I use the latter. In most systems, the ssh process will refuse to execute if the modes on the ~/.ssh directory and the files therein were not set up properly. In my case, properly meant "only accessible by the user". I.e. 700 for ~/.ssh and 600 for all files within it. Since the local ssh does not access the *.pub files, they can be 644.
On Tue, Sep 24, 2013 at 3:38 PM, Paul Gilmartin <[email protected]> wrote:

> On Tue, 24 Sep 2013 13:19:20 -0500, Kirk Wolf wrote:
> >
> >No, the sys admin can collect host public keys and put them in
> >/etc/ssh/known_hosts for all users.
> >
> /etc/ssh/ssh_known_hosts?
>
> >This is the preferred method, and best practice would be to manage these
> >enterprise wide and then automatically publish to all ssh client machines.
> >
> While we're here, what permissions do you recommend for ~/.ssh, etc.?
>
> I have:
> total 66
> drwx--x--x   2 user  513    512 Sep 23 15:02 .
> drwx--x--x  87 user  513  12288 Sep 24 14:27 ..
> -rw-------   1 user  513    230 Aug 10  2012 authorized_keys
> -rw-------   1 user  513     67 Aug 10  2012 environment
> -rw-------   1 user  513    887 Jun 23  2008 id_rsa
> -rw-r--r--   1 user  513    230 Aug 10  2012 id_rsa.pub
> -rw-------   1 user  513  14917 Sep 23 14:28 known_hosts
> -rw-------   1 user  513   1024 Sep 23 15:02 prng_seed
>
> others recommend, perhaps phobically:
>
> total 66
> drwx------   2 user  513    512 Sep 23 15:02 .
> drwx--x--x  87 user  513  12288 Sep 24 14:27 ..
> -rw-------   1 user  513    230 Aug 10  2012 authorized_keys
> -rw-------   1 user  513     67 Aug 10  2012 environment
> -rw-------   1 user  513    887 Jun 23  2008 id_rsa
> -rw-------   1 user  513    230 Aug 10  2012 id_rsa.pub
> -rw-------   1 user  513  14917 Sep 23 14:28 known_hosts
> -rw-------   1 user  513   1024 Sep 23 15:02 prng_seed
>
> -- gil
>
> ----------------------------------------------------------------------
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to [email protected] with the message: INFO IBM-MAIN

--
10 to the minus 6th power mouthwashes == 1 Microscope (from Slashdot.org)
Maranatha! <><
John McKown
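As an added example (not from the post or any list member), a POSIX sh check that audits an ssh client directory against the modes described above: 700 on the directory, 600 on the files, and 644 also accepted for *.pub files. The function names mode_of, check_ssh_perms and make_sample_ssh_dir are mine, and the directory the last one builds is constructed for demonstration.

```shell
#!/bin/sh
# Audit an ssh client directory against the modes discussed in the thread.
# Constructed example; function names are the editor's, not ssh's own.

# Print the octal permission bits of a path (GNU stat first, BSD stat as fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# check_ssh_perms DIR
# Returns 0 when DIR and every regular file in it match the recommended modes,
# 1 otherwise; each offending path is printed with its actual and expected mode.
check_ssh_perms() {
    dir=$1
    rc=0
    if [ "$(mode_of "$dir")" != "700" ]; then
        echo "$dir: mode $(mode_of "$dir"), expected 700"
        rc=1
    fi
    for f in "$dir"/* "$dir"/.[!.]*; do
        [ -f "$f" ] || continue      # an unmatched glob stays literal; skip it
        m=$(mode_of "$f")
        case $f in
            *.pub) [ "$m" = "644" ] || [ "$m" = "600" ] || { echo "$f: mode $m, expected 644 or 600"; rc=1; } ;;
            *)     [ "$m" = "600" ] || { echo "$f: mode $m, expected 600"; rc=1; } ;;
        esac
    done
    return $rc
}

# make_sample_ssh_dir DIRMODE FILEMODE
# Builds a constructed ~/.ssh-like tree under a temp directory and prints its path.
make_sample_ssh_dir() {
    d=$(mktemp -d)
    mkdir "$d/.ssh"; chmod "$1" "$d/.ssh"
    for f in id_rsa known_hosts authorized_keys; do
        : > "$d/.ssh/$f"; chmod "$2" "$d/.ssh/$f"
    done
    : > "$d/.ssh/id_rsa.pub"; chmod 644 "$d/.ssh/id_rsa.pub"
    echo "$d/.ssh"
}

# Usage on your own directory: check_ssh_perms "$HOME/.ssh"
```

Against the first listing in the quoted message the check would flag only the directory (711 instead of 700); against the second it is silent.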
