This SSH error occurs when your private key file has permissions that allow other users to read it. SSH refuses to use the key for security reasons. The fix is to restrict the file permissions to owner-only access using chmod 600 or chmod 400.
The "Permissions are too open" error is a security safeguard built into SSH. When SSH detects that your private key file (like `id_rsa`, `id_ed25519`, or a `.pem` file) can be read by users other than yourself, it refuses to use that key for authentication. The permission mode 0644 (-rw-r--r--) means: - Owner can read and write (6) - Group members can read (4) - Everyone else can read (4) Since a private key should never be shared, SSH requires restrictive permissions. The key must only be readable by you. If anyone else on the system could read your private key, they could impersonate you on any server that trusts that key. This error commonly appears when: - Cloning repositories over SSH for the first time - Running `git push` or `git pull` to a remote using SSH - Using SSH keys copied from another system or backup - Keys generated on Windows and used on Linux/macOS - Keys stored on network drives or USB sticks with FAT32 formatting
First, identify the exact permissions on your private key file:
# Check permissions on the default RSA key
ls -la ~/.ssh/id_rsa
# Or for ED25519 keys
ls -la ~/.ssh/id_ed25519
# For custom key files
ls -la ~/.ssh/your_key_nameThe output shows permissions like:
- -rw-r--r-- (0644) - Too open, everyone can read
- -rwxr-xr-x (0755) - Too open, everyone can read and execute
- -rw------- (0600) - Correct, only owner can read/write
- -r-------- (0400) - Correct, only owner can read
If the middle and last groups have any permissions (not ---), the key is too open.
The standard fix is to restrict permissions so only you can read the key:
On Linux/macOS:
# Fix a specific key file
chmod 600 ~/.ssh/id_rsa
# Or make it read-only (more restrictive)
chmod 400 ~/.ssh/id_rsa
# Fix multiple keys at once
chmod 600 ~/.ssh/id_*
chmod 644 ~/.ssh/*.pub # Public keys can be readable by othersVerify the fix:
ls -la ~/.ssh/id_rsa
# Should show: -rw------- (0600) or -r-------- (0400)Permission breakdown:
- 600 = owner read+write, no group/other access
- 400 = owner read-only, no group/other access (more secure)
Both values work; 600 is more common as it allows you to modify the file later.
The .ssh directory itself also needs correct permissions:
# Set correct permissions on .ssh directory
chmod 700 ~/.ssh
# Verify
ls -la ~ | grep .ssh
# Should show: drwx------ (0700)Complete permission setup for SSH:
# Directory
chmod 700 ~/.ssh
# Private keys (no extension or custom names)
chmod 600 ~/.ssh/id_rsa
chmod 600 ~/.ssh/id_ed25519
chmod 600 ~/.ssh/id_ecdsa
# Public keys (.pub files)
chmod 644 ~/.ssh/id_rsa.pub
chmod 644 ~/.ssh/id_ed25519.pub
# Config file
chmod 600 ~/.ssh/config
# Known hosts
chmod 644 ~/.ssh/known_hosts
# Authorized keys (for incoming SSH)
chmod 600 ~/.ssh/authorized_keysThe directory needs execute permission (7) because execute on a directory means you can access files inside it.
Windows doesn't use Unix-style permissions, but OpenSSH for Windows still checks file security:
Using Git Bash (recommended):
chmod 600 ~/.ssh/id_rsaUsing PowerShell:
# Remove inheritance and set owner-only access
$keyPath = "$env:USERPROFILE\.ssh\id_rsa"
# Remove all existing permissions
icacls $keyPath /inheritance:r
# Grant read permission only to current user
icacls $keyPath /grant:r "$($env:USERNAME):(R)"Using Windows GUI:
1. Right-click the key file and select "Properties"
2. Go to the "Security" tab
3. Click "Advanced"
4. Click "Disable inheritance" and choose "Remove all inherited permissions"
5. Click "Add" to add your user with "Read" permission only
6. Remove all other users/groups
Note: If using WSL (Windows Subsystem for Linux), keys in the Linux filesystem (/home/user/.ssh) work with chmod. Keys in the Windows filesystem (/mnt/c/Users/...) may need Windows permission tools.
After fixing permissions, test that SSH accepts the key:
Test SSH connection to GitHub:
ssh -T [email protected]Expected output:
Hi username! You've successfully authenticated, but GitHub does not provide shell access.Test SSH connection to GitLab:
ssh -T [email protected]Test SSH connection to Bitbucket:
ssh -T [email protected]Debug connection issues:
# Verbose output shows which keys SSH tries
ssh -vT [email protected]
# Very verbose for more detail
ssh -vvT [email protected]If the connection works, your Git operations over SSH should now succeed.
