This error occurs when SSH refuses to read your configuration file because it has incorrect file permissions or ownership. SSH strictly requires the .ssh directory and its contents to be readable only by your user account, not by group or others.
SSH is a security-sensitive application that validates file permissions before reading configuration files. The .ssh/config file contains sensitive information about your SSH connections, including host configurations and sometimes credential hints. To prevent unauthorized users from tampering with this file or accessing sensitive data, SSH enforces strict permission requirements: the .ssh directory must have 700 permissions (drwx------), the config file must have 600 permissions (-rw-------), and both must be owned by your user account. If SSH detects that these requirements aren't met, it refuses to use the configuration file to prevent potential security breaches.
The .ssh directory must have 700 permissions (owner read/write/execute only). Run:
chmod 700 ~/.sshVerify the permissions:
ls -ld ~/.sshShould show: drwx------ ... username
The config file must have 600 permissions (owner read/write only). Run:
chmod 600 ~/.ssh/configVerify the permissions:
ls -l ~/.ssh/configShould show: -rw------- 1 username groupname ...
If the file doesn't exist yet, SSH won't complain, but when you create one, ensure you set these permissions immediately.
The .ssh directory and all its contents must be owned by your user account. Run:
chown -R $USER ~/.sshVerify ownership:
ls -l ~/.sshAll files should list your username as the owner. If the group is different from your primary group, you can also fix it with:
chown -R $USER:$USER ~/.sshIf you have multiple files with permission issues, run all fixes together:
chmod 700 ~/.ssh
chmod 600 ~/.ssh/config
chmod 600 ~/.ssh/authorized_keys
chmod 600 ~/.ssh/id_rsa
chmod 644 ~/.ssh/id_rsa.pubCommon permissions for SSH files:
- ~/.ssh/ → 700 (drwx------)
- ~/.ssh/config → 600 (-rw-------)
- ~/.ssh/id_rsa (private key) → 600 (-rw-------)
- ~/.ssh/id_rsa.pub (public key) → 644 (-rw-r--r--)
- ~/.ssh/authorized_keys → 600 (-rw-------)
If you're on Windows (WSL or native OpenSSH), inherited permissions from parent directories can cause issues:
1. Open Windows Explorer and navigate to your .ssh folder (usually C:\Users\YourUsername\.ssh)
2. Right-click the .ssh folder → Properties
3. Click the Security tab → Click Advanced
4. Click "Disable inheritance" button
5. Choose "Remove all inherited permissions from this object"
6. Click OK
Then set explicit permissions:
- In Advanced Security Settings, click "Add"
- Click "Select a principal", then type your Windows username
- Click "Check Names"
- Give yourself Full Control
- Remove all other entries except SYSTEM
Click OK to apply and close all dialogs.
After fixing permissions, test that SSH works:
ssh -v localhostThe -v flag shows verbose output. If you see the error again, it will display which file has the problem. A successful connection will show:
...
debug1: Configuration found in /home/user/.ssh/config
...You can also test a specific SSH key or host:
ssh -i ~/.ssh/id_rsa username@remote-hostIf the error persists after fixing permissions, verify that you're using the correct username and that the .ssh directory path is correct (it should always be in your home directory).
Advanced considerations:
SSH Daemon vs. SSH Client: The error occurs in the SSH client when reading .ssh/config. The SSH daemon (sshd) has separate permission requirements for server-side files like /etc/ssh/sshd_config and ~/.ssh/authorized_keys.
Umask Settings: If you frequently recreate .ssh files, check your umask setting. A default umask of 0077 will create files with 600 permissions automatically. Set it with: umask 0077 or add to your shell RC file (.bashrc, .zshrc, etc.).
SSH Agent Permissions: If using SSH agent (ssh-agent), the socket directory /tmp/ssh-* must have 700 permissions. SSH is strict about this to prevent hijacking attacks.
WSL (Windows Subsystem for Linux): WSL can have permission issues due to Windows NTFS filesystem not supporting Unix permissions the same way. If you copied .ssh from Windows to WSL, you may need to manually fix permissions even though they appear correct in Windows Explorer. Run the chmod commands in WSL terminal.
NFS Mounted Home Directories: On systems where home directories are NFS-mounted, permission enforcement might differ. If you get the error despite having correct permissions shown by ls, contact your system administrator about NFS permission enforcement.
Git and SSH Config: When Git uses SSH (for cloning private repos), it reads your SSH config to find the appropriate key. This error will prevent Git from working with SSH-based repositories until fixed.
Load key "/home/user/.ssh/id_rsa": invalid format
How to fix 'Load key invalid format' in SSH
Error connecting to agent: Connection refused
How to fix "Error connecting to agent: Connection refused" in SSH
Connection closed by UNKNOWN port 65535
How to fix 'Connection closed by UNKNOWN port 65535' in SSH
Offending ECDSA key in /home/user/.ssh/known_hosts:line
How to fix "Offending ECDSA key in known_hosts" in SSH
bind: Address already in use
How to fix "bind: Address already in use" in SSH