Skip to content
EJR

Fix SSH Directory Permissions

By Elliot J. Reed

When moving your .ssh directory to a new computer, incorrect file permissions can prevent SSH from working and create security vulnerabilities. This guide shows you how to correctly set SSH permissions on Linux and Mac.

SSH is strict about file permissions for security reasons. If your SSH keys or config files have permissions that are too open, SSH will refuse to use them, displaying errors like Permissions 0644 for '/home/user/.ssh/id_rsa' are too open or simply refusing to connect. This commonly happens when copying your .ssh directory from another computer, extracting from a backup, or moving files between operating systems.

Understanding SSH Permission Requirements

SSH requires specific permissions to ensure your private keys remain secure:

  • Private keys must only be readable by you (owner)
  • The .ssh directory should only be accessible by you
  • Public keys can be more permissive as they're meant to be shared
  • Config and authorized_keys should only be readable/writable by you

Setting Correct SSH Permissions Step-by-Step

Here's how to fix SSH permissions for each file type. These commands should be run from your home directory or use the full path to your .ssh directory.

1. Fix .ssh Directory Permissions

Set .ssh directory permissions
chmod 700 ~/.ssh/

This sets the .ssh directory to 700 (read, write, and execute for owner only). The directory needs execute permissions so you can access files inside it. This prevents other users on the system from reading your SSH configuration or keys.

2. Fix Private Key Permissions

Set private key permissions
chmod 600 ~/.ssh/id_rsa

This sets your private key to 600 (read and write for owner only). Private keys must never be readable by other users. If you have multiple private keys (like id_ed25519 or id_ecdsa), apply the same permissions to each one.

3. Fix Config File Permissions

Set config file permissions
chmod 600 ~/.ssh/config

This sets your SSH config file to 600. The config file may contain sensitive information like hostnames, usernames, and key file locations, so it should only be accessible to you.

4. Fix Public Key Permissions

Set public key permissions
chmod 644 ~/.ssh/id_rsa.pub

This sets your public key to 644 (read and write for owner, read-only for group and others). Public keys are meant to be shared, so they can be more permissive. However, only the owner should be able to modify them.

5. Fix authorized_keys Permissions

Set authorized_keys permissions
chmod 600 ~/.ssh/authorized_keys

This sets authorized_keys to 600. This file contains public keys that are allowed to authenticate to your account, so only you should be able to read or modify it.

Convenient Shell Function

Instead of running each command individually, you can create a shell function that fixes all SSH permissions at once. Add this function to your .bashrc or .zshrc file:

fixsshpermissions
function fixsshpermissions() {
  chmod -R 700 ~/.ssh/
  chmod 600 ~/.ssh/id_rsa
  chmod 600 ~/.ssh/config
  chmod 644 ~/.ssh/id_rsa.pub
  chmod 600 ~/.ssh/authorized_keys
}

After adding this to your shell configuration file (e.g., nano ~/.bashrc or nano ~/.zshrc), remember to reload your configuration with source ~/.bashrc or source ~/.zshrc. Then you can simply type fixsshpermissions in your terminal to set all SSH permissions correctly in one go.

The function uses chmod -R 700 first to recursively set all files and directories within .ssh to restrictive permissions, then applies the appropriate specific permissions to each file type. This ensures that even if you have additional key files or subdirectories, they'll start with secure permissions.

Frequently Asked Questions

Why is SSH so strict about file permissions?

SSH enforces strict file permissions to prevent security breaches. If your private key is readable by other users on the system, they could potentially copy it and impersonate you when connecting to remote servers. SSH refuses to use keys with overly permissive permissions as a safeguard against accidental exposure. This is especially important on shared systems or multi-user computers where multiple people have accounts.

What if I have different key file names?

Modern SSH supports multiple key types with different naming conventions. Common private key names include id_rsa, id_ed25519, id_ecdsa, and id_dsa. Apply chmod 600 to all your private key files. The corresponding public keys (with .pub extension) should use chmod 644. You can use a wildcard like chmod 600 ~/.ssh/id_*[!.pub] to set permissions on all private keys at once, or modify the function above to include your specific key files.

Do these permissions work on Windows?

Windows handles file permissions differently than Unix-like systems (Linux and Mac). If you're using Windows Subsystem for Linux (WSL) or Git Bash, these chmod commands will work. For native Windows SSH (in PowerShell or Command Prompt), you'll need to use Windows' file property security settings or the icacls command to ensure only your user account has access to the private keys. Windows SSH is generally more lenient about permissions, but it's still good practice to restrict access to your .ssh directory and private keys to your user account only.

What if I still get permission errors after fixing permissions?

If you're still experiencing issues after setting correct permissions, check the following: ensure your home directory itself isn't world-writable (chmod 755 ~), verify the ownership of files with ls -la ~/.ssh (they should be owned by your user), check for SELinux or AppArmor contexts on Linux systems (restorecon -R -v ~/.ssh on SELinux systems), and examine SSH client logs with ssh -v for detailed error messages. Sometimes server-side .ssh directory permissions can also cause issues, so verify those match the requirements above as well.