The SSH "no such identity" error appears when SSH cannot find the private key file specified in your config or command. Fix it by verifying the key exists and correcting its path.
When SSH (or tools that use SSH like Git, rsync, or Terraform) attempts to authenticate with a remote server, it tries to load private keys from locations specified in your SSH configuration or command-line arguments. This error appears when SSH looks for a key file at the specified path and finds nothing—either the file was deleted, moved to a different location, the path is incorrect, or you haven't generated SSH keys yet. The error is typically harmless when it appears during connection attempts (SSH tries multiple configured keys), but if it's the only authentication method available, the connection will fail. In verbose SSH output (using the -v flag), you'll see this as a "debug3" message for each missing key it tries.
List all files in your .ssh directory to see what keys are available:
ls -la ~/.ssh/You should see files like:
- id_rsa and id_rsa.pub (RSA keys)
- id_ed25519 and id_ed25519.pub (Ed25519 keys - modern, recommended)
- id_ecdsa and id_ecdsa.pub (ECDSA keys)
If you see the key file you need, the issue is a path problem (see next steps). If no keys exist, generate new ones.
If no keys exist, generate a new key pair using ssh-keygen:
# Generate Ed25519 key (modern, recommended)
ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519 -N ""
# Or if you need RSA compatibility:
ssh-keygen -t rsa -b 4096 -f ~/.ssh/id_rsa -N ""Explanation:
- -t ed25519 - Key type (Ed25519 is faster, smaller, and more secure than RSA)
- -f ~/.ssh/id_ed25519 - Full path where to save the key
- -N "" - No passphrase (empty string). For security, consider using a passphrase instead
After generation, verify the keys were created:
ls -la ~/.ssh/id_*If your keys exist but SSH can't find them, the path in ~/.ssh/config might be wrong.
Edit your SSH config:
nano ~/.ssh/configLook for IdentityFile entries and ensure they use absolute paths starting with ~/ or full paths:
# WRONG - relative path
Host github.com
IdentityFile id_rsa
# CORRECT - absolute path with ~
Host github.com
IdentityFile ~/.ssh/id_rsa
AddKeysToAgent yes
IdentitiesOnly yesMake sure:
- Use ~/.ssh/keyname not just keyname
- Match the actual filename in your .ssh directory
- Set proper permissions on the config file:
chmod 600 ~/.ssh/config
chmod 700 ~/.sshIf specifying the key with the -i flag, ensure the path is correct:
# WRONG - file not found
ssh -i id_rsa [email protected]
ssh -i /home/user/.ssh/id_rsa [email protected] # (if path doesn't match actual location)
# CORRECT
ssh -i ~/.ssh/id_ed25519 [email protected]
ssh -i /full/path/to/.ssh/id_ed25519 [email protected]For Git, git clone has no -i/key flag of its own—you tell the underlying SSH which key to use. Configure it for a single command via GIT_SSH_COMMAND:
GIT_SSH_COMMAND="ssh -i ~/.ssh/id_ed25519" git clone [email protected]:user/repo.gitOr configure Git to always use a specific key for SSH operations:
git config --global core.sshCommand "ssh -i ~/.ssh/id_ed25519"The cleanest approach, however, is to set the key per-host in ~/.ssh/config (see the previous step) so Git, rsync, and ssh all pick it up automatically.
Using ssh-add makes your key available to all SSH clients without specifying -i each time:
# Add key to agent
ssh-add ~/.ssh/id_rsa
# Or for Ed25519:
ssh-add ~/.ssh/id_ed25519
# List keys currently in agent
ssh-add -l
# Add all keys from ~/.ssh (if they follow standard naming)
ssh-addIf the key is password-protected, ssh-add will prompt you once per session. After adding, SSH and Git will automatically use this key.
On macOS, you can also store the passphrase in the keychain:
ssh-add --apple-use-keychain ~/.ssh/id_rsaSSH is strict about file permissions for security reasons. Incorrect permissions can make SSH ignore key files.
Check permissions:
ls -l ~/.ssh/id_rsaShould show: -rw------- 1 user group (permissions 600)
Fix if needed:
# Fix private key file permissions
chmod 600 ~/.ssh/id_rsa
# The public key can be world-readable
chmod 644 ~/.ssh/id_rsa.pub
# Fix .ssh directory permissions
chmod 700 ~/.ssh
# Verify
ls -la ~/.ssh/If permissions are wrong, SSH silently ignores the key, which manifests as the "no such identity" error in debug output.
If you recently moved or copied SSH keys, check all places they might be referenced:
1. Check SSH config entries:
grep -n "IdentityFile" ~/.ssh/config2. Check Git config (if using Git):
git config --global core.sshCommand3. Check environment variables:
echo $SSH_AUTH_SOCK # SSH agent socket
echo $GIT_SSH_COMMAND # Per-shell Git SSH override4. Check CI/CD or deployment configurations if this is in a pipeline context (GitHub Actions, GitLab CI, etc.)
Update all references to point to the new location of your keys.
SSH Agent Forwarding: If connecting through a bastion host or jump server, you can use SSH Agent forwarding (-A flag or ForwardAgent yes). Be aware that agent forwarding lets the intermediate host use your agent socket, so a compromised host can hijack it—prefer ProxyJump (ssh -J bastion destination) which never exposes your agent to the bastion.
SELinux/AppArmor Issues: On servers with mandatory access control (CentOS/RHEL with SELinux, or Ubuntu with AppArmor), SSH might not be able to read authorized_keys or other files. Check with sudo dmesg | grep apparmor or sudo audit2why if SSH hangs or fails unexpectedly.
Windows/WSL Considerations: On Windows Subsystem for Linux, SSH keys should be stored in the WSL filesystem (not the mounted Windows drive) and should have 600 permissions. Keys on the Windows mount often lose their permissions and cause "no such identity" errors.
Ed25519 vs RSA: Modern systems prefer Ed25519 keys (smaller, faster, equally secure). Some older systems only support RSA. If a server rejects your Ed25519 key, try generating an RSA key as a fallback.
Debugging with Verbose Output: Use ssh -vvv (triple verbose) to see exactly which identity files SSH tries and which one it finds. This is invaluable for troubleshooting path issues:
ssh -vvv [email protected] 2>&1 | grep -i identitysign_and_send_pubkey: no mutual signature supported
How to fix "sign_and_send_pubkey: no mutual signature supported" in SSH
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
How to fix SSH man-in-the-middle attack warning in SSH
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ @ WARNING: UNPROTECTED PRIVATE KEY FILE! @ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
How to fix "WARNING: UNPROTECTED PRIVATE KEY FILE!" in SSH
sign_and_send_pubkey: signing failed for RSA from agent: agent refused operation
How to fix "sign_and_send_pubkey: signing failed for RSA from agent: agent refused operation" in SSH
Bad owner or permissions on /home/user/.ssh/known_hosts
How to fix "Bad owner or permissions on known_hosts" in SSH