I've OpenSSH 7.6 installed in Windows 7 for testing purposes. SSH client & server work just fine till I tried to access one of my AWS EC2 box from this windows.

It seems like I need to change the permission on the private key file. This can be easily done on unix/linux with chmod command.

What about windows?

private-key.ppm is copied directly from AWS and I guess the permission too.

C:\>ssh -V
OpenSSH_7.6p1, LibreSSL 2.5.3


Microsoft Windows [Version 6.1.7601]


C:\>ssh ubuntu@ -i private-key.ppk
Permissions for 'private-key.ppk' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
Load key "private-key.ppk": bad permissions
ubuntu@ Permission denied (publickey).

C:\>ssh ubuntu@ -i private-key.ppm
Warning: Identity file private-key.ppm not accessible: No such file or directory.
ubuntu@ Permission denied (publickey).

Martin Prikryl
  • 21,071
  • 9
  • 77
  • 157
  • 5,083
  • 8
  • 15
  • 25

18 Answers18


You locate the file in Windows Explorer, right-click on it then select "Properties". Navigate to the "Security" tab and click "Advanced".

Change the owner to you, disable inheritance and delete all permissions. Then grant yourself "Full control" and save the permissions. Now SSH won't complain about file permission too open anymore.

It should end up looking like this:

enter image description here

  • 567
  • 1
  • 5
  • 13
  • 10,304
  • 7
  • 37
  • 70
  • 5
    I'd just like to add **1)** This method works on my Windows 10 (`10.0.17134.191`) box w/Cygwin ver `CYGWIN_NT-10.0-WOW 2.3.1(0.291/5/3) 2015-11-14 12:42` and ssh ver `OpenSSH_for_Windows_7.6p1, LibreSSL 2.6.4`, and **2)** Thanks! @iBug! – atreyu Jul 28 '18 at 15:10
  • IF the key file is on Thumb Drive / Flash disk, that Security tab is not available! – Dylan B Aug 14 '18 at 08:11
  • @DylanB Why'd you put credentials on a removable drive? (In fact, that tab is available only on NTFS filesystems - you can format your drive into NTFS easily). – iBug Aug 14 '18 at 09:53
  • 45
    Actually, I did that and it still complains that 0777 permissions are too open. – Aaron Bramson Sep 04 '18 at 08:25
  • 94
    Why is this so difficult on windows, can someone just add a --ignore-stupid-rule command option? – Liam Mitchell Dec 20 '18 at 20:57
  • How do you "change the owner to yourself", what do I type in? It doesn't accept my username or name or windows live email or anything. – stackers Feb 10 '19 at 21:17
  • 1
    Stupid, i don't have the permessions to do that..-_- – Kuronashi Nov 29 '19 at 12:15
  • Thanks a lot! This worked while everything on the internet had failed me until now. – Sergio Prats Feb 11 '20 at 23:26
  • 3
    I still get: `Permissions 0770 are too open` – Buntel May 13 '20 at 21:17
  • 1
    Doesn't work on Windows 10 – Toolkit Oct 16 '20 at 06:22
  • Works for me on Windows 10. When I typed in "Owner", it didn't work. When I typed in my e-mail address, it started working. – Draex_ Nov 07 '20 at 19:10
  • 1
    Wasn't working for me on windows, was the same error still after setting these permissions, both trying with windows GUI and with `chmod`, then I just did `sudo` and all was fine – Issung Jan 21 '21 at 22:27
  • worked for me in window 10 – nshathish Mar 17 '21 at 21:40
  • 1
    This did not work for me. After setting the permissions as described I get the exact same error, so I also tried `sudo chmod 400 id_rsa` and it still gives the same error. This is such a stupid check. At this point I am the only person who can access the file but ssh-keygen still refuses to work just because of how it retrieves the file permissions. – bikeman868 Aug 21 '21 at 00:57
  • I'm amazed to see this answer receive its first downvote after nearly 4 years. Nice try, downvoter. – iBug Jan 08 '22 at 09:36
  • 1
    Moving the .pem file to a OneDrive location worked perfectly for me - easy, and now I have a cloud backup :) It does do all of the above permissions changes. I'd add this as a new answer, as it seems so simple, but would rather comment and upvote yours so my little answer isn't lost in the shuffle. – J. Gwinner Mar 07 '22 at 22:10
  • It worked for me. I had to pay attention to selecting the correct username (I have many on my PC). As a side note, ticking "full control" is not needed, I managed to use my SSH key with just "read" access. – Sovattha Sok Mar 13 '22 at 22:06
  • 1
    Such a simple solution by @J.Gwinner works beautifully by moving file to OneDrive location. – prinkpan Apr 13 '22 at 16:51
  • Just disabling inheritance and deleting permissions for all but myself fixed it – endolith Jun 12 '22 at 17:13
  • `cp ~/.ssh/` works for me – Junaid Anwar Jan 16 '23 at 09:17
  • You had me at disable inheritance – serup May 02 '23 at 07:05
  • Worked for me. Thanks. – Devashish Prasad Jun 22 '23 at 14:09

Keys must only be accessible to the user they're intended for and no other account, service, or group.

