Right: /etc/ssh/ssh_known_hosts either way that you have on the permissions is fine.
Some files can only be readable by the owner or root (like private keys), and others can only be writable by the owner or root. In order to satisfy the "only writable" part, it is also required that any directory in the path to and including .ssh only be writable by the owner or root.

Kirk Wolf
Dovetailed Technologies
http://dovetail.com

On Tue, Sep 24, 2013 at 3:38 PM, Paul Gilmartin <paulgboul...@aim.com> wrote:
> On Tue, 24 Sep 2013 13:19:20 -0500, Kirk Wolf wrote:
>
> >No, the sys admin can collect host public keys and put them in
> >/etc/ssh/known_hosts for all users.
>
> /etc/ssh/ssh_known_hosts?
>
> >This is the preferred method, and best practice would be to manage these
> >enterprise wide and then automatically publish to all ssh client machines.
>
> While we're here, what permissions do you recommend for ~/.ssh, etc.?
>
> I have:
> total 66
> drwx--x--x   2 user   513     512 Sep 23 15:02 .
> drwx--x--x  87 user   513   12288 Sep 24 14:27 ..
> -rw-------   1 user   513     230 Aug 10  2012 authorized_keys
> -rw-------   1 user   513      67 Aug 10  2012 environment
> -rw-------   1 user   513     887 Jun 23  2008 id_rsa
> -rw-r--r--   1 user   513     230 Aug 10  2012 id_rsa.pub
> -rw-------   1 user   513   14917 Sep 23 14:28 known_hosts
> -rw-------   1 user   513    1024 Sep 23 15:02 prng_seed
>
> others recommend, perhaps phobically:
>
> total 66
> drwx------   2 user   513     512 Sep 23 15:02 .
> drwx--x--x  87 user   513   12288 Sep 24 14:27 ..
> -rw-------   1 user   513     230 Aug 10  2012 authorized_keys
> -rw-------   1 user   513      67 Aug 10  2012 environment
> -rw-------   1 user   513     887 Jun 23  2008 id_rsa
> -rw-------   1 user   513     230 Aug 10  2012 id_rsa.pub
> -rw-------   1 user   513   14917 Sep 23 14:28 known_hosts
> -rw-------   1 user   513    1024 Sep 23 15:02 prng_seed
>
> -- gil

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
----------------------------------------------------------------------
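As an added example (not code from the thread, from OpenSSH, or from Dovetailed Technologies), a small Python audit that applies the three rules Kirk states to a user's .ssh directory: ownership by the user or root and no group/other write bit on every path component down to and including .ssh and on every file in it, plus no group/other read bit on private keys. The `stop_at` parameter and the `id_*` private-key naming rule are assumptions of this example; both of gil's listings (0711 and 0700 on ~/.ssh) pass it.

```python
import os
import stat
from pathlib import Path


def _is_private_key(name):
    # Assumption for this example: private keys use OpenSSH's default names
    # (id_rsa, id_ed25519, ...) and the public half carries a .pub suffix.
    return name.startswith("id_") and not name.endswith(".pub")


def audit_ssh_dir(ssh_dir, stop_at="/"):
    """Return findings for a user's .ssh directory (empty list = OK).

    Rules as stated in the thread: every directory on the path down to and
    including .ssh, and every file in it, must be owned by the user or root
    and not be writable by group/other (0700 and 0711 both pass); private
    keys must additionally not be readable by group/other. stop_at is an
    assumption of this example (not an OpenSSH option) that limits how far
    up the path the walk goes; the default walks from /.
    """
    ssh_dir = Path(ssh_dir).resolve()
    stop_at = Path(stop_at).resolve()
    if not ssh_dir.is_dir():
        return [f"{ssh_dir}: missing or not a directory"]
    findings = []

    def check(path, kind, private):
        st = path.stat()
        mode = stat.S_IMODE(st.st_mode)
        if st.st_uid not in (0, os.getuid()):
            findings.append(f"{path}: {kind} owned by uid {st.st_uid}, not the user or root")
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append(f"{path}: {kind} writable by group/other (mode {mode:04o})")
        if private and mode & (stat.S_IRGRP | stat.S_IROTH):
            findings.append(f"{path}: private key readable by group/other (mode {mode:04o})")

    # Every path component from stop_at down to .ssh itself must be safe.
    for d in [*reversed(ssh_dir.parents), ssh_dir]:
        if d == stop_at or stop_at in d.parents:
            check(d, "directory", private=False)

    for f in sorted(ssh_dir.iterdir()):
        if f.is_file():
            check(f, "file", private=_is_private_key(f.name))
    return findings


if __name__ == "__main__":
    for line in audit_ssh_dir(Path.home() / ".ssh") or ["no findings"]:
        print(line)
```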