Windows SSH: Permissions for 'private-key' are too open

122

38

I have OpenSSH 7.6 installed on Windows 7 for testing purposes. The SSH client & server worked just fine until I tried to access one of my AWS EC2 boxes from this Windows machine.

It seems like I need to change the permissions on the private key file. This can be easily done on Unix/Linux with the chmod command.

What about windows?

private-key.ppm was copied directly from AWS, and I guess the permissions were too.

C:\>ssh -V
OpenSSH_7.6p1, LibreSSL 2.5.3

C:\>ver

Microsoft Windows [Version 6.1.7601]

C:\>


C:\>ssh ubuntu@192.168.0.1 -i private-key.ppk
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions for 'private-key.ppk' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
Load key "private-key.ppk": bad permissions
ubuntu@192.168.0.1: Permission denied (publickey).

C:\>
C:\>
C:\>ssh ubuntu@192.168.0.1 -i private-key.ppm
Warning: Identity file private-key.ppm not accessible: No such file or directory.
ubuntu@192.168.0.1: Permission denied (publickey).

C:\>

Sabrina

Posted 2018-02-18T05:10:44.880

Reputation: 1 703

Have you tried modifying the ACL? – Ignacio Vazquez-Abrams – 2018-02-18T05:12:50.040

Is your private key actually in the C:\ root path? I can see why it is complaining, as usually things in C:\ are accessible by everyone. Have you tried moving it to a folder that only you as the user have access to (e.g. C:\Users\username\desktop) and seeing if that message still comes up? – Darius – 2018-02-18T05:19:34.203

@Darius, yes it is. When you copy a file from Unix/Linux to Windows, the permissions are copied as well. I need to change this but am not sure how to do it on Windows. This can be easily done on Unix/Linux with the chmod command. – Sabrina – 2018-02-18T05:27:42.010

@IgnacioVazquez-Abrams, ACL? What kind of ACL? – Sabrina – 2018-02-18T05:28:19.530

The ACL. Of the private key. – Ignacio Vazquez-Abrams – 2018-02-18T05:29:13.023

@Sabrina Either use the icacls command to change permissions, or simply right-click the private key, choose Properties, and check under the "Security" tab. Make sure that it is only accessible by you / whoever is supposed to be able to access the private key. If "Users" has read access, that means anyone who has access to the system can read that private key. – Darius – 2018-02-18T05:30:24.577

You can usually sidestep this on Linux and Unix using chmod -R o-rwx ~/.ssh. That is, remove all permissions granted to other. For Windows remove Everyone from the .ssh/ and key ACLs. – jww – 2018-09-08T13:29:41.623

Answers

150

You locate the file in Windows Explorer, right-click on it then select "Properties". Navigate to the "Security" tab and click "Advanced".

Change the owner to you, disable inheritance and delete all permissions. Then grant yourself "Full control" and save the permissions. Now SSH won't complain about file permissions being too open anymore.

It should end up looking like this:

[screenshot of the resulting permission entries]

iBug

Posted 2018-02-18T05:10:44.880

Reputation: 5 254

I'd just like to add 1) This method works on my Windows 10 (10.0.17134.191) box w/Cygwin ver CYGWIN_NT-10.0-WOW 2.3.1(0.291/5/3) 2015-11-14 12:42 and ssh ver OpenSSH_for_Windows_7.6p1, LibreSSL 2.6.4, and 2) Thanks! @iBug! – atreyu – 2018-07-28T15:10:57.477

IF the key file is on Thumb Drive / Flash disk, that Security tab is not available! – Dylan B – 2018-08-14T08:11:24.530

@DylanB Why'd you put credentials on a removable drive? (In fact, that tab is available only on NTFS filesystems - you can format your drive into NTFS easily). – iBug – 2018-08-14T09:53:36.937

Actually, I did that and it still complains that 0777 permissions are too open. – Aaron Bramson – 2018-09-04T08:25:45.410

Why is this so difficult on Windows? Can someone just add a --ignore-stupid-rule command option? – Liam Mitchell – 2018-12-20T20:57:21.500

How do you "change the owner to yourself", what do I type in? It doesn't accept my username or name or windows live email or anything. – stackers – 2019-02-10T21:17:54.717

Thanks, worked like a charm. – giovannipds – 2019-09-02T17:46:02.933

Stupid, I don't have the permissions to do that.. -_- – JohannSchwarz – 2019-11-29T12:15:31.500

Worked excellently, thanks – Rewanth Cool – 2020-02-07T03:13:54.580

Thanks a lot! This worked while everything on the internet had failed me until now. – Sergio Prats – 2020-02-11T23:26:44.870

29

Keys must only be accessible to the user they're intended for and no other account, service, or group.

  • GUI:
    • [File] Properties - Security - Advanced
      1. Set Owner to the key's user
      2. Remove all users, groups, and services, except for the key's user, under Permission Entries
      3. Set key's user to Full Control


  • CLI:

    :: # Set Variable ::
    Set Key="C:\Path\to\key"
    
    :: # Remove Inheritance ::
    Cmd /c Icacls %Key% /c /t /Inheritance:d
    
    :: # Set Ownership to Owner ::
    Cmd /c Icacls %Key% /c /t /Grant %UserName%:F
    
    :: # Remove All Users, except for Owner ::
    Cmd /c Icacls %Key% /c /t /Remove Administrator "Authenticated Users" BUILTIN\Administrators BUILTIN Everyone System Users
    
    :: # Verify ::
    Cmd /c Icacls %Key%
    

JW0914

Posted 2018-02-18T05:10:44.880

Reputation: 2 135

What if the owner is actually a group? In my case, I have a file owned by network service so Cygwin thinks the permission is 0770 instead of 0700. – hyspace – 2018-11-12T21:29:41.323

A file must be owned by a user and a group, not just a group. Group permissions are the 3rd octal [user is the 2nd] in a four octal specification and SSH keys cannot be group or others accessible – JW0914 – 2018-11-13T03:16:04.253

That is the case of Unix. In Windows, network service can own a file and it is a group – hyspace – 2018-11-13T18:40:32.640

Cygwin allows POSIX API functionality on Windows, but it still operates under the rules of the native UNIX based programs (hence 3 & 4 octal permissions in a UGO setup). While you can open an issue on Microsoft's Win32-OpenSSH's GitHub, since SSH keys must be group and others inaccessible, having ownership in the way you describe is likely not supported. It's better to conform to a program's norm than attempt to configure it in a [likely] non-supported way. – JW0914 – 2018-11-16T13:52:45.980

This should be the correct answer. Thanks for the CLI options. The GUI always sucks in Windows's case. – shyammakwana.me – 2019-04-30T20:51:11.170

Thanks for the CLI example! In my case I had to add another thing in the remove action: "NT Authority\Authenticated Users". – botismarius – 2019-06-14T09:35:10.280

@botismarius Was the key in a folder other than the %UserProfile% or .ssh directory (%UserProfile%\.ssh)? IIRC Authenticated Users should not have default access to %UserProfile%; nonetheless, I have edited the answer to include Authenticated Users in the removal command. – JW0914 – 2019-06-14T11:11:46.987

@JW0914 indeed, my file was outside of %UserProfile% folder. – botismarius – 2019-06-15T13:26:56.520
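As an added example that is not from JW0914's answer or any other post here: the same hardening done in PowerShell through Get-Acl/Set-Acl rather than icacls, followed by a check that lists every principal outside an allowlist that still holds an Allow entry on the key. The function names, the $AllowedPrincipals parameter and the sample key path are this example's own assumptions; it needs an NTFS volume (Get-Acl does not work on FAT, see Dylan B's comment above), and taking ownership of a file you do not already own requires an elevated PowerShell prompt.

```powershell
# Added example, not code from any answer on this page. Function names and the
# $AllowedPrincipals parameter are this example's own assumptions.

function Protect-SshKeyAcl {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Principals that keep access. Default: the current user only, as in
        # JW0914's answer. Add 'NT AUTHORITY\SYSTEM' and 'BUILTIN\Administrators'
        # for the layout lazycipher describes further down the page.
        [string[]] $AllowedPrincipals = @([System.Security.Principal.WindowsIdentity]::GetCurrent().Name)
    )
    $file = Get-Item -LiteralPath $Path -Force
    $acl  = Get-Acl -LiteralPath $file.FullName
    $me   = [System.Security.Principal.NTAccount]([System.Security.Principal.WindowsIdentity]::GetCurrent().Name)

    # 1. Ownership. Taking over a file you do not own needs an elevated prompt;
    #    Set-Acl below fails otherwise (the "I don't have the permissions"
    #    problem from the comments on iBug's answer).
    if ($acl.Owner -ne $me.Value) { $acl.SetOwner($me) }

    # 2. Stop inheriting from the parent folder and discard the inherited ACEs
    #    (what icacls /inheritance:r does).
    $acl.SetAccessRuleProtection($true, $false)

    # 3. Drop every remaining explicit ACE, then grant Full Control only to the
    #    allowed principals (what the /remove ... and /grant ...:F steps do).
    foreach ($ace in @($acl.Access)) { [void]$acl.RemoveAccessRule($ace) }
    foreach ($principal in $AllowedPrincipals) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $principal, 'FullControl', 'Allow')
        $acl.AddAccessRule($rule)
    }

    if ($PSCmdlet.ShouldProcess($file.FullName, 'Rewrite DACL')) {
        Set-Acl -LiteralPath $file.FullName -AclObject $acl
    }
}

function Test-SshKeyAcl {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string[]] $AllowedPrincipals = @([System.Security.Principal.WindowsIdentity]::GetCurrent().Name)
    )
    $acl = Get-Acl -LiteralPath $Path
    # Any Allow entry for a principal outside the allowlist is what makes ssh
    # print "Permissions for '...' are too open" and ignore the key.
    $extra = @($acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -notin $AllowedPrincipals
    })
    [pscustomobject]@{
        Path        = $Path
        Owner       = $acl.Owner
        Inheriting  = -not $acl.AreAccessRulesProtected
        ExtraAccess = @($extra | ForEach-Object { "$($_.IdentityReference.Value): $($_.FileSystemRights)" })
        Ok          = ($extra.Count -eq 0) -and $acl.AreAccessRulesProtected
    }
}

# Usage (constructed path; point it at your own key):
$key = Join-Path $env:USERPROFILE '.ssh\id_rsa'
Test-SshKeyAcl -Path $key | Format-List     # see what is wrong first
Protect-SshKeyAcl -Path $key                # fix it
Test-SshKeyAcl -Path $key | Format-List     # Ok should now be True
```

Run the check first, then the fix, then the check again: with the default allowlist, Ok becomes True only when the current user is the sole principal with an Allow entry and inheritance is off. Pass -WhatIf to Protect-SshKeyAcl to preview the rewrite without touching the file.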

15

In addition to the answer provided by iBug: since I was using the Ubuntu system inside Windows to run the ssh command, it still was not working. So I did

sudo ssh ...

and then it worked.

Parv Sharma

Posted 2018-02-18T05:10:44.880

Reputation: 275

sudo should not be utilized to open an SSH session as it's a security risk. The only time (at least that I'm aware of) root's account should be utilized to open an SSH session is on single-user systems (i.e. normally found on router OS's [OpenWrt, DD-WRT, etc.] and other embedded systems). SSH keys must be accessible only to the user they're for and no other account, service, or group. – JW0914 – 2019-05-27T18:03:45.873

@JW0914 LOL I have a single-user Debian server and the sole (login) user is root. I don't think an extra non-root user is beneficial because it's my personal server and I login only when performing maintenance work. – iBug – 2019-10-28T05:12:48.703

@iBug Please re-read my comment, as it appears you entirely missed the second sentence... – JW0914 – 2019-10-28T12:02:28.270

5

I had the same problem, and it seems to be related to the version of SSH you're running.

If I type

where ssh

I get...

C:\Windows\System32\OpenSSH\ssh.exe
C:\Program Files\Git\usr\bin\ssh.exe

When I run ssh -V in both locations, I get

OpenSSH_7.5p1, without OpenSSL
OpenSSH_7.3p1, OpenSSL 1.0.2k  26 Jan 2017

...respectively

So, when I run ssh from the git/bin directory, it works fine and doesn't complain about the permissions, but running the same command line, using the former installation of SSH, it comes back with this.

Load key "t:\\mykeys\\rich-private.ppk": invalid format
banana@127.0.0.127: Permission denied (publickey).

PS: the permissions on the file are just full access for myself, and nothing else.

Rich S

Posted 2018-02-18T05:10:44.880

Reputation: 233

OpenSSH should not be installed to the Windows directory for a whole host of reasons, from security, to it being a massive inconvenience should one need to fix a corrupted Windows directory either via DISM or using the Reset option (which has been improved to utilize the WinSxS directory versus reverting to the original install.esd). – JW0914 – 2018-07-09T19:40:18.673

This is what helped me, I never got the windows ssh version to work in this scenario, only Git's :( – cudacoder – 2019-03-07T00:27:32.847

This was also the fix for me. It seems Windows 10 Pro now bundles a pooched version of openssh. I was forced to remove the C:\Windows\System32\OpenSSH folder and add git's ssh.exe to PATH. – Shukri Adams – 2019-05-23T16:45:22.073

This "fixed" it for me, using C:\Program Files\Git\usr\bin\ssh.exe works as C:\Windows\System32\OpenSSH\ssh.exe does not – smartins – 2019-11-12T09:12:57.030
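Rich S's answer comes down to which ssh.exe the shell resolves first. As an added example (not from that answer or its comments), this PowerShell snippet lists every ssh.exe on PATH in resolution order together with its version; the function name is this example's own. Note that ssh -V writes to stderr, so it is redirected into the pipeline.

```powershell
# Added example, not code from the original page. Get-SshBinaries is this
# example's own name.
function Get-SshBinaries {
    # -All returns every application named ssh on PATH, first match first;
    # the first row is the one a bare "ssh" invokes.
    Get-Command ssh -CommandType Application -All -ErrorAction SilentlyContinue |
        ForEach-Object {
            # ssh -V prints its banner to stderr; 2>&1 merges it into the output.
            $version = (& $_.Source -V 2>&1 | ForEach-Object { "$_" }) -join ' '
            [pscustomobject]@{
                Path    = $_.Source
                Version = $version.Trim()
            }
        }
}

Get-SshBinaries | Format-Table -AutoSize
```

If the binary you want is not the first row, call it by full path (as smartins does above) or move its directory earlier in PATH.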

5

Use the command below on your key; it works on Windows.

icacls .\private.key /inheritance:r
icacls .\private.key /grant:r "%username%":"(R)"

Walter Ferrao

Posted 2018-02-18T05:10:44.880

Reputation: 51

4

I had a similar issue but I was at work and don't have the ability to change file permissions on my work computer. What you need to do is install WSL, then copy your key to the hidden ssh directory in WSL:

cp <path to your key> ~/.ssh/<name of your key>

Now you should be able to modify the permissions normally.

sudo chmod 600 ~/.ssh/<your key's name>

Then ssh using WSL:

ssh -i ~/.ssh/<name of your key> <username>@<ip address>

JKauffman

Posted 2018-02-18T05:10:44.880

Reputation: 41

3

You need just 2 things:

1) Disable inheritance [screenshot]

2) Convert inherited permissions to explicit permissions [screenshot]

3) Remove the Users group [screenshot]

4) You will end up with no Users able to access private files; this should be enough to add id_rsa. [screenshot]

Artur Mustafin

Posted 2018-02-18T05:10:44.880

Reputation: 174

2

You can use icacls in Windows instead of chmod to adjust file permissions. To give the current user read permission and remove everything else:

icacls <file name> /inheritance:r
icacls <file name> /grant:r "%username%":"(R)"

manjuv

Posted 2018-02-18T05:10:44.880

Reputation: 21

1

This is just a scripted version of @JW0914's CLI answer, so upvote him first and foremost. Also, it is my first PowerShell script, so suggestions welcome.

# Do the following in PowerShell if not already done:
# Set-ExecutionPolicy RemoteSigned


# NOTE: edit the path in this command if needed
$sshFiles = Get-ChildItem -Path C:\DevContainerHome\.ssh -Force

$sshFiles | ForEach-Object {
  $key = $_.FullName   # pass the full path, not the FileInfo object
  & icacls $key /c /t /inheritance:d
  # %username% is cmd syntax and is not expanded by PowerShell; use $env:USERNAME
  & icacls $key /c /t /grant "${env:USERNAME}:F"
  & icacls $key /c /t /remove Administrator "Authenticated Users" BUILTIN\Administrators BUILTIN Everyone System Users
}

# Verify:
$sshFiles | ForEach-Object {
  & icacls $_.FullName
}

bbarker

Posted 2018-02-18T05:10:44.880

Reputation: 276

1

A single line in CMD might do the trick (as described here: https://serverfault.com/a/883338/550334), i.e. adding the key from stdin instead of changing the permissions ("-" tells ssh-add to read the key from stdin):

cat /path/to/permission_file | ssh-add -k -

To check if key has been added:

ssh-add -l

majom

Posted 2018-02-18T05:10:44.880

Reputation: 111

0

Use Mingw-w64.

Info: http://mingw-w64.org/doku.php

Download with Git for Windows, or directly.

Available here: https://github.com/mirror/mingw-w64

git clone https://github.com/mirror/mingw-w64

It also has other useful Linux commands like tar and gzip.

Dallas Clarke

Posted 2018-02-18T05:10:44.880

Reputation: 101

0

I'm a Windows user, using Windows's bash, and I followed all the steps to set permissions using the Windows GUI, and it still doesn't work and complains:

Permissions 0555 for 'my_ssh.pem' are too open.
It is required that your private key files are NOT accessible by others.

Then I added sudo at the front of the ssh command and it just works. Hope this is helpful to others.

Alex Ramses

Posted 2018-02-18T05:10:44.880

Reputation: 1

But do you login to the server as yourself or as root? – G-Man Says 'Reinstate Monica' – 2019-11-26T06:56:57.527

I run the Windows bash terminal as myself, but I did 'Run as administrator' when I launched Bash. – Alex Ramses – 2019-11-26T08:13:22.713

0

I couldn't get any of these answers working for me due to permission issues, so I'll share my solution:

  1. Go to C:\Users\UserName\.ssh

  2. Copy and paste the id_rsa file

  3. Rename it to something else, e.g. example

  4. Open the renamed file example and replace the key with your own private key

  5. cd to that directory

  6. Do ssh -i example example@127.0.0.1 and enter your password.

isopach

Posted 2018-02-18T05:10:44.880

Reputation: 101

-1

The answer by iBug works fine! You can follow that and get rid of this issue.

But there are a few things which need to be cleared up, as I faced issues while setting up permissions and it took me a few minutes to figure out the problem!

Following iBug's answer, you'll remove all the permissions, but how do you set the Full Control permission for yourself? That's where I got stuck at first, as I didn't know how to do that.

After disabling inheritance, you'll be able to delete all allowed users or groups.

Once done with that,

Click on Add, then click on Set a Principal, then enter System, Administrators and your email address in the field at the bottom, then click on Check Names.

It'll load the name if the user exists. Then click on OK > Type: Allow > Basic Permissions: Full Control > OK.

This will set up the Full Control permission for SYSTEM, Administrators and your user.

After that, try to ssh using that key. It should be solved now.

I had the same issue and I solved it using this method. If there's any user or group with that name then it'll load that.

[Screenshots: Permission Entries; Select a Principal / Select User or Groups]

lazycipher

Posted 2018-02-18T05:10:44.880

Reputation: 1