File and Directory Permissions

To help ensure secure authentication, and prevent tampering, information leakage and spoofing, files and directories used by the client and server must be configured with correct permissions and ownership. If these conditions aren't met, Secure Shell connections and public key authentication may fail.

Notes:

  • The StrictModes setting helps ensure enforcement of a satisfactory level of security and is enabled by default on both the server and the client.
  • Files must be owned by root or by the owner of the home directory in which the files reside.
  • Where permission requirements are enforced, the permissions must be at the level indicated in the table below, or more restrictive (less than or equal to the octal value shown in brackets).
  • Files and directories shown in parentheses are the defaults.

Client-side files and directories

File or
Directory

Maximum
Security

Required when
StrictModes = no

Required when
StrictModes = yes

Secure Shell directory (~/.ssh2/)

700

No requirements

User-only write access [755]

User home directory and
All parent directories

744
755

No requirements

User-only write access [755]

User’s private keys

600

User-only read/write access [600]

User-only read/write access [600]

User's public keys

600

No requirements

No requirements

User's identification file (~/.ssh2/identification)

600

No requirements

User-only write access [644]

User's host keys directory (~/.ssh2/hostkeys)

700

No requirements

No requirements

Host public key files

600

No requirements

No requirements

User's configuration file (~/.ssh2/ssh2_config)

600

No requirements

User-only write access [644]

Client PKI Services Manager public key (specified using PkidPublicKey)

600

No requirements

No requirements

Global configuration directory (/etc/ssh2/)

755

No requirements

No requirements

Global host keys directory (/etc/ssh2/hostkeys)

755

No requirements

No requirements

Global host public key files

644

No requirements

No requirements

Global user configuration file (/etc/ssh2/ssh2_config)

644

No requirements

No requirements

Server logs directory ()

711

711

711

Server audit log files

600

 

 

Server-side files and directories (user-specific)

File or
Directory

Maximum
Security

Required when
StrictModes = no

Required when
StrictModes = yes

Secure Shell directory (~/.ssh2/)

700

No requirements

User-only write access [755]

User home directory and
all parent directories

744
755

No requirements

User-only write access [755]

User's authorization file on the server (~/.ssh2/authorization)

600

User-only write access [644]

User-only write access [644]

User’s secure shell environment file on the server (~/.ssh2/environment)

600

No requirements

No requirements

User's login behavior file (~/.hushlogin)

600

No requirements

No requirements

Server-side files and directories (global)

File or
Directory

Maximum
Security

Required when
StrictModes = no

Required when
StrictModes = yes

Server configuration directory (/etc/ssh2)

644

No requirements

No requirements

Server private key file (/etc/ssh2/hostkey)

600

Root-only read/write access [600]

Root-only read/write access [600]

Server public key file (/etc/ssh2/hostkey.pub

600

No requirements

No requirements

Server RADIUS authentication configuration file (/etc/ssh2/radius_config)

600

No requirements

No requirements

Subconfiguration file directory (/etc/ssh2/subconfig)

700

No requirements

No requirements

Subconfiguration files

600

No requirements

No requirements

Global Secure Shell environment file (/etc/ssh2/environment)

600

No requirements

No requirements

Client PKI Services Manager public key (specified using PkidPublicKey)

600

No requirements

No requirements

Server logs directory (/etc/ssh2/logs)

711

No requirements

No requirements

Server audit log files (/etc/ssh2/logs/sshd2-audit-*)

600

No requirements

No requirements