NashTech Blog

Get in touch

Understanding and Fixing Bad Permissions for the User and SSH Directory

Picture of somyanegi321
somyanegi321
Table of Contents
feature

Permissions for user directories and SSH keys are crucial for system security, especially on Linux-based servers where SSH (Secure Shell) is the primary way to connect remotely. Improper permissions in the user’s home or .ssh directory can expose your system to unauthorized access, making it vulnerable to security breaches. This blog will walk you through understanding directory permissions, identifying bad permissions for user and SSH directories, and the steps to fix them to ensure a secure SSH connection.

1. Understanding Directory and File Permissions in Linux

In Linux, file and directory permissions are managed through a system of three categories: user (owner), group, and others. Each category has three possible permissions:

  • Read (r): Allows viewing the contents.
  • Write (w): Allows modifying the contents.
  • Execute (x): Allows executing files or accessing directories.

Permissions are often represented numerically:

  • rwx = 7
  • rw- = 6
  • r-- = 4

For instance, a file with 755 permissions means:

  • The owner has read, write, and execute permissions.
  • The group has read and execute permissions.
  • Others have read and execute permissions.

Correctly setting these permissions is essential, especially for sensitive files in the SSH directory.

2. Common Issues with Bad SSH Directory Permissions

The .ssh directory in a user’s home folder stores SSH keys and configuration files like authorized_keys, id_rsa (private key), id_rsa.pub (public key), and known_hosts. These files must have restricted permissions to prevent unauthorized access.

Bad permissions in .ssh can lead to:

  • Unauthorized access: Loose permissions on SSH keys can allow others to read sensitive files, such as the private key, enabling unauthorized SSH access.
  • Connection errors: If permissions are too restrictive, SSH may refuse to connect, as it interprets restrictive settings as a potential security risk.

3. Checking for Bad Permissions in the SSH Directory

To check permissions, navigate to the user’s home directory and list permissions for the .ssh directory and its contents:

cd ~ 
ls -ld .ssh
ls -l .ssh

Here’s what to look for:

  • The .ssh directory should have 700 permissions (drwx------).
  • The authorized_keys and public key files (e.g., id_rsa.pub) should have 644 permissions (rw-r--r--).
  • The private key file (e.g., id_rsa) should have 600 permissions (rw-------).

If you see permissions that are too open (e.g., 777 or 755 for .ssh) or too restrictive (e.g., 400 for id_rsa), they need adjustment.

4. How to Fix Bad Permissions for User and SSH Directories

Here’s a step-by-step guide to setting secure permissions for your SSH directory and files.

Step 1: Set Correct Permissions on the Home Directory

Ensure the user’s home directory has permissions that allow access only to the user and trusted groups.

chmod 750 ~

Step 2: Secure the .ssh Directory

Set the .ssh directory permissions to 700 to ensure that only the user can access it:

chmod 700 ~/.ssh

Step 3: Set Permissions for SSH Keys and Configuration Files

  1. Private Key (id_rsa): The private key should have 600 permissions, meaning only the owner can read and write:
  2. Public Key (id_rsa.pub): The public key can be more open, with 644 permissions:
  3. Authorized Keys (authorized_keys): This file lists the public keys that are allowed to connect to the system. It should also have 600 or 644 permissions:
  4. Other SSH Files: Any additional files in .ssh, like config or known_hosts, should also be limited to 600 permissions:

Step 4: Verify Ownership

Ensure that all files in .ssh are owned by the user to prevent access by other users or services:

chown -R $(whoami):$(whoami) ~/.ssh

5. Testing SSH Access After Setting Permissions

After setting correct permissions, it’s important to test the SSH connection to confirm that SSH works as expected.

To test:

  1. Open a new terminal session.
  2. Run the SSH command to connect:
  3. If permissions are set correctly, you should be able to connect without errors. If not, double-check the permissions and ownership of .ssh and its contents.

6. Additional Tips for Securing SSH Access

  • Disable Root SSH Login: Editing the SSH configuration file (/etc/ssh/sshd_config) to disable root login adds an extra layer of security:
  • Use Strong Authentication Methods: Consider using SSH key-based authentication instead of passwords for better security.
  • Regularly Audit Permissions: As part of routine maintenance, verify that no new files or permissions have been altered.
  • Enable SSH Key Expiration: For temporary users or services, set up keys that expire automatically or use configuration management tools to rotate them.

  To correct permissions, run the following commands on your EC2 instance.

sudo chown root:root /home
sudo chmod 755 /home
sudo chown ec2-user:ec2-user /home/ec2-user -R
sudo chmod 700 /home/ec2-user /home/ec2-user/.ssh
sudo chmod 600 /home/ec2-user/.ssh/authorized_keys

Conclusion

Correct permissions on the user and SSH directories are critical to securing an SSH environment. Misconfigured permissions on these directories and files can lead to unauthorized access and potential data breaches. By following best practices and auditing SSH access regularly, you can prevent security issues, ensuring your system remains secure and accessible only

Picture of somyanegi321

somyanegi321

Leave a Comment

Your email address will not be published. Required fields are marked *

Suggested Article

Scroll to Top