Some filesystems don't support Unix permissions, causing this error even after chmod:
FAT32/exFAT drives:
These filesystems don't store Unix permissions. Copy the key to a native filesystem:
# Copy from USB drive to home directory
cp /mnt/usb/id_rsa ~/.ssh/
chmod 600 ~/.ssh/id_rsaDocker containers:
Volume mounts may not preserve permissions. Options:
# Option 1: Copy key and fix permissions in Dockerfile
COPY id_rsa /root/.ssh/id_rsa
RUN chmod 600 /root/.ssh/id_rsa
# Option 2: Use secrets (Docker Swarm or Kubernetes)
# Option 3: Use ssh-agent forwarding instead of copying keysDocker Compose with correct permissions:
services:
app:
volumes:
- ~/.ssh/id_rsa:/root/.ssh/id_rsa:ro
# Note: :ro makes it read-only but doesn't fix permissionsNFS mounts:
NFS can map permissions. Check your NFS export options and mount options for no_root_squash or similar settings.
Why SSH Requires Strict Permissions:
SSH private keys are equivalent to passwords. If anyone on your system can read your private key, they can:
1. Authenticate as you to any server that trusts that key
2. Decrypt any data encrypted to your public key
3. Sign commits as you (if using SSH signing in Git)
4. Access your GitHub/GitLab/Bitbucket repositories
The permission check is in SSH, not Git. SSH refuses to use an insecure key regardless of the application calling it.
Permission Modes Explained:
-rw-r--r-- (0644) = 110 100 100 binary = 6 4 4 octal
↑↑↑ ↑↑↑ ↑↑↑
│││ │││ └── Others: read only
│││ └───── Group: read only
└──────── Owner: read + write
-rw------- (0600) = 110 000 000 binary = 6 0 0 octal
↑↑↑
└── Owner: read + write, no one else has accessSSH Config StrictModes:
SSH servers have a StrictModes option that enforces permission checks. While you can disable it (not recommended), the client-side check cannot be bypassed on modern SSH versions.
Multiple SSH Keys:
If you have multiple keys, make sure you're using the right one:
# Specify which key to use in ~/.ssh/config
Host github.com
HostName github.com
User git
IdentityFile ~/.ssh/github_key
IdentitiesOnly yesSSH Agent Alternative:
Instead of fixing file permissions, you can use ssh-agent:
# Start the agent
eval "$(ssh-agent -s)"
# Add your key (it will check permissions)
ssh-add ~/.ssh/id_rsa
# Now Git uses the agent, not the file directlyThe agent caches the decrypted key in memory, so the file permissions are only checked once when adding.
Git-Specific SSH Configuration:
Git uses the GIT_SSH_COMMAND environment variable or core.sshCommand config:
# Check current SSH command
git config --get core.sshCommand
# Use a specific key for a repository
git config core.sshCommand "ssh -i ~/.ssh/specific_key -o IdentitiesOnly=yes"CI/CD Best Practices:
In CI/CD environments, avoid storing SSH keys as files:
1. Use deploy keys with limited scope
2. Store keys in CI/CD secrets and write them at runtime with correct permissions
3. Use HTTPS with tokens instead of SSH where possible
4. Use ssh-agent forwarding from the runner
Example GitLab CI setup:
before_script:
- mkdir -p ~/.ssh
- chmod 700 ~/.ssh
- echo "$SSH_PRIVATE_KEY" > ~/.ssh/id_rsa
- chmod 600 ~/.ssh/id_rsa
- ssh-keyscan github.com >> ~/.ssh/known_hostsDebugging Permission Issues:
# Check if SSH sees the key
ssh-add -l
# Check what permissions SSH expects
ssh -vvv [email protected] 2>&1 | grep -i "permission\|mode"
# Check file ownership (must be your user)
ls -la ~/.ssh/Ownership matters too - the key must be owned by your user, not root or another account.
fatal: bad object in rev-list input
Git rev-list encounters bad or invalid object
fatal: Out of memory, malloc failed during pack operation
Out of memory during Git pack operation
kex_exchange_identification: Connection closed by remote host
Connection closed by remote host when connecting to Git server
fatal: unable to access: Proxy auto-configuration failed
How to fix 'Proxy auto-configuration failed' in Git
fatal: unable to access: Authentication failed (proxy requires basic auth)
How to fix 'Authentication failed (proxy requires basic auth)' in Git