Chmod 600 for SSH Keys

Learn why chmod 600 is required for SSH private keys. The SSH client enforces this permission for security. Essential guide.

Permission

600

rw-------

chmod 600 filename

Permission Breakdown

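| Role   | Read (4) | Write (2) | Execute (1) | Octal | Meaning        |
|--------|----------|-----------|-------------|-------|----------------|
| Owner  | r        | w         | -           | 6     | read, write    |
| Group  | -        | -         | -           | 0     | no permissions |
| Others | -        | -         | -           | 0     | no permissions |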

Visual Permission Grid

         Read  Write  Execute
Owner     r     w       -
Group     -     -       -
Others    -     -       -

Detailed Explanation

The permission 600 is mandatory for SSH private key files. The SSH client will refuse to use a private key if its permissions are too open.

Octal breakdown:

  • 6 (Owner): read (4) + write (2) = read and write
  • 0 (Group): no access
  • 0 (Others): no access

In symbolic notation this is rw-------.

When you try to use an SSH key with permissions more open than 600, you will see this error:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0644 for 'id_rsa' are too open.
It is required that your private key files are NOT accessible by others.

This strict requirement exists because SSH private keys are the equivalent of passwords for server authentication. If another user on the system can read your private key, they can impersonate you on any server that trusts that key. The SSH client enforces 600 or stricter (like 400) as a security measure.

Files that must be 600: ~/.ssh/id_rsa, ~/.ssh/id_ed25519, ~/.ssh/id_ecdsa, and any other private key file. The ~/.ssh directory itself should be 700, and ~/.ssh/authorized_keys should be 644 or 600.
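The modes listed above can be checked in one pass. The following is an added example, not part of the original page: it finds private keys by their header line rather than by file name, and takes "too open" to mean that any group or others bit is set. The function names and the GNU/BSD stat fallback are assumptions of this sketch.

```shell
#!/bin/sh
# Added example (not from the original page): audit an SSH directory.
# Assumes GNU stat (-c) with a BSD/macOS stat (-f) fallback.

# Print the octal permission bits of a path, e.g. 600.
mode_of() {
    stat -L -c '%a' "$1" 2>/dev/null || stat -L -f '%Lp' "$1"
}

# Succeed when group or others hold any permission bit (mode & 077 != 0).
too_open() {
    [ $(( 0$(mode_of "$1") & 077 )) -ne 0 ]
}

# Detect private keys by content, not name: PEM and OpenSSH private
# keys begin with a "-----BEGIN ... PRIVATE KEY-----" header line.
is_private_key() {
    head -n 1 "$1" 2>/dev/null | grep -q 'PRIVATE KEY-----'
}

# Usage: audit_ssh_dir DIR [1]   (second argument 1 = also run chmod)
# Prints one line per finding; exit status is the number of findings.
audit_ssh_dir() {
    dir=$1 fix=${2:-0} bad=0
    if too_open "$dir"; then
        echo "DIR $(mode_of "$dir") $dir (want 700)"
        bad=$((bad + 1))
        [ "$fix" != 1 ] || chmod 700 "$dir"
    fi
    for f in "$dir"/*; do
        [ -f "$f" ] && is_private_key "$f" || continue
        if too_open "$f"; then
            echo "KEY $(mode_of "$f") $f (want 600)"
            bad=$((bad + 1))
            [ "$fix" != 1 ] || chmod 600 "$f"
        fi
    done
    return "$bad"
}
```

Public keys and authorized_keys are skipped because they do not carry a private key header, so a 644 mode on them is not reported.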

Use Case

Required for all SSH private key files (id_rsa, id_ed25519, id_ecdsa, PEM files). The SSH client enforces this and will refuse to connect if the key has more open permissions.
