What's Actually Happening

You're trying to connect to a server using SSH key authentication, but SSH refuses to use your private key because its permissions allow other users on the system to read it. This is a security feature—SSH requires private keys to be readable only by the owner to prevent unauthorized access.

The Error You'll See

bash
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0644 for '/home/user/.ssh/id_rsa' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
Load key "/home/user/.ssh/id_rsa": bad permissions
user@server: Permission denied (publickey).

The key is being ignored, so authentication falls back to other methods or fails entirely.

Why This Happens

SSH private keys contain sensitive cryptographic data. If other users can read your private key, they could potentially impersonate you on any server that accepts that key. The error shows 0644, which means:

  • Owner can read and write (6 = 4+2 = read+write)
  • Group can read (4 = read)
  • Others can read (4 = read)

SSH requires 0600 (owner read/write only) for private keys and 0644 for public keys.

Step 1: Check Current Permissions

Examine the permissions on your SSH directory and keys:

bash
ls -la ~/.ssh/

You'll see output like:

bash
drwxr-xr-x  2 user user 4096 Jan 15 10:00 .
drwxr-xr-x 30 user user 4096 Jan 15 09:00 ..
-rw-r--r--  1 user user 1766 Jan 15 10:30 id_rsa
-rw-r--r--  1 user user  400 Jan 15 10:30 id_rsa.pub
-rw-r--r--  1 user user  222 Jan 14 16:00 known_hosts

The private key id_rsa shows -rw-r--r-- which is 0644—too open.

Step 2: Fix the SSH Directory Permissions

First, ensure the .ssh directory itself has correct permissions:

bash
chmod 700 ~/.ssh

This sets rwx------ (7 = 4+2+1), meaning only you can access the directory.

Step 3: Fix Private Key Permissions

Set the private key to be readable only by you:

bash
chmod 600 ~/.ssh/id_rsa

This sets rw------- (6 = 4+2), meaning only you can read and write the file.

Step 4: Verify Public Key Permissions

Public keys should be readable, so use:

bash
chmod 644 ~/.ssh/id_rsa.pub

Step 5: Fix All Keys at Once

If you have multiple keys, fix them all:

bash
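chmod 700 ~/.ssh
# id_* also matches id_*.pub; the next line resets public keys to 644.
# Private keys with other names need their own chmod 600.
chmod 600 ~/.ssh/id_*
chmod 644 ~/.ssh/*.pub
chmod 644 ~/.ssh/known_hosts
# Only applies if you have a config file
chmod 600 ~/.ssh/config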

Step 6: Verify the Fix

Check that permissions are now correct:

bash
ls -la ~/.ssh/

You should see:

bash
drwx------  2 user user 4096 Jan 15 10:00 .
-rw-------  1 user user 1766 Jan 15 10:30 id_rsa
-rw-r--r--  1 user user  400 Jan 15 10:30 id_rsa.pub

Now test your SSH connection:

bash
ssh -v user@server.com

The verbose output should show your key being offered and accepted without permission warnings.

Verify the Fix

Your SSH keys are properly secured when:

  1. ls -la ~/.ssh/ shows drwx------ for the directory
  2. Private keys show -rw------- (600)
  3. Public keys show -rw-r--r-- (644)
  4. SSH connections work without permission errors
  5. ssh -v shows "Trying private key" and "Authentication succeeded"
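
To run the permission checks from the steps above in one pass, here is an added example script (not part of the original guide). It goes beyond the id_* glob by recognising private keys from their PEM header, so custom-named keys are covered; the function names audit_ssh_dir, group_other_bits and is_private_key are made up for this example.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): audit an SSH directory for
# entries that group or other users can access.

# Print the six group+other permission characters of a path, e.g. "r--r--".
group_other_bits() {
    ls -ld "$1" | cut -c5-10
}

# Succeed if the first line of the file is a PEM private-key header.
is_private_key() {
    head -n 1 "$1" 2>/dev/null | grep -q '^-----BEGIN .*PRIVATE KEY-----'
}

# audit_ssh_dir DIR [--fix]
# Prints "TOO OPEN: <path>" per finding; returns 1 if anything was found.
# With --fix, applies the page's modes: 700 for DIR, 600 for keys and config.
audit_ssh_dir() {
    local dir="$1" fix="${2:-}" findings=0 f
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }

    if [ "$(group_other_bits "$dir")" != "------" ]; then
        echo "TOO OPEN: $dir"
        findings=$((findings + 1))
        [ "$fix" != "--fix" ] || chmod 700 "$dir"
    fi

    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        # Only private keys and the client config are held to owner-only;
        # public keys and known_hosts may stay world-readable.
        is_private_key "$f" || [ "${f##*/}" = "config" ] || continue
        if [ "$(group_other_bits "$f")" != "------" ]; then
            echo "TOO OPEN: $f"
            findings=$((findings + 1))
            [ "$fix" != "--fix" ] || chmod 600 "$f"
        fi
    done
    [ "$findings" -eq 0 ]
}

# Run only when arguments are given, e.g.: bash audit.sh ~/.ssh --fix
[ "$#" -eq 0 ] || audit_ssh_dir "$@"
```

Without --fix the script only reports, so it can be run first to see what would change.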

On macOS specifically, if permissions keep reverting, you may need to check for extended attributes:

bash
xattr -l ~/.ssh/id_rsa

Remove problematic attributes if present:

bash
xattr -d com.apple.quarantine ~/.ssh/id_rsa