Permissions for SSH key are too open Windows

I have OpenSSH 7.6 installed on Windows 7 for testing purposes. The SSH client & server worked just fine until I tried to access one of my AWS EC2 boxes from this Windows machine.

It seems like I need to change the permission on the private key file. This can be easily done on unix/linux with chmod command.

What about windows?

private-key.ppm is copied directly from AWS and I guess the permission too.

C:\>ssh -V
OpenSSH_7.6p1, LibreSSL 2.5.3

C:\>ver

Microsoft Windows [Version 6.1.7601]

C:\>


C:\>ssh  -i private-key.ppk
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions for 'private-key.ppk' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
Load key "private-key.ppk": bad permissions
: Permission denied (publickey).

C:\>
C:\>
C:\>ssh  -i private-key.ppm
Warning: Identity file private-key.ppm not accessible: No such file or directory.
: Permission denied (publickey).

C:\>

asked Feb 18, 2018 at 5:10

11

You locate the file in Windows Explorer, right-click on it then select "Properties". Navigate to the "Security" tab and click "Advanced".

Change the owner to you, disable inheritance and delete all permissions. Then grant yourself "Full control" and save the permissions. Now SSH won't complain about the file permissions being too open anymore.

It should end up looking like this:

MSC

answered Feb 18, 2018 at 8:57

iBug

21

Keys must only be accessible to the user they're intended for and no other account, service, or group.

  • GUI:
    [File] Properties → Security → Advanced
    1. Owner: The key's user
    2. Permission Entries: Remove all except for the key's user
    3. Set key's user to Full Control
  • Cmd:
    ::# Set Key File Variable:
        Set Key="%UserProfile%\.ssh\id_rsa"
    
    ::# Remove Inheritance:
        Icacls %Key% /c /t /Inheritance:d
    
    ::# Set Ownership to Owner:
        :: # Key's within %UserProfile%:
             Icacls %Key% /c /t /Grant %UserName%:F
    
        :: # Key's outside of %UserProfile%:
             TakeOwn /F %Key%
             Icacls %Key% /c /t /Grant:r %UserName%:F
    
    ::# Remove All Users, except for Owner:
        Icacls %Key% /c /t /Remove:g "Authenticated Users" BUILTIN\Administrators BUILTIN Everyone System Users
    
    ::# Verify:
        Icacls %Key%
    
    ::# Remove Variable:
        set "Key="
    

  • PowerShell:
    # Set Key File Variable:
      New-Variable -Name Key -Value "$env:UserProfile\.ssh\id_rsa"
    
    # Remove Inheritance:
      Icacls $Key /c /t /Inheritance:d
    
    # Set Ownership to Owner:
      # Key's within $env:UserProfile:
        Icacls $Key /c /t /Grant ${env:UserName}:F
    
       # Key's outside of $env:UserProfile:
         TakeOwn /F $Key
         Icacls $Key /c /t /Grant:r ${env:UserName}:F
    
    # Remove All Users, except for Owner:
      Icacls $Key /c /t /Remove:g Administrator "Authenticated Users" BUILTIN\Administrators BUILTIN Everyone System Users
    
    # Verify:
      Icacls $Key
    
    # Remove Variable:
      Remove-Variable -Name Key
    

answered Jun 8, 2018 at 15:34
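
The rule stated in the answer above (the key's user is the owner, and no other account, service, or group has an access entry) can be checked before and after the change. The following PowerShell is an added example, not part of the original answers; the function names Get-KeyAclFinding and Set-KeyAclOwnerOnly are hypothetical, and it assumes Windows PowerShell 5.1 or later, run as the key's user.

```powershell
# Added example, not from the original answers. Windows only; run as the key's user.
function Get-KeyAclFinding {
    # Emit one object per violation of "only the key's user may access the file".
    param([Parameter(Mandatory = $true)][string]$Path)
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $me      = [System.Security.Principal.WindowsIdentity]::GetCurrent().User
    $acl     = Get-Acl -LiteralPath $Path
    $owner   = $acl.GetOwner($sidType)
    if ($owner.Value -ne $me.Value) {
        [pscustomobject]@{ Issue = 'Owner is not the current user'; Sid = $owner.Value }
    }
    # $true, $true = include explicit and inherited ACEs; both grant access.
    foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
        if ($ace.AccessControlType -eq 'Allow' -and $ace.IdentityReference.Value -ne $me.Value) {
            [pscustomobject]@{
                Issue = "Allow ACE: $($ace.FileSystemRights), inherited=$($ace.IsInherited)"
                Sid   = $ace.IdentityReference.Value
            }
        }
    }
}

function Set-KeyAclOwnerOnly {
    # Rewrite the ACL so the current user is owner and the only principal listed.
    param([Parameter(Mandatory = $true)][string]$Path)
    $me  = [System.Security.Principal.WindowsIdentity]::GetCurrent().User
    $acl = Get-Acl -LiteralPath $Path
    $acl.SetOwner($me)
    # Protect the ACL and discard inherited ACEs (what icacls /inheritance:r does).
    $acl.SetAccessRuleProtection($true, $false)
    # Drop the explicit ACEs that were already on the file.
    foreach ($ace in $acl.Access) { [void]$acl.RemoveAccessRule($ace) }
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($me, 'FullControl', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $Path -AclObject $acl
}

# Demo on a constructed dummy file; it holds no key material.
$demo = [System.IO.Path]::GetTempFileName()
Set-Content -LiteralPath $demo -Value 'constructed placeholder, not a private key'
'Before:'; Get-KeyAclFinding -Path $demo | Format-Table -AutoSize
Set-KeyAclOwnerOnly -Path $demo
'After: {0} finding(s)' -f @(Get-KeyAclFinding -Path $demo).Count
Remove-Item -LiteralPath $demo
```

Findings are reported by SID; S-1-5-18 is NT AUTHORITY\SYSTEM and S-1-5-32-544 is BUILTIN\Administrators, two of the principals the Icacls /Remove:g step above clears.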

22

In addition to the answer provided by iBug: since I was using the Ubuntu system inside Windows to run the ssh command, it still was not working. So I did

sudo ssh ...

and then it worked

answered Sep 8, 2018 at 13:27

Parv Sharma

9

I had a similar issue but I was at work and don't have the ability to change file permissions on my work computer. What you need to do is install WSL, then copy your key to the hidden ssh directory in WSL:

cp <path to your key> ~/.ssh/<name of your key>

Now you should be able to modify the permissions normally.

sudo chmod 600 ~/.ssh/<your key's name>

Then ssh using WSL:

ssh -i ~/.ssh/<name of your key> <username>@<ip address>

Giacomo1968

answered Sep 6, 2019 at 18:17

JKauffman

5

You just need to do at least four things:

  1. Disable inheritance
  2. Convert inherited permissions to explicit permissions
  3. Remove Users group
  4. You will end up with no Users able to access private files; this should be enough to add id_rsa.

Matthew Lock

answered Feb 16, 2019 at 21:58

4

Use the commands below on your key; they work on Windows:

icacls .\private.key /inheritance:r
icacls .\private.key /grant:r "%username%":"(R)"

answered Oct 4, 2019 at 13:28

4

This seems to be related to the version of OpenSSH you're running:

  • where ssh returns:
    %WinDir%\System32\OpenSSH\ssh.exe
    %ProgramFiles%\Git\usr\bin\ssh.exe
    
    ssh -V returns:
    # %WinDir%\System32\OpenSSH\ssh.exe
      OpenSSH_7.5p1, without OpenSSL
    
    # %ProgramFiles%\Git\usr\bin\ssh.exe
      OpenSSH_7.3p1, OpenSSL 1.0.2k  26 Jan 2017
    

When running ..\Git\usr\bin\ssh.exe, it works fine and doesn't complain about the permissions, but running ..\OpenSSH\ssh.exe comes back with the following, even though key ACLs are Full Access for myself and nothing else:

load key "t:\mykeys\rich-private.ppk": invalid format
  : Permission denied (publickey).

answered Apr 5, 2018 at 11:53

Rich S

6

You can use icacls in Windows instead of chmod to adjust file permission. To give the current user read permission and remove everything else:

Icacls <file name> /Inheritance:r
Icacls <file name> /Grant:r "%Username%":"(R)"

answered Aug 12, 2019 at 12:39

manjuv

4

  1. Copy the public and private keys to %userprofile%\.ssh
  2. Use the batch script below after finding your keys from the cmd prompt with where *.pub:
    Md %Userprofile%\.ssh
      Copy PublicKey %Userprofile%\.ssh
      Copy PrivateKey %Userprofile%\.ssh
    
    Cd %Userprofile%\.ssh
      Icacls .\PublicKey  /Inheritance:r
      Icacls .\PrivateKey /Inheritance:r
      Icacls .\PublicKey  /Grant:r "%Username%":"(F)"
      Icacls .\PrivateKey /Grant:r "%Username%":"(F)"
    
  3. Right-click each file → Properties → Security:
    Remove everyone except the user, setting the permissions for the user to Read

answered Apr 17, 2020 at 19:34

2

Here's the way to do it using Microsoft's tooling, avoiding the problem from the get-go. But it should also fix the issue, meaning you can follow these instructions with existing keys.

Start PowerShell/Terminal as Administrator and run the following:

Install-Module -Force OpenSSHUtils -Scope AllUsers

# Make sure the service isn't disabled
Get-Service -Name ssh-agent | Set-Service -StartupType Manual

# We need this service as ssh-add depends on it
Start-Service ssh-agent

cat ~\.ssh\example-key.ecdsa | ssh-add -k -

answered Oct 30, 2020 at 14:31

Louis Waweru

2

A single line in CMD might do the trick; as described here, adding the key from stdin instead of changing the permissions:

cat /path/to/permission_file | ssh-add -k -

To check the key has been added:

ssh-add -l

answered Nov 28, 2019 at 14:45

majom

This is just a scripted version of @JW0914's CLI answer, so upvote him first and foremost:

# Do the following in PowerShell if not already done:
# Set-ExecutionPolicy RemoteSigned


# NOTE: edit the path in this command if needed
$sshFiles = Get-ChildItem -Path "$env:userprofile\.ssh" -Force

$sshFiles | % {
  # Use the full path: in Windows PowerShell a FileInfo can stringify to the bare file name
  $key = $_.FullName
  # Convert inherited permissions to explicit ones
  & icacls $key /c /t /inheritance:d
  # Grant the current user Full control
  & icacls $key /c /t /grant "${env:username}:F"
  # Remove every other principal
  & icacls $key /c /t /remove Administrator "Authenticated Users" BUILTIN\Administrators BUILTIN Everyone System Users
}

# Verify:
$sshFiles | % {
  icacls $_.FullName
}

answered Oct 3, 2019 at 21:07

bbarker

I couldn't get any of these answers working for me due to permission issues, so I'll share my solution:

  1. Go to %UserProfile%\.ssh
  2. Copy and paste id_rsa, rename it to something else [example]
  3. Open the renamed file [example] and replace the key with your own private key
  4. cd to that directory
  5. Enter your passphrase after issuing: ssh -i example

answered Feb 24, 2020 at 23:03

7

  1. Download and unzip OpenSSH-Win64.zip (or Win32, depending on your system)
  2. Execute FixUserFilePermissions.ps1 in PowerShell with administrator privilege

answered Mar 14, 2020 at 15:15

1

Answer by iBug works fine! You can follow that and get rid of this issue.

But there are a few things which need to be cleared up, as I faced issues while setting up permissions and it took a few minutes for me to figure out the problem!

Following iBug's answer, you'll remove all the permissions, but how do you set the Full Control permission for yourself? That's where I got stuck at first, as I didn't know how to do that.

After disabling inheritance, you'll be able to delete all allowed users or groups.

Once done with that,

Click on Add, then click on Set a Principal, then enter System and Administrators and your email address in the field at the bottom, then click on Check Names.

It'll load the name if the user exists. Then click on OK > Type Allow > Basic Permissions Full Control > Okay

This will set up the Full Control permission for SYSTEM, Administrators and your user.

After that, try to ssh using that key. It should be solved now.

I had the same issue and I solved it using this method. If there's any user or group with that name then it'll load that.

-Screenshots-

Permission Entries Select a Principal/ Select User or Groups

answered Feb 8, 2019 at 14:20

2

I'm a Windows user, using Windows's bash, and followed all the steps to set permissions using the Windows GUI, and it still doesn't work and it complains:

Permissions 0555 for 'my_ssh.pem' are too open.
It is required that your private key files are NOT accessible by others.

Then I added sudo at the front of the ssh command and it just works. Hope this is helpful to others.

answered Nov 26, 2019 at 6:10

3

I had the same problem on Windows 10, and it arose when I created a second user account on my machine.

Since that new user was also an administrator and it had access to my user folder, I did these steps to limit the access on my .ssh folder and it worked!

  1. Navigate to your user folder at C:\Users\YOU
  2. Right click on .ssh/ folder to open context menu
  3. Under Give access to... sub-menu, select Remove access
  4. Done!

Now try to log back in to your remote computer using ssh!

Hope it helps someone!

answered May 15, 2020 at 23:15

3

How do I change SSH key permissions?

Changing file permissions: we'll first log into our account via SSH and use the pwd command to see which folder we're in. We'll then run the ls command to see the current files and their permissions, run the chmod command to edit permissions, and then finally use ls again to see that the permissions have been changed.

What should permissions be for SSH keys?

.ssh directory permissions should be 700 (drwx------). The public key (.pub file) should be 644 (-rw-r--r--). The private key (id_rsa) on the client host, and the authorized_keys file on the server, should be 600 (-rw-------).

How do I change private key permissions in Windows?

You locate the file in Windows Explorer, right-click on it then select "Properties". Navigate to the "Security" tab and click "Advanced". Change the owner to you, disable inheritance and delete all permissions. Then grant yourself "Full control" and save the permissions.

How do I change key permissions?

To open the Registry Editor, click Start > Run > Type regedit.exe > Press Enter. In the left pane, right-click on the key that needs permission then click Permissions. Select the group or username where the permission needs to be applied. Select the Allow check box for the access levels of the group or username.