> For the complete documentation index, see [llms.txt](https://sarpers-organization.gitbook.io/ctftricks/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://sarpers-organization.gitbook.io/ctftricks/_chapter-intro-6/credentials/filesystem-search/trick-0602.md).

# Access SSH Key from Another User's Directory

***

Check for misconfigured permissions on other user's home directories, specifically targeting their `.ssh` directory and private key file (`id_rsa`). Before attempting to read the key, you can check the file permissions to see if your current user has read access. The private key file should ideally have permissions set to `600` (`-rw-------`), meaning only the owner can read or write it. If permissions are set more permissively, such as `644` (`-rw-r--r--`), `664` (`-rw-rw-r--`), or `666` (`-rw-rw-rw-`), other users may be able to read the private key.

You can check the permissions using the `ls -l` command:

```bash
ls -l /home/<target_user>/.ssh/id_rsa
```

If the permissions allow read access by your user (indicated by an 'r' in the group or others field depending on your user's relation to the file), you can then extract the key.

```bash
cat /home/<target_user>/.ssh/id_rsa
```

If successful, the output will be the private key. Once the private key is obtained, it can be saved to a file (e.g., `id_rsa_stolen`) and used to authenticate via SSH as the target user on systems where the corresponding public key is authorized.

```bash
ssh -i id_rsa_stolen <target_user>@<target_host>
```

This relies on inadequate filesystem permissions allowing read access to sensitive files owned by other users.
