Articles

Fix SSH Bad Permissions 0644 for id_rsa Private Key (2026)

April 6, 2026 5 min read

The SSH client is refusing to use your private key because its permissions are too permissive, allowing unauthorized access.

Here’s what’s actually broken: When you generate an SSH key pair, the private key file (id_rsa by default) needs to be inaccessible to anyone other than its owner. The SSH protocol enforces this strictly for security reasons. If the permissions are too broad (like 0644, which means owner can read/write, and group/others can read), the SSH client will reject the key, assuming it might have been compromised. It’s the client’s security guard dog barking, not a problem with the server itself.

Common Causes and Fixes:

  1. Incorrect chmod command used during key generation: This is the most frequent culprit. You might have accidentally set the permissions too wide.

    • Diagnosis: Run ls -l ~/.ssh/id_rsa. Look at the permission string at the beginning (e.g., -rw-r--r--). If it’s not -rw-------, this is likely the issue.
    • Fix: Execute chmod 600 ~/.ssh/id_rsa. This command changes the permissions so only the owner can read and write the file. The SSH client specifically requires this for private keys.
    • Why it works: Setting permissions to 600 ensures that only the user who owns the file can read or modify it, fulfilling the SSH client’s security requirement that the private key remains confidential.

  2. Permissions on the .ssh directory itself are too open: Even if id_rsa has correct permissions, if the .ssh directory is writable by others, SSH will also reject the key.

    • Diagnosis: Run ls -ld ~/.ssh. Check the permission string. It should ideally be drwx------ (700) or drwxr-xr-x (755), but crucially, it should not be writable by group or others.
    • Fix: Execute chmod 700 ~/.ssh. This sets the permissions for the .ssh directory so that only the owner can read, write, and execute (enter) the directory.
    • Why it works: This prevents other users on the system from listing the contents of your .ssh directory or creating/modifying files within it, which is another layer of security SSH mandates.

  3. Ownership issues on .ssh or id_rsa: If the files are owned by a different user than the one trying to use them, SSH will reject them. This can happen after copying files or changing user accounts.

    • Diagnosis: Run ls -ld ~/.ssh and ls -l ~/.ssh/id_rsa. Check the user and group columns. Ensure they match your current logged-in user.
    • Fix: Execute sudo chown $(whoami):$(whoami) ~/.ssh and sudo chown $(whoami):$(whoami) ~/.ssh/id_rsa. Replace $(whoami) with your actual username if sudo doesn’t interpret it correctly.
    • Why it works: SSH verifies that the user attempting to authenticate is the owner of the private key. Correcting ownership ensures this association is valid.

  4. SELinux or AppArmor restrictions: On systems with enhanced security modules like SELinux (common on RHEL/CentOS/Fedora) or AppArmor (common on Ubuntu/Debian), policies might prevent SSH from accessing files with even correct permissions if they are in an unexpected location or have incorrect security contexts.

    • Diagnosis: Check system logs for SELinux/AppArmor denials. For SELinux, use sudo ausearch -m avc -ts recent. For AppArmor, check /var/log/syslog or /var/log/audit/audit.log for relevant messages.
    • Fix (SELinux): Run sudo restorecon -Rv ~/.ssh. This command recursively resets the SELinux security context of the .ssh directory and its contents to the default, which usually allows SSH access.
    • Fix (AppArmor): You might need to adjust AppArmor profiles, which is more complex. A temporary workaround is sudo aa-complain /usr/bin/sshd (or ssh), but a permanent fix involves modifying the profile in /etc/apparmor.d/.
    • Why it works: SELinux and AppArmor enforce security policies beyond standard file permissions. Restoring the correct security context or adjusting profiles ensures that the SSH daemon has the necessary permissions to read the key file as dictated by the security module.

  5. SSH Agent issues (less common for this specific error): While not directly causing the "Bad Permissions" error on the key file itself, if you’re using ssh-agent and the agent has been started with incorrect permissions or is somehow compromised, it could indirectly lead to confusion or rejections. However, the 0644 error is almost always about the file system permissions.

    • Diagnosis: Check ssh-add -l to see if keys are loaded. Examine the permissions of the agent socket file (often in /tmp/ssh-XXXXXX/agent.XXXXXX).
    • Fix: Restart the SSH agent with eval $(ssh-agent -s) and re-add your key with ssh-add ~/.ssh/id_rsa. Ensure the SSH agent socket directory is also protected.
    • Why it works: Reinitializing the agent and re-adding the key ensures a clean state, and proper protection of the agent socket prevents unauthorized access to the keys managed by the agent.

  6. File system corruption or network mounts: In rare cases, issues with the underlying file system or how network mounts (like NFS) handle permissions can cause this.

    • Diagnosis: Check dmesg for file system errors. If .ssh is on an NFS mount, verify NFS export options and client mount options related to permissions.
    • Fix: Run fsck on the relevant partition (requires unmounting). For NFS, adjust no_root_squash or all_squash options on the server and corresponding uid/gid options on the client as needed.
    • Why it works: Ensures the file system correctly reports and enforces permissions, or that the network file sharing protocol correctly maps user identities and permissions.

After fixing the permissions on your ~/.ssh/id_rsa file to 600 and ensuring your ~/.ssh directory has 700 permissions, you should be able to connect. The next error you might encounter if other issues persist is "Permissions 0777 for 'authorized_keys' are too open."

More Deep Dives in Ssh

Want structured learning?

Take the full Ssh course →