  • GUI:
    [File] PropertiesSecurityAdvanced
    1. Owner: Change → Select a principal → Enter key's user → OK
    2. Permission Entries: Remove all except for the key's user
    3. Set key's user to Full Control if not already set
      1. Select user → Modify → Full Control → OK
      2. Add → Select a principal → Enter key's user → OK
    4. OK → OK

  • Cmd:
    ::# Set Key File Variable:
        Set Key="%UserProfile%\.ssh\id_rsa"
    ::# Remove Inheritance:
        Icacls %Key% /c /t /Inheritance:d
    ::# Set Ownership to Owner:
        :: # Key's within %UserProfile%:
             Icacls %Key% /c /t /Grant %UserName%:F
        :: # Key's outside of %UserProfile%:
             TakeOwn /F %Key%
             Icacls %Key% /c /t /Grant:r %UserName%:F
    ::# Remove All Users, except for Owner:
        Icacls %Key% /c /t /Remove:g "Authenticated Users" BUILTIN\Administrators BUILTIN Everyone System Users
    ::# Verify:
        Icacls %Key%
    ::# Remove Variable:
        set "Key="

  • PowerShell:
    # Set Key File Variable:
      New-Variable -Name Key -Value "$env:UserProfile\.ssh\id_rsa"
    # Remove Inheritance:
      Icacls $Key /c /t /Inheritance:d
    # Set Ownership to Owner:
      # Key's within $env:UserProfile:
        Icacls $Key /c /t /Grant ${env:UserName}:F
       # Key's outside of $env:UserProfile:
         TakeOwn /F $Key
         Icacls $Key /c /t /Grant:r ${env:UserName}:F
    # Remove All Users, except for Owner:
      Icacls $Key /c /t /Remove:g Administrator "Authenticated Users" BUILTIN\Administrators BUILTIN Everyone System Users
    # Verify:
      Icacls $Key
    # Remove Variable:
      Remove-Variable -Name Key
  • 7,052
  • 7
  • 27
  • 48
  • What if the owner is actually a group? In my case, I have a file owned by `network service` so Cygwin thinks the permission is 0770 instead of 0700. – hyspace Nov 12 '18 at 21:29
  • A file must be owned by a user and a group, not just a group. Group permissions are the 3rd octal [user is the 2nd] in a four octal specification and SSH keys cannot be group or others accessible – JW0914 Nov 13 '18 at 03:16
  • That is the case of Unix. In Windows, `network service` can own a file and it is a group – hyspace Nov 13 '18 at 18:40
  • Cygwin allows POSIX API functionality on Windows, but it still operates under the rules of the native UNIX based programs (hence 3 & 4 octal permissions in a UGO setup). While you can open an issue on Microsoft's Win32-OpenSSH's GitHub, since SSH keys must be group and others _inaccessible_, having ownership in the way you describe is likely not supported. It's better to conform to a program's norm than attempt to configure it in a [likely] non-supported way. – JW0914 Nov 16 '18 at 13:52
  • 17
    this should be correct answer. Thanks for CLI options. GUI always sucks in windows case. – shyammakwana.me Apr 30 '19 at 20:51
  • Thanks for the CLI example! In my case I had to add another thing in the remove action: "NT Authority\Authenticated Users". – botismarius Jun 14 '19 at 09:35
  • @botismarius Was the key in a folder other than the `%UserProfile%` or `.ssh` directory (`%UserProfile%\.ssh`)? IIRC `Authenticated Users` should not have default access to `%UserProfile%`; nonetheless, I have edited the answer to include `Authenticated Users` in the removal command. – JW0914 Jun 14 '19 at 11:11
  • @JW0914 indeed, my file was outside of %UserProfile% folder. – botismarius Jun 15 '19 at 13:26
  • Can you edit your answer and clarify if the CLI "path to key" should be the .ssh dir, the id_rsa, the .pub, or a .ppk? – Jonathan Aug 31 '20 at 01:51
  • @Jonathan I had assumed it was clear that should be the key file's path, however I do understand how the confusion can occur and have edited accordingly. – JW0914 Aug 31 '20 at 12:20
  • @JW0914 which one of those is the key file? The public key? Or the private key? Or the ppk pair? – Jonathan Sep 02 '20 at 01:47
  • @Jonathan The private key - the public portion is shared, the private portion should never be. – JW0914 Sep 02 '20 at 01:49
  • doesn't work on Windows 10 – Toolkit Oct 16 '20 at 06:24
