This error occurs when the SSH agent refuses to sign a key operation, typically due to incorrect file permissions on your private key or agent authentication issues. It prevents SSH authentication even when the key exists locally.
When you attempt to SSH to a remote host, your SSH client asks the SSH agent (a background process) to sign a cryptographic challenge using your private key. The agent performs the authentication signature operation. If the agent refuses this operation, it means the key exists but the agent cannot or will not use it for signing—usually because the private key file has overly open permissions (readable by other users), violating SSH security requirements. The private key file must not be accessible to anyone except the file owner.
The most common cause is private key files with overly open permissions. Check your key permissions:
ls -l ~/.ssh/id_rsaThe output should show: -rw------- 1 user user (which is 0600 or 600 in octal).
If permissions are more open (for example -rw-r--r-- or -rwxrwxrwx), fix them immediately:
chmod 600 ~/.ssh/id_rsa
chmod 600 ~/.ssh/id_ed25519
chmod 600 ~/.ssh/id_ecdsaAlso ensure ~/.ssh directory itself has correct permissions:
chmod 700 ~/.sshAfter fixing permissions, the agent should accept the key for signing.
After fixing permissions, re-add the key to the SSH agent:
ssh-add ~/.ssh/id_rsaIf your key is password-protected, you'll be prompted to enter the passphrase.
To verify the key is now properly loaded:
ssh-add -lThis lists all keys the agent knows about. Your key should appear without any warnings.
If permissions are correct but the agent still refuses operations, the agent process may be stuck. Kill and restart it:
pkill ssh-agent
eval $(ssh-agent -s)Then re-add your key:
ssh-add ~/.ssh/id_rsaTry your SSH connection again.
If you're using a hardware security key, the error may indicate the key requires physical confirmation (tap/touch):
ssh-add ~/.ssh/id_rsa # Add the key
ssh [email protected] # Attempt connection, watch for confirmation promptWhen prompted, physically confirm on your hardware key (press button, tap sensor, etc.). If using YubiKey over SSH, ensure you tap the key when the authentication prompt appears.
If the agent shows "no identities" even after adding the key:
ssh-add -lYour hardware key vendor may require additional configuration. Check their SSH integration documentation.
As a temporary workaround, you can skip the SSH agent and use the key directly:
ssh -o IdentityAgent=none -i ~/.ssh/id_rsa [email protected]This tells SSH to ignore the agent and authenticate directly with the specified key file. This works only if the key file permissions are correct (600) and the key is not password-protected (or you accept being prompted for the passphrase).
To make this permanent for all connections, add it to ~/.ssh/config:
Host *
IdentityAgent noneNote: This disables agent forwarding, which some workflows rely on.
If your SSH key is encrypted with a passphrase, the agent should prompt you when you add it. However, some SSH clients don't support password prompts in non-interactive sessions.
To check if your key is password-protected:
head -2 ~/.ssh/id_rsaIf the second line says Proc-Type: 4,ENCRYPTED, your key is password-protected.
For automated SSH (CI/CD, scripts), use an unencrypted key or an SSH agent that's already loaded:
# Load key with passphrase once
ssh-add ~/.ssh/id_rsa
# Then use SSH commands without prompts (agent handles authentication)Alternatively, generate an unencrypted key for automation (store safely!):
ssh-keygen -t rsa -b 4096 -f ~/.ssh/id_rsa_automation -N ""Ensure the public key on your local machine matches what's configured on the remote server:
cat ~/.ssh/id_rsa.pubCopy this output and verify it exists on the remote host in ~/.ssh/authorized_keys:
ssh [email protected] "grep 'YOUR_PUBLIC_KEY_HERE' ~/.ssh/authorized_keys"If the public key is not listed, add it:
cat ~/.ssh/id_rsa.pub | ssh [email protected] 'cat >> ~/.ssh/authorized_keys'After verifying/updating authorized_keys, permissions on the remote side also matter:
ssh [email protected] "chmod 700 ~/.ssh && chmod 600 ~/.ssh/authorized_keys"Advanced troubleshooting:
SELinux and AppArmor: On systems with SELinux or AppArmor enabled, SSH agent communication may be blocked. Check security policy violations:
sudo tail -f /var/log/audit/audit.log | grep ssh-agentSSH Agent Forwarding: If using agent forwarding (-A flag), ensure both local and remote agents trust each other. Agent forwarding requires properly configured SSH sockets in SSH_AUTH_SOCK.
Rootless SSH: When SSH runs as a non-root user accessing files owned by root, agent operations may be refused. Use the same user context consistently.
macOS Keychain: macOS caches SSH passphrases in Keychain, but sometimes the Keychain entry becomes corrupted. Regenerate the entry:
ssh-add -K ~/.ssh/id_rsa # Re-add to KeychainWindows (WSL/Git Bash): On Windows, ensure your SSH key is in the correct location (e.g., C:\Users\USERNAME\.ssh\id_rsa for Git Bash) and has proper NTFS permissions (not world-readable).
Multiple Keys: If you have multiple keys with similar names, the agent may be trying the wrong one first. Use IdentitiesOnly to restrict which keys the agent tries:
Host github.com
IdentitiesOnly yes
IdentityFile ~/.ssh/github_keySomeone could be eavesdropping on you right now (man-in-the-middle attack)!
How to fix SSH man-in-the-middle attack warning in SSH
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ @ WARNING: UNPROTECTED PRIVATE KEY FILE! @ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
How to fix "WARNING: UNPROTECTED PRIVATE KEY FILE!" in SSH
sign_and_send_pubkey: no mutual signature supported
How to fix "sign_and_send_pubkey: no mutual signature supported" in SSH
Bad owner or permissions on /home/user/.ssh/known_hosts
How to fix "Bad owner or permissions on known_hosts" in SSH
It is required that your private key files are NOT accessible by others.
How to fix "private key files are NOT accessible by others" in SSH