Ubuntu SSH authorized_keys file permissions

Setting the correct file permissions on your authorized_keys file in Ubuntu is critical for securing your SSH connections and ensuring key-based authentication works. This guide details the exact permission settings required for both the .ssh directory and the authorized_keys file, explains why SSH enforces these rules, and provides the commands to apply them.

Required Permissions and Ownership

For SSH key-based authentication to function securely on Ubuntu, the SSH daemon (sshd) enforces strict permission requirements. If the permissions on the .ssh directory or the authorized_keys file are too permissive (i.e., other users can read or write to them), SSH will reject the key and fall back to password authentication.

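The precise permissions required are:

  - .ssh directory: 700 (owner-only access)
  - authorized_keys file: 600 (owner-only read/write)
  - Ownership: the .ssh directory and its contents are owned by your user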

Commands to Set Correct Permissions

If you are experiencing connection issues or setting up SSH for the first time, run the following commands in the terminal to apply the correct permissions:

  1. Set the correct ownership for the .ssh directory and its contents:

    chown -R $USER:$USER ~/.ssh

  2. Set the permissions for the .ssh directory to 700 (owner-only access):

    chmod 700 ~/.ssh

  3. Set the permissions for the authorized_keys file to 600 (owner-only read/write):

    chmod 600 ~/.ssh/authorized_keys
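
To confirm the three commands above took effect, the following audit script reports any path whose owner or mode differs from the values in this guide. It is an added example, not part of the original guide; the function names check_path and audit_ssh_perms are hypothetical, and it assumes GNU stat as shipped on Ubuntu.

```shell
#!/bin/sh
# Added example: audit the permissions this guide sets
# (700 on .ssh, 600 on authorized_keys, both owned by the current account).
# Assumes GNU stat (coreutils), which is what Ubuntu ships.

# check_path PATH EXPECTED_MODE
# Returns 0 if PATH exists, is owned by the current uid and has EXPECTED_MODE.
check_path() {
    cp_path=$1
    cp_want=$2
    if [ ! -e "$cp_path" ]; then
        echo "MISSING  $cp_path"
        return 1
    fi
    # %a = octal mode (e.g. 700), %u = numeric owner uid
    cp_info=$(stat -c '%a %u' -- "$cp_path") || return 1
    cp_mode=${cp_info% *}
    cp_owner=${cp_info#* }
    if [ "$cp_owner" != "$(id -u)" ]; then
        echo "OWNER    $cp_path is owned by uid $cp_owner, expected $(id -u)"
        return 1
    fi
    if [ "$cp_mode" != "$cp_want" ]; then
        echo "MODE     $cp_path is $cp_mode, expected $cp_want"
        return 1
    fi
    echo "OK       $cp_path ($cp_mode)"
}

# audit_ssh_perms HOME_DIR
# Checks both paths even if the first fails; returns 0 only if both pass.
audit_ssh_perms() {
    as_home=$1
    as_rc=0
    check_path "$as_home/.ssh" 700 || as_rc=1
    check_path "$as_home/.ssh/authorized_keys" 600 || as_rc=1
    return "$as_rc"
}

# When a home directory is passed on the command line, audit it.
if [ "$#" -gt 0 ]; then
    audit_ssh_perms "$1" || echo "Fix the lines above with the chown/chmod commands in this guide."
fi
```

Save it as a file and run it with your home directory as the argument, for example: sh audit.sh "$HOME"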

Why SSH Enforces These Permissions

These strict permissions are enforced by a configuration directive in the SSH daemon configuration file (/etc/ssh/sshd_config) called StrictModes, which is enabled (yes) by default.

If StrictModes is active, the SSH server will refuse to use public keys stored in any authorized_keys file that can be modified or read by other users on the system. This prevents unauthorized local users from adding their own public keys to your profile or tampering with your configuration.