[Cialug] SSH Host Key Permissions

Nicolai nicolai-cialug at chocolatine.org
Tue Mar 19 15:52:18 UTC 2019


On Tue, Mar 19, 2019 at 09:10:50AM -0400, Todd Walton wrote:

> I didn't generate those. I haven't touched them. So, that must be
> official, right? I can SSH to my workstation, so 0640 on the host keys
> must be okay. So I was generating ed25519 host keys yesterday by
> running this on a number of servers:

On my servers, all SSH host secret keys are 600, pubkeys are 640.

> if ! test -f /etc/ssh/ssh_host_ed25519_key; then ssh-keygen -f
> /etc/ssh/ssh_host_ed25519_key -t ed25519; fi

You should just do "ssh-keygen -A" on the servers.  It will do the right
thing.  Your operating system should actually do this for you.

Nicolai
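Added example, not part of the message above: a POSIX shell check that audits host key file modes against the policy stated in the reply (private host keys 600). The function names and the public-key rule (not writable by group or other) are assumptions made for illustration, and the sample files are empty placeholders constructed in a temporary directory.

```shell
#!/bin/sh
# Added example: audit SSH host key file modes. Private keys must have no
# group/other bits (600 or stricter). Assumption: public keys only need to be
# non-writable by group/other, so both 640 and 644 pass.

audit_host_keys() {
    dir=${1:-/etc/ssh}
    bad=0 seen=0
    for f in "$dir"/ssh_host_*_key "$dir"/ssh_host_*_key.pub; do
        [ -f "$f" ] || continue          # an unmatched glob stays literal
        seen=$((seen + 1))
        # GNU stat first, BSD stat as fallback; both print the octal mode.
        mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
        case "$f" in
            *.pub)
                case "$mode" in
                    *[0145][0145]|[0145]) echo "OK   $mode $f" ;;
                    *) echo "BAD  $mode $f (public key writable by group/other)"; bad=1 ;;
                esac ;;
            *)
                case "$mode" in
                    *00|0) echo "OK   $mode $f" ;;
                    *) echo "BAD  $mode $f (private key accessible by group/other)"; bad=1 ;;
                esac ;;
        esac
    done
    if [ "$seen" -eq 0 ]; then
        echo "no host keys in $dir (ssh-keygen -A creates missing ones)"
        return 2
    fi
    return "$bad"
}

# Constructed sample: empty placeholder files, not real keys.
demo_dir() {
    d=$(mktemp -d)
    : > "$d/ssh_host_ed25519_key";     chmod 600 "$d/ssh_host_ed25519_key"
    : > "$d/ssh_host_ed25519_key.pub"; chmod 640 "$d/ssh_host_ed25519_key.pub"
    : > "$d/ssh_host_rsa_key";         chmod 640 "$d/ssh_host_rsa_key"
    : > "$d/ssh_host_rsa_key.pub";     chmod 644 "$d/ssh_host_rsa_key.pub"
    echo "$d"
}

d=$(demo_dir)
audit_host_keys "$d" || echo "audit status: $?"
rm -rf "$d"
```

Run against a real server with `audit_host_keys /etc/ssh`; exit status 1 means at least one file failed the check, 2 means no host keys were found.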

