Ssh – What’s the logic of default permissions of /etc/ssh/ssh_known_hosts

permissionsSecurityssh

By default, Debian and Ubuntu (at least) set /etc/ssh/ssh_known_hosts without read permission for others. What's the logic behind that? I can't think of any security risks with o+r, and, on the other hand, having it publicly readable is useful for admin-distributed files.

Best Answer

I would argue that the point of blocking access to that file is to prevent a intruder who has compromised your system from getting a list of hosts that your system my have access to. The similar logic applies to the HashKnownHosts option being enabled by default lately. You generally don't want your system to provide everything an intruder needs to get control of everything on your network.

If you only added hashed entries into your /etc/ssh/ssh_known_hosts I don't think it would really be as big of a deal since reversing the hash is not possible.

Related Solutions

SSH – Bad Owner or Permissions on ~/.ssh/config

I needed to have rw for user only permissions on config. This fixed it.

chmod 600 ~/.ssh/config

As others have noted below, it could be the file owner. (upvote them!)

chown $USER ~/.ssh/config

If your whole folder has invalid permissions here's a table of possible permissions:

Path	Permission
.ssh directory (code)	0700 (drwx------)
private keys (ex: `id_rsa`) (code)	0600 (-rw-------)
`config`	0600 (-rw-------)
public keys (*.pub ex: `id_rsa.pub`)	0644 (-rw-r--r--)
`authorized_keys` (code)	0644 (-rw-r--r--)
`known_hosts`	0644 (-rw-r--r--)

Sources:

openssh check-perm.c
openssh readconf.c
openssh ssh_user_config fix_authorized_keys_perms

Security – Our security auditor is an idiot. How to give him the information he wants

First, DON'T capitulate. He is not only an idiot but DANGEROUSLY wrong. In fact, releasing this information would violate the PCI standard (which is what I'm assuming the audit is for since it's a payment processor) along with every other standard out there and just plain common sense. It would also expose your company to all sorts of liabilities.

The next thing I would do is send an email to your boss saying he needs to get corporate counsel involved to determine the legal exposure the company would be facing by proceeding with this action.

This last bit is up to you, but I would contact VISA with this information and get his PCI auditor status pulled.

Best Answer

Related Solutions

SSH – Bad Owner or Permissions on ~/.ssh/config

Security – Our security auditor is an idiot. How to give him the information he wants

Related Topic