Problem Description
When connecting from one server to another via SSH, you may encounter the following error:
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: UNPROTECTED PRIVATE KEY FILE! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0755 for '/root/.ssh/id_rsa' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
Load key "/root/.ssh/id_rsa": bad permissions
The error clearly indicates the root cause: the permissions on the private key file (/root/.ssh/id_rsa) are too permissive, violating SSH security requirements.
Root Cause Analysis
The SSH client enforces strict restrictions on private key file permissions. A private key file (e.g., id_rsa) must be readable and writable only by its owner. No other users (including group members) should have any access. The correct permission is typically 600 (i.e., -rw-------).
If permissions are set incorrectly (e.g., 755 or 644), the SSH client will refuse to use the key for security reasons, causing the connection to fail.
Solution
The core solution is to correct the private key file permissions. Follow these detailed steps and best practices.
Step 1: Fix Private Key File Permissions
On the client server (the one initiating the connection), run:
chmod 600 /root/.ssh/id_rsa
This sets the private key file to be readable and writable only by the root user.
Step 2: Ensure Correct .ssh Directory Permissions
In addition to the private key, the .ssh directory itself must have correct permissions. Typically, it should be 700 (drwx------).
chmod 700 /root/.ssh
Step 3: Use ssh-copy-id to Securely Copy the Public Key (Recommended)
To avoid permission issues from manually copying the public key, use the ssh-copy-id command. It automatically appends the public key to the target server's ~/.ssh/authorized_keys file and sets correct permissions.
Basic command format:
ssh-copy-id -i /root/.ssh/id_rsa.pub -p [port] root@[target_ip]
Parameter explanation:
- -i /root/.ssh/id_rsa.pub: Specifies the public key file path.
- -p [port]: Specifies the target SSH port. Omit if using the default port 22.
- root@[target_ip]: Target server username and IP address.
Example: For target IP 192.168.1.100 and port 2222:
ssh-copy-id -i /root/.ssh/id_rsa.pub -p 2222 root@192.168.1.100
Enter the target root user's password when prompted.
Step 4: Verify Two-Way Passwordless Login (Optional)
For bidirectional passwordless SSH login between two servers, repeat the process on the other server:
- Generate an SSH key pair on the target server: ssh-keygen -t rsa (use defaults).
- Use ssh-copy-id to copy the new public key back to the first server.
- Ensure private key permissions are 600 and .ssh directory permissions are 700 on both servers.
Additional Notes & Best Practices
- Permission Check: After configuration, verify with ls -la /root/.ssh/.
- Security Advice: Avoid using the root user for SSH key login. Create a regular user with sudo privileges for daily operations and configure SSH keys under that account.
- Port Confirmation: If unsure of the target SSH port, check its config: cat /etc/ssh/sshd_config | grep ^Port.
- Applicability: These methods apply to Linux and macOS. For Windows with OpenSSH client, the permission logic is similar, but paths and commands may differ.
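The permission check from Steps 1 and 2 and the Permission Check note, as an added shell example that is not part of the original article: it flags the .ssh directory and every private key file that grants any access to group or other, and with the fix argument applies the chmod 700 and chmod 600 values given above. The function names and the "BAD" output format are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original article): audit an .ssh directory.
# A private key is flagged when any group/other permission bit is set.

# Print the octal mode of a path: GNU stat (Linux) first, BSD stat (macOS) next.
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Succeed when the first line of the file is a private key header.
is_private_key() {
    [ -f "$1" ] && [ -r "$1" ] || return 1
    IFS= read -r header < "$1" || return 1
    case "$header" in
        "-----BEGIN "*"PRIVATE KEY-----"*) return 0 ;;
    esac
    return 1
}

# Succeed when the mode grants nothing to group or other (600, 400, 700, ...).
owner_only() {
    case "$1" in
        0 | *00) return 0 ;;
    esac
    return 1
}

# audit_ssh_dir DIR [fix]: print "BAD <mode> <path>" for every finding.
# With "fix", apply chmod 700 to the directory and chmod 600 to the keys.
# Returns 1 when anything was found, 0 when the directory is clean.
audit_ssh_dir() {
    dir=$1 fix=${2:-} found=0
    mode=$(mode_of "$dir")
    if ! owner_only "$mode"; then
        echo "BAD $mode $dir"; found=1
        [ "$fix" = fix ] && chmod 700 "$dir"
    fi
    for f in "$dir"/*; do
        is_private_key "$f" || continue
        mode=$(mode_of "$f")
        owner_only "$mode" && continue
        echo "BAD $mode $f"; found=1
        [ "$fix" = fix ] && chmod 600 "$f"
    done
    return "$found"
}

# Run only when a directory is given, e.g.: sh audit.sh /root/.ssh fix
if [ "$#" -gt 0 ]; then audit_ssh_dir "$@"; fi
```

Public key files such as id_rsa.pub are skipped because their first line is not a private key header, so their usual 644 mode is not reported.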
Following these steps will resolve the "WARNING: UNPROTECTED PRIVATE KEY FILE!" error and establish a secure SSH passwordless login channel.