ssh "permissions are too open"
Master System Design with Codemia
Enhance your system design skills with over 120 practice problems, detailed solutions, and hands-on exercises.
Introduction
The SSH error saying permissions are too open means your private key file or related directory is accessible to users other than the owner. SSH intentionally blocks this for security, because a world-readable private key defeats public-key authentication safety. Fixing the error requires setting strict file modes and confirming ownership on both client and sometimes remote server paths.
Core Sections
Understand what SSH is protecting
Private keys are credentials, not just config files. OpenSSH checks file and directory modes before using a key. If group or other users can read or write key material, SSH rejects the key to prevent accidental credential exposure.
Typical paths involved:
- private key such as
~/.ssh/id_rsaor~/.ssh/id_ed25519, - public key such as
~/.ssh/id_ed25519.pub, - SSH directory
~/.ssh, - remote
~/.ssh/authorized_keyswhen server-side login fails.
Apply correct local permissions on Unix-like systems
For Linux and macOS clients, use restrictive modes.
Then verify with:
Expected shape is owner-only directory and owner-only private key access.
Fix ownership problems as well as mode bits
Correct mode values are not enough if files are owned by the wrong user. This can happen after running commands with sudo in the home directory.
After ownership correction, reapply permission modes and reconnect.
Troubleshoot with verbose SSH output
If problem persists, use verbose mode to confirm which key path is being used and where permission check fails.
Verbose output often reveals surprises such as wrong key file, custom config path, or fallback key that still has open permissions.
Check SSH config references
~/.ssh/config may point to a key file outside default path. Ensure that referenced key has strict permissions too.
If IdentityFile points to another location, secure that file and its parent directory similarly.
Validate remote-side permission requirements
Sometimes local permissions are correct but server still rejects key because remote home or authorized_keys permissions are too open.
On the server, expected settings are commonly:
Also ensure remote home directory is not group-writable in hardened SSH configurations.
Windows and WSL note
On Windows native OpenSSH, ACLs replace Unix mode bits. Use icacls or file security settings to restrict private key to current user. In WSL, Unix permissions apply inside Linux filesystem. Avoid storing private keys on mounted drives with permissive metadata unless mount options enforce proper permissions.
Keep key handling operationally safe
Avoid copying private keys through shared chat or ticket systems. Rotate keys if exposure is suspected. For team systems, prefer dedicated service accounts and short-lived credentials where possible.
Document required permissions in onboarding instructions so new machines are configured consistently.
Confirm final authentication path
After permissions are fixed, run one clean test:
If login succeeds, remove temporary debug flags and keep one known-good key path documented.
Common Pitfalls
- Fixing key file mode but forgetting directory mode on
~/.ssh. - Running
chmodcorrectly but leaving file owned by root. - Debugging wrong key because SSH config points to another identity file.
- Checking only local key permissions while remote
authorized_keysremains insecure. - Storing private keys on filesystems that cannot enforce strict permission semantics.
Summary
- SSH rejects overly permissive key permissions by design for security.
- Set strict modes on key files and
~/.sshdirectory. - Verify ownership, not just mode bits.
- Use verbose SSH output to pinpoint failing key path.
- Check both local and remote permission requirements for full login success.
