0

I am new to the Linux world and trying to learn how to use SSH with LearnLinuxTV; the author, Jay, created a user ssh_config with:

    Host myserv
      Hostname xxx.xxx.x.xx
      Port 22
      User root

I can connect via ssh gusop@tty.sdf.org with the following in ~/.ssh/config:

    Host sshtrainingserver
      Hostname tty.sdf.org
      Port 22
      User gusop

  • After saving the file, I can't get ssh sshtrainingserver or ssh gusop@tty.sdf.org to work, always getting the following error; however, after deleting config, ssh works again.

    Bad owner or permissions on /home/gusop/.ssh/config
    
  • ls -l ~/.ssh/config:

    -rw-rw-r--  1 Gusop Gusop 108 Mar 12 10:42  config
    


Could you please explain what is happening, as it feels like SSH doesn't like the config file?

JW0914
  • 9,096
Gusop
  • 1

2 Answers

0

The config files and private keys of ssh are a severe security risk to your account if they are writable by other users, so ssh will refuse to use them if the directory they are in or the files are writable by other users (or the private key is readable by others).

You need to chmod g-w on the file after you create it for ssh to use it.

This is needed because the default umask leaves group write on to make working in groups convenient. It's probably not that much of a risk in general because there are probably no other users in your group (or you are aware of it if there are), but it's also good for ssh to be paranoid.

user10489
  • 2,081
0

Per the ssh_config man page, permissions must be 600 || 644 for the user config:

~/.ssh/config:
This is the per-user configuration file. The format of this file is described above. This file is used by the SSH client. Because of the potential for abuse, this file must have strict permissions: read/write for the user, and not writable by others.

Whereas the system-wide ssh_config must be world readable (usually 644):

/etc/ssh/ssh_config:
Systemwide configuration file. This file provides defaults for those values that are not specified in the user's configuration file, and for those users who do not have a configuration file. This file must be world-readable.

JW0914
  • 9,096
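
As an added example (not part of either answer), the shell functions below test a config file for the condition both answers describe: the owner is you or root, and no group or other write bit is set. They then clear the offending bits. The function names are hypothetical, and the demo runs on a constructed scratch file set to the 664 mode from the question.

```shell
#!/bin/sh
# Added example (not from the answers); function names are hypothetical.

# Succeeds only if FILE is owned by the current user or root and is not
# writable by group or others, the condition the answers describe.
ssh_config_perm_ok() {
    file=$1
    [ -f "$file" ] || { echo "$file: not a regular file"; return 1; }
    # ls -ldn gives the mode string (field 1) and numeric owner uid (field 3)
    read -r mode links uid rest <<EOF
$(ls -ldn "$file")
EOF
    if [ "$uid" != "$(id -u)" ] && [ "$uid" != 0 ]; then
        echo "$file: owned by uid $uid, not by you or root"; return 1
    fi
    case $mode in
        ?????w*)    echo "$file: group-writable ($mode)"; return 1 ;;
        ????????w*) echo "$file: world-writable ($mode)"; return 1 ;;
    esac
    return 0
}

# Drop group/other write, keeping read bits (664 -> 644, 666 -> 644).
ssh_config_fix() {
    chmod go-w "$1"
}

# Constructed demo: a scratch file with the mode from the question (664).
demo=$(mktemp)
chmod 664 "$demo"
ssh_config_perm_ok "$demo" || ssh_config_fix "$demo"
ssh_config_perm_ok "$demo" && echo "ok: $(ls -ldn "$demo")"
rm -f "$demo"
```

On a real account the same pair is run as `ssh_config_perm_ok ~/.ssh/config || ssh_config_fix ~/.ssh/config`; it inspects only the file, not the `~/.ssh` directory the first answer also mentions.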