Should the permission stays 744 for ~/.ssh/config ? #87

Open
s82522658 opened this issue Jun 27, 2024 · 2 comments


@s82522658

- Ensure proper permissions for your .ssh directory: `chmod 600 ~/.ssh/*`

Hi,
I'm currently following your doc to setup my environment.
Should this be changed to "chmod 600 ~/.ssh/ && chmod 744 ~/.ssh/config" to ensure the config file remains readable?

Thank you so much.

@s82522658 s82522658 changed the title from "Should the permission stays for 755 for ~/.ssh/config ?" to "Should the permission stays 744 for ~/.ssh/config ?" on Jun 27, 2024
@jk-ozlabs
Member

0744 would imply executable, which we definitely don't want. Do you mean 0644?

Is there something that needs it to be group- or world- readable?

@mdmillerii
Contributor

mdmillerii commented Oct 16, 2024

Note that chmod 600 ~/.ssh/ will break ssh. For directories x is searchable, meaning that you can access files contained in the directory. Read means that you can list the files in the directory itself. So the ~/.ssh directory needs to have at least 100 if not 700 for ease of use. The current and original article says

chmod 600 ~/.ssh/*

The trailing `*` says to apply to all contents found via reading the directory, not the directory itself (the `.` self and `..` parent directories are excluded from `*`). Note that root implicitly has 600 to all files, modulo capabilities such as CAP_SYS_DAC.

Other than excluding read and write from group and other, I don't know that read needs to be denied to others; it would seem to be a tradeoff between sharing configuration to others vs privacy slowing down a breach. In particular, this host config could give an attacker a reason to try an acquired token against a host mentioned in the config. This might be exposed via other means such as you have committed to our project or shell history files.
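The two points made in this thread (that `chmod 600 ~/.ssh/` removes the search bit the directory needs while `chmod 600 ~/.ssh/*` never touches the directory itself, and that 0744 turns a config file executable) can be checked directly. The script below is an added example, not code from this project or its documentation; it works entirely in a scratch directory created with `mktemp`, so the real `~/.ssh` is never modified. It assumes a POSIX shell with `mktemp`, `chmod` and either GNU or BSD `stat`.

```sh
#!/bin/sh
# Added demonstration (not from the project's docs): why `chmod 600 ~/.ssh/`
# breaks ssh while `chmod 600 ~/.ssh/*` does not, and why 0744 is the wrong
# mode for a config file. Everything happens under a mktemp directory, so the
# real ~/.ssh is never touched.
set -u

# Octal mode of a path. GNU stat first, BSD/macOS stat as a fallback.
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1"
}

# Apply MODE to a fresh scratch file and report whether the shell now
# considers it executable (test -x). 0744 and 0755 set the owner's x bit;
# 0644 and 0600 do not.
exec_bit_after_chmod() {
    f=$(mktemp)
    chmod "$1" "$f"
    if [ -x "$f" ]; then echo executable; else echo "not executable"; fi
    rm -f "$f"
}

# Build a scratch ".ssh" holding a config file, apply `chmod 600` to the
# contents through the glob (exactly as the doc says), then set the directory
# itself to MODE and report one line:
#   dir=    resulting directory mode (the glob never changed it)
#   config= resulting mode of the config file
#   read=   can a known path inside be opened?   (needs x/search on the dir)
#   list=   can the directory's entries be read? (needs r on the dir)
# For a non-root user: 600 -> read denied, 100 -> list denied, 700 -> both ok.
# Root bypasses these checks (CAP_DAC_OVERRIDE / CAP_DAC_READ_SEARCH).
probe() {
    top=$(mktemp -d)                 # mktemp -d creates the dir as 0700
    sshdir="$top/.ssh"
    mkdir -m 700 "$sshdir"
    # Constructed sample config; example.invalid is a reserved, unroutable name.
    printf 'Host example\n    HostName example.invalid\n' > "$sshdir/config"
    chmod 600 "$sshdir"/*            # contents only; "." and ".." are not matched
    cfgmode=$(mode_of "$sshdir/config")   # read it now, while the dir is still searchable
    chmod "$1" "$sshdir"             # now restrict the directory itself

    if cat "$sshdir/config" >/dev/null 2>&1; then r=readable; else r=denied; fi
    # Glob expansion needs only read permission on the directory; if the
    # directory cannot be read the pattern is left unexpanded.
    set -- "$sshdir"/*
    case "$1" in *'*') l=denied ;; *) l=ok ;; esac

    printf 'dir=%s config=%s read=%s list=%s\n' \
        "$(mode_of "$sshdir")" "$cfgmode" "$r" "$l"

    chmod 700 "$sshdir"              # restore so cleanup works for a non-root user
    rm -rf "$top"
}

# Stand-alone run: the three directory modes discussed, then the 744/644 question.
for m in 700 600 100; do
    echo "chmod $m on the directory:  $(probe "$m")"
done
echo "config chmod 744: $(exec_bit_after_chmod 744)"
echo "config chmod 644: $(exec_bit_after_chmod 644)"
```

Run as an ordinary user, the 600 line shows the directory can still be listed (the `r` bit) but the config inside can no longer be opened (no `x`), which is exactly the failure `chmod 600 ~/.ssh/` would cause; the 100 line shows the opposite: a known file opens but the directory cannot be listed. Run as root, both `read=` and `list=` report success regardless of mode, the DAC bypass mentioned above.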
