0

I am new to the Linux world and trying to learn how to use SSH with LearnLinuxTV; the author, Jay, created a user ssh_config with:

    Host myserv
      Hostname xxx.xxx.x.xx
      Port 22
      User root

I can connect via ssh [email protected] with the following in ~/.ssh/config:

    Host sshtrainingserver
      tty.sdf.org
      Port 22
      User gusop

  • After saving the file, I can't get `ssh sshtrainingserver` or `ssh [email protected]` to work, always getting the following error; however, after deleting config, ssh works again.

    Bad owner or permissions on /home/gusop/.ssh/config
    
  • ls -l ~/.ssh/config:

    -rw-rw-r--  1 Gusop Gusop 108 Mar 12 10:42  config
    


Could you please explain what is happening, as it feels like SSH doesn't like the config file?

JW0914
Gusop
  • What is the output of `ls -l /home/gusop/.ssh/config`? Please [edit] the question and add this information to the question body. – Kamil Maciorowski Mar 12 '22 at 09:32
  • My `ssh` accepts the `config` being `-rw-rw-r--`. You can try removing write access for the group (with `chmod g-w ~/.ssh/config`), in case your `ssh` is more restrictive. But possibly your problem has something to do with [the dot](https://superuser.com/q/230559/432690). If so, further investigation may be required. Unfortunately I cannot help you because I'm not familiar with SELinux. Hopefully someone else will help. Good luck. – Kamil Maciorowski Mar 12 '22 at 09:55
  • It may have been a copy/paste typo, but your `~/.ssh/config` is missing `hostname` next to the FQDN [`tty.sdf.org`]. @KamilMaciorowski user `ssh_config` [`~/.ssh/config`] shouldn't be writeable by anyone but the user \[[man page](https://man.openbsd.org/ssh_config#FILES)\] – JW0914 Mar 12 '22 at 14:18
  • @JW0914 I had seen the manual, I had even composed an answer similar to yours. *But* before I publish, I *do* test. So I have tested. It turns out that in my Kubuntu `664` *does not* make `ssh` fail (while `666` does). Therefore I'm not sure if "by others" in the manual means "by others than the user" or "by others" in the context of `chmod`'s user-group-*others*. Or maybe Debian derivatives are different? *If* the OP's `ssh` is like mine, changing the permissions from `664` to `644` will make no difference. *Maybe* it's not like mine, but hopefully now you understand my doubts. – Kamil Maciorowski Mar 12 '22 at 14:22
  • @KamilMaciorowski It would be helpful if OpenSSH clarified that a bit better in their man page. I personally would recommend `600` if that works, unless there's a specific reason for the group or others to have read access to it _(I'm not on a machine I can test that on at the moment)_ – JW0914 Mar 12 '22 at 14:27

2 Answers

0

The config files and private keys of ssh are a severe security risk to your account if they are writable by other users, so ssh will refuse to use them if the directory they are in or the files are writable by other users (or the private key is readable by others).

You need to run `chmod g-w` on the file after you create it for ssh to use it.

This is needed because the default umask leaves group write on to make working in groups convenient. It's probably not that much of a risk in general because there are probably no other users in your group (or you are aware of it if there are), but it's also good for ssh to be paranoid.

user10489
0

Per the ssh_config man page, permissions must be 600 || 644 for the user config:

~/.ssh/config:
This is the per-user configuration file. The format of this file is described above. This file is used by the SSH client. Because of the potential for abuse, this file must have strict permissions: read/write for the user, and not writable by others.

Whereas the system-wide ssh_config must be world readable (usually 644):

/etc/ssh/ssh_config:
Systemwide configuration file. This file provides defaults for those values that are not specified in the user's configuration file, and for those users who do not have a configuration file. This file must be world-readable.

JW0914
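The rule both answers describe, written as a check you can run on a file before `ssh` rejects it; this is an added example, not code from the answers or from OpenSSH. It assumes GNU `stat` (Linux), the function names are hypothetical, and reading "not writable by others" as "no group or other write bit" follows the first answer; as the comments note, some distribution builds accept `664`.

```shell
#!/bin/sh
# Added example: approximates the check behind
# "Bad owner or permissions on ~/.ssh/config". Assumes GNU stat.

# Returns 0 if acceptable, 1 if owner/mode is bad, 2 if the file is missing.
check_ssh_config() {
    file=$1
    [ -e "$file" ] || { echo "missing: $file"; return 2; }
    owner=$(stat -c %u "$file")   # numeric uid of the owner
    mode=$(stat -c %a "$file")    # octal mode, e.g. 664
    # The owner must be the invoking user or root.
    if [ "$owner" -ne 0 ] && [ "$owner" -ne "$(id -u)" ]; then
        echo "bad owner (uid $owner): $file"
        return 1
    fi
    # 022 masks the group-write and other-write bits.
    if [ $(( 0$mode & 022 )) -ne 0 ]; then
        echo "bad mode $mode (group/other writable): $file"
        echo "  fix: chmod 600 $file"
        return 1
    fi
    echo "ok ($mode): $file"
    return 0
}

# Constructed demo: throwaway files in a temp dir, not the real ~/.ssh.
demo() {
    d=$(mktemp -d)
    for m in 600 644 664 666; do
        : > "$d/config_$m"
        chmod "$m" "$d/config_$m"
        check_ssh_config "$d/config_$m" || true
    done
    rm -rf "$d"
}

# With an argument, check that file; without one, run the demo.
if [ "$#" -gt 0 ]; then
    check_ssh_config "$1"
else
    demo
fi
```

The question's file was `-rw-rw-r--` (664), so this check flags it, and `chmod 600 ~/.ssh/config` or `chmod g-w ~/.ssh/config` clears it.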