 644 ~/.ssh/authorized_keys
chmod 644 ~/.ssh/known_hosts
chmod 644 ~/.ssh/config
chmod 644 ~/.ssh/id_rsa.pub

The following command gives read/write permissions to the owner of the file and no permissions to anyone else.

chmod 600 ~/.ssh/id_rsa
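
As an added example (not code from the original post), the shell functions below check a directory against the modes used in the commands above and report which bits group and others hold beyond them. It assumes a stat that accepts -c '%a' (GNU coreutils or BusyBox); the function names are illustrative.

```sh
# Added example: audit an SSH directory against the modes listed in this post.
# Assumes stat -c '%a' (GNU/BusyBox); function names are illustrative only.

# Expected mode for a path, taken from the chmod commands in the post.
expected_mode() {
    if [ -d "$1" ]; then echo 700; return 0; fi
    case "$(basename "$1")" in
        id_rsa)                                        echo 600 ;;
        authorized_keys|known_hosts|config|id_rsa.pub) echo 644 ;;
        *)                                             return 1 ;;
    esac
}

# Turn one permission digit (0-7) back into its rwx form, e.g. 4 -> r--.
digit_to_rwx() {
    r=-; w=-; x=-
    [ $(( $1 & 4 )) -ne 0 ] && r=r
    [ $(( $1 & 2 )) -ne 0 ] && w=w
    [ $(( $1 & 1 )) -ne 0 ] && x=x
    echo "$r$w$x"
}

# Print one line per known path. A path is TOO_OPEN when group or others
# hold a bit that the expected mode does not grant them.
audit_ssh_dir() {
    for path in "$1" "$1"/*; do
        want=$(expected_mode "$path") || continue
        raw=$(stat -c '%a' "$path") || continue
        have=$(( 0$raw & 0777 ))
        extra=$(( have & ~0$want & 077 ))
        name=$(basename "$path")
        if [ "$extra" -eq 0 ]; then
            printf 'OK       %s %03o\n' "$name" "$have"
        else
            printf 'TOO_OPEN %s %03o (expected %s) group+%s others+%s\n' \
                "$name" "$have" "$want" \
                "$(digit_to_rwx $(( (extra >> 3) & 7 )))" \
                "$(digit_to_rwx $(( extra & 7 )))"
        fi
    done
    return 0
}

# Demo on a constructed directory, not a real ~/.ssh.
demo=$(mktemp -d)
touch "$demo/id_rsa" "$demo/id_rsa.pub" "$demo/config"
chmod 644 "$demo/id_rsa" "$demo/id_rsa.pub"; chmod 666 "$demo/config"
audit_ssh_dir "$demo"
rm -rf "$demo"
```

Call audit_ssh_dir ~/.ssh to check your own files; a file that is stricter than the listed mode is reported as OK.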

Conclusion

After reading this post, you should have a basic understanding of how file permissions work and how to set the correct file permissions on all of your SSH keys, config files, and folders.