
Protect SSH Keys from App Access

TL;DR

Apps shouldn’t be able to read your private SSH keys. This guide shows how to limit that, using file permissions, an SSH agent, and keeping agent forwarding off unless you actually need it.

How Apps Can Access Your Keys (and Why It’s Bad)

If an app can read the ~/.ssh directory or its files, it can copy your private keys. Anyone holding a copy can log in to every server that trusts that key as you, without needing your password, from any machine they like. Note what file permissions do and do not cover: they keep other users and services on the machine out, but an app that runs under your own account reads ~/.ssh exactly as you do. That is why the later steps move the key out of reach of the file system and into an agent.

Steps to Protect Your SSH Keys

  1. Check File Permissions on ~/.ssh
    • The ~/.ssh directory should only be readable, writable and executable by *you*.
    • Use the following command to check:
    • ls -ld ~/.ssh
    • You should see something like this (the username will be different):
    • drwx------ 3 yourusername yourgroup 4096 Oct 26 10:00 .ssh
    • If the permissions are too open, fix them with:
    • chmod 700 ~/.ssh
  2. Check File Permissions on Private Keys
    • Your private key files (id_ed25519, id_rsa, or whatever you named them; the matching .pub files are public and may stay world-readable) should *only* be readable by you.
    • Use this command to check:
    • ls -l ~/.ssh/id_rsa
    • You should see something like this:
    • -rw------- 1 yourusername yourgroup 2405 Oct 26 10:00 id_rsa
    • If the permissions are too open, fix them with:
    • chmod 600 ~/.ssh/id_rsa
  3. Use an SSH Agent
    • An SSH agent holds your decrypted private key in its own process memory and signs authentication challenges for clients that connect to it over the SSH_AUTH_SOCK socket. Apps then authenticate through the agent and never touch the key file, so a compromised app cannot copy the key and reuse it later from another machine. The caveat: any app running as your user can still ask the agent to sign for it while the key is loaded. Adding the key with ssh-add -c makes the agent ask for confirmation (via an ssh-askpass program) on every use, which limits that.
    • Start the agent (usually happens automatically when you log in). If not, try:
    • eval "$(ssh-agent -s)"
    • Add your private key to the agent:
    • ssh-add ~/.ssh/id_rsa
  4. Avoid Agent Forwarding When Unnecessary
    • SSH agent forwarding (ForwardAgent) lets a remote server use your local SSH agent. This is convenient, but a compromised or malicious server can then authenticate as you to any host your loaded keys unlock, for as long as your session is open.
    • Only enable it for hosts where you genuinely need it (e.g., running Git operations on a remote host that must authenticate to a third server as you). For hopping through a bastion, ProxyJump gives you the same path without exposing the agent to the intermediate host.
    • OpenSSH already defaults to ForwardAgent no; to make that explicit, add the following to your ~/.ssh/config file. Put any per-host ForwardAgent yes entry above it, because ssh uses the first matching value for each option:
    • Host *
        ForwardAgent no
  5. Be Careful with Apps Requesting Key Access
    • Think carefully before granting any app access to your ~/.ssh directory or files.
    • If an app asks for key access, research it thoroughly first.
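The following shell script is an added example, not part of the original article: it performs the checks and fixes from steps 1 to 3 in one place. It assumes a POSIX sh with either GNU or BSD stat, and it identifies private keys by their "PRIVATE KEY" header rather than by file name, so id_ed25519, id_rsa and custom key names are all caught while .pub files are left alone. The function and variable names (audit_ssh_dir, check_mode, agent_status) are this example's own.

```shell
#!/bin/sh
# Added example (not the article's own code): audit an SSH directory,
# optionally tighten permissions, and report whether an agent is reachable.
# Assumes POSIX sh and GNU (-c) or BSD (-f) stat.

# Octal permission bits of a path, e.g. 700 or 644.
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# True if the first line carries a PEM/OpenSSH private key header.
is_private_key() {
    head -n 1 "$1" 2>/dev/null | grep -q 'PRIVATE KEY'
}

# Compare a path's mode with the wanted one; chmod it when fix=yes.
# Returns 0 if it was already correct, 1 if it was wrong (fixed or not).
check_mode() {
    path=$1; want=$2; fix=$3
    have=$(mode_of "$path")
    if [ "$have" = "$want" ]; then
        return 0
    fi
    if [ "$fix" = yes ]; then
        chmod "$want" "$path"
        echo "fixed  $path: $have -> $want"
    else
        echo "WRONG  $path: $have (want $want)"
    fi
    return 1
}

# Audit a directory: 700 on the directory, 600 on every private key.
# Usage: audit_ssh_dir [dir] [fix|report]   (defaults: ~/.ssh, report)
# Return value is the number of problems found.
audit_ssh_dir() {
    dir=${1:-$HOME/.ssh}; action=${2:-report}
    fix=no
    if [ "$action" = fix ]; then fix=yes; fi
    problems=0
    check_mode "$dir" 700 "$fix" || problems=$((problems + 1))
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        if is_private_key "$f"; then
            check_mode "$f" 600 "$fix" || problems=$((problems + 1))
        fi
    done
    return "$problems"
}

# Is an agent reachable, and does it hold keys?
# ssh-add -l exits 0 with keys, 1 with none loaded, 2 if no agent answers.
agent_status() {
    if [ -z "$SSH_AUTH_SOCK" ]; then
        echo "no agent: SSH_AUTH_SOCK is unset (try: eval \"\$(ssh-agent -s)\")"
        return 2
    fi
    rc=0
    ssh-add -l >/dev/null 2>&1 || rc=$?
    case $rc in
        0) echo "agent running with keys loaded" ;;
        1) echo "agent running but no keys loaded (run ssh-add)" ;;
        *) echo "SSH_AUTH_SOCK is set but no agent answers" ;;
    esac
    return "$rc"
}
```

Source the script and run `audit_ssh_dir ~/.ssh report` to see findings without changing anything, `audit_ssh_dir ~/.ssh fix` to apply chmod 700/600, and `agent_status` to confirm the agent is up before relying on it.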

Checking Your Setup

After following these steps, re-run ls -ld ~/.ssh and ls -l ~/.ssh/id_* to confirm the permissions stuck, and run ssh-add -l to confirm the agent is reachable and lists your key (it exits 2 if no agent is running and 1 if the agent holds no keys). Check ~/.ssh/config once more to make sure ForwardAgent is only enabled for the hosts that need it.
