File and Directory Permissions

To help ensure secure authentication and to prevent tampering, information leakage and spoofing, the files and directories used by the client and the server must have the correct permissions and ownership. If these conditions are not met, Secure Shell connections and public key authentication may fail.

NOTE:

  • The StrictModes setting helps ensure enforcement of a satisfactory level of security and is enabled by default on both the server and the client.

  • Files must be owned by root or by the owner of the home directory in which the files reside.

  • Where permission requirements are enforced, the permissions must be at the level indicated in the table below, or more restrictive (less than or equal to the octal value shown in brackets).

  • Files and directories shown in parentheses are the defaults.

Client-side files and directories

| File or Directory | Maximum Security | Required when StrictModes = no | Required when StrictModes = yes |
|---|---|---|---|
| Secure Shell directory (~/.ssh2/) | 700 | No requirements | User-only write access [755] |
| User home directory and all parent directories | 744 755 | No requirements | User-only write access [755] |
| User's private keys | 600 | User-only read/write access [600] | User-only read/write access [600] |
| User's public keys | 600 | No requirements | No requirements |
| User's identification file (~/.ssh2/identification) | 600 | No requirements | User-only write access [644] |
| User's host keys directory (~/.ssh2/hostkeys) | 700 | No requirements | No requirements |
| Host public key files | 600 | No requirements | No requirements |
| User's configuration file (~/.ssh2/ssh2_config) | 600 | No requirements | User-only write access [644] |
| Client PKI Services Manager public key (specified using PkidPublicKey) | 600 | No requirements | No requirements |
| Global configuration directory (/etc/ssh2/) | 755 | No requirements | No requirements |
| Global host keys directory (/etc/ssh2/hostkeys) | 755 | No requirements | No requirements |
| Global host public key files | 644 | No requirements | No requirements |
| Global user configuration file (/etc/ssh2/ssh2_config) | 644 | No requirements | No requirements |

Server-side files and directories (user-specific)

| File or Directory | Maximum Security | Required when StrictModes = no | Required when StrictModes = yes |
|---|---|---|---|
| Secure Shell directory (~/.ssh2/) | 700 | No requirements | User-only write access [755] |
| User home directory and all parent directories | 744 755 | No requirements | User-only write access [755] |
| User's authorization file on the server (~/.ssh2/authorization) | 600 | User-only write access [644] | User-only write access [644] |
| User's Secure Shell environment file on the server (~/.ssh2/environment) | 600 | No requirements | No requirements |
| User's login behavior file (~/.hushlogin) | 600 | No requirements | No requirements |

Server-side files and directories (global)

| File or Directory | Maximum Security | Required when StrictModes = no | Required when StrictModes = yes |
|---|---|---|---|
| Server configuration directory (/etc/ssh2) | 644 | No requirements | No requirements |
| Server private key file (/etc/ssh2/hostkey) | 600 | Root-only read/write access [600] | Root-only read/write access [600] |
| Server public key file (/etc/ssh2/hostkey.pub) | 600 | No requirements | No requirements |
| Server RADIUS authentication configuration file (/etc/ssh2/radius_config) | 600 | No requirements | No requirements |
| Subconfiguration file directory (/etc/ssh2/subconfig) | 700 | No requirements | No requirements |
| Subconfiguration files | 600 | No requirements | No requirements |
| Global Secure Shell environment file (/etc/ssh2/environment) | 600 | No requirements | No requirements |
| Client PKI Services Manager public key (specified using PkidPublicKey) | 600 | No requirements | No requirements |
| Server logs directory (/etc/ssh2/logs) | 711 | No requirements | No requirements |
| Server audit log files (/etc/ssh2/logs/sshd2-audit-*) | 600 | No requirements | No requirements |
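The following shell script is an added example for auditing a host against the rows in the three tables above that carry a hard requirement (the StrictModes = yes column, plus the private key rules that apply in either mode); it is not part of the product or its documentation. It assumes the default paths from the tables (~/.ssh2, /etc/ssh2/hostkey), a GNU or BSD stat command, and, as a naming assumption of this example only, that a user's private key is any file in ~/.ssh2 whose ".pub" sibling exists. All function names are the example's own. The "at most this permissive" test is done with a bitwise check rather than a numeric comparison, because 644 is numerically below 700 yet grants world read, which the tables forbid for 700-level entries.

```shell
#!/bin/sh
# Added example, not part of the product documentation: audit files against the
# "StrictModes = yes" requirements and the always-on private key rules above.
# Assumptions: GNU or BSD stat; default paths (~/.ssh2, /etc/ssh2/hostkey);
# a private key is identified by its ".pub" sibling (example convention only).

# mode_within ACTUAL MAX: succeed if every permission bit set in ACTUAL is also
# set in MAX, i.e. ACTUAL is "at most" MAX. The leading 0 makes the shell parse
# both as octal, so a 4-digit mode such as 1777 (sticky, world-writable) is
# correctly rejected against 755 even though 644 < 700 numerically passes 700.
mode_within() {
    [ $(( 0$1 & ~0$2 )) -eq 0 ]
}

# file_mode PATH: octal mode bits (GNU stat first, BSD/macOS stat as fallback)
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# file_owner PATH: owning user name
file_owner() {
    stat -c '%U' "$1" 2>/dev/null || stat -f '%Su' "$1"
}

# check_entry PATH MAX ALLOWED_OWNER: PATH must be no more permissive than MAX
# and owned by root or ALLOWED_OWNER (the home directory owner, per the NOTE).
# Prints one result line; returns 1 on any violation, 0 if absent or compliant.
check_entry() {
    path=$1 max=$2 allowed=$3
    if [ ! -e "$path" ]; then
        echo "SKIP  $path (not present)"
        return 0
    fi
    mode=$(file_mode "$path")
    owner=$(file_owner "$path")
    status=OK
    mode_within "$mode" "$max" || status="FAIL mode $mode exceeds $max"
    case $owner in
        root|"$allowed") ;;
        *) status="FAIL owner $owner is neither root nor $allowed" ;;
    esac
    echo "$status  $path"
    [ "$status" = OK ]
}

# check_home_parents HOME OWNER: the home directory and every ancestor must be
# user-only writable [755]; a home under a world-writable /tmp fails here.
check_home_parents() {
    dir=$1 rc=0
    while [ -n "$dir" ] && [ "$dir" != / ]; do
        check_entry "$dir" 755 "$2" || rc=1
        dir=$(dirname "$dir")
    done
    return $rc
}

# check_private_keys HOME: private keys must be user-only read/write [600]
# whether StrictModes is yes or no. A key is any file with a ".pub" sibling.
check_private_keys() {
    home=$1 rc=0
    owner=$(file_owner "$home")
    for pub in "$home"/.ssh2/*.pub; do
        [ -e "$pub" ] || continue
        check_entry "${pub%.pub}" 600 "$owner" || rc=1
    done
    return $rc
}

# check_client_home HOME: client-side rows with a StrictModes = yes requirement.
check_client_home() {
    home=$1 rc=0
    owner=$(file_owner "$home")
    check_home_parents "$home" "$owner" || rc=1
    check_entry "$home/.ssh2" 755 "$owner" || rc=1
    check_entry "$home/.ssh2/identification" 644 "$owner" || rc=1
    check_entry "$home/.ssh2/ssh2_config" 644 "$owner" || rc=1
    check_private_keys "$home" || rc=1
    return $rc
}

# check_server_user HOME: server-side, user-specific rows (authorization file
# is [644] in either StrictModes setting).
check_server_user() {
    home=$1 rc=0
    owner=$(file_owner "$home")
    check_home_parents "$home" "$owner" || rc=1
    check_entry "$home/.ssh2" 755 "$owner" || rc=1
    check_entry "$home/.ssh2/authorization" 644 "$owner" || rc=1
    return $rc
}

# check_server_global: the host private key must be root-only [600] always.
check_server_global() {
    check_entry /etc/ssh2/hostkey 600 root
}

# Usage: sh check_ssh2_perms.sh /home/alice
if [ -n "${1:-}" ]; then
    check_client_home "$1"
    check_server_user "$1"
    check_server_global
fi
```

Run it with a home directory as the only argument; each line is prefixed OK, FAIL or SKIP, and the functions return non-zero on any FAIL so the script can gate a deployment check. Entries that the tables mark "No requirements" are deliberately not checked, since the product does not enforce them even though the Maximum Security column shows the tighter mode you would normally set.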