  • @Toolkit it was verified yesterday to work and has worked for 2yrs - what step exactly are you having an issue with? If you're using the CLI method, is the SSH key outside of the correct directory it's supposed to be in [`%UserProfile%\.ssh`]? – JW0914 Oct 16 '20 at 08:44
  • the key is NOT supposed to be anywhere specific. Anyway I used https://superuser.com/a/1356410/365776 – Toolkit Oct 16 '20 at 12:21
  • @Toolkit The CLI portion of this answer is for the _default_ location of where SSH keys normally are, which is `~/.ssh` || `$env:UserProfile\.ssh` || `%UserProfile%\.ssh`, so if the key was outside of the default directory, then the CLI method as written will need modification _(covered in comments 7 - 9)_, GUI method works regardless. If you follow that answer, you may want to research why that method is _never_ recommended _(I explain at length in two comments under that answer)_ - it's your data you're risking compromising. **If it's worth doing, it's worth doing correctly the first time.** – JW0914 Oct 16 '20 at 12:31
  • Works fine: I just remove all inheritances and then grant full control to the associated user. – Rafs Jan 15 '21 at 12:38
  • Not working on Powershell. you should add "for cmd" – ー PupSoZeyDe ー Apr 21 '21 at 09:03
  • @pupsozeyde It does work on Powershell, that's why each command is prefaced with `cmd /c`, however it appears I forgot to preface the variable command, which I've fixed. Thanks for bringing that to my attention =] – JW0914 Apr 21 '21 at 12:24
  • 2
    On Windows10 I get `Invalid parameter "/grant"` I had to add :r **with a space** `Icacls $Key /c /t /grant :r $env:UserName:F` – Daniel Pinyol Aug 19 '21 at 09:08
  • @DanielPinyol Thanks for pointing that out =] The reason for the error you mention is I forgot to encompass the environment variable in curly brackets: `${env:UserName}:F`. Unless the key is outside of the User Profile, `:r` is unnecessary, as the default owner is the user within the User Profile, however that made me realize I didn't address ownership outside the User Profile and have added that, and the variable correction, to the answer. – JW0914 Aug 20 '21 at 12:48
  • The Powershell option worked like a charm for me. I tried first with the GUI and that didn't work. – geekly Sep 07 '22 at 14:03
  • Permissions granted to `NT Authority\System` and `BUILTIN\Administrators` can be left – unlikely Dec 04 '22 at 09:50
  • The GUI version worked for me, but your explanation is a bit vague on the details. The answer by Artur Mustafin was helpful in this regard. (https://superuser.com/a/1406582/1035276) – Michael Sohnen Dec 31 '22 at 00:14

In addition to the answer provided by ibug. Since i was using the ubuntu system inside windows to to run the ssh command. It still was not working. So i did

sudo ssh ...

and then it worked

Parv Sharma
  • 731
  • 5
  • 5
  • 5
    `sudo` should not be utilized to open an SSH session as it's a security risk. The only time _(at least that I'm aware of)_ root's account should be utilized to open an SSH session is on single-user systems _(i.e. normally found on router OS's [OpenWrt, DD-WRT, etc.] and other embedded systems)_. SSH keys **must** be accessible only to the user they're for and no other account, service, or group. – JW0914 May 27 '19 at 18:03
  • @JW0914 LOL I have a single-user Debian server and the sole (login) user is root. I don't think an extra non-root user is beneficial because it's my personal server and I login only when performing maintenance work. – iBug Oct 28 '19 at 05:12
  • @iBug Please re-read my comment, as it appears you entirely missed the second sentence... – JW0914 Oct 28 '19 at 12:02
  • 7
    Best answer. When using ubuntu shell on Windows, the advise about safety of the root access is totally irrelevant – Dmitry Torba Apr 05 '20 at 01:19
  • 3
    @DmitryTorba Please explain, as that makes zero sense and is factually inaccurate. – JW0914 Jun 27 '20 at 10:51
  • 5
    This worked for me. I did the above solutions and was still getting the 0077 warning but this fixed it. – Timaayy Sep 07 '20 at 22:07
  • 2
    @TimotheeLegros That's because you're running the SSH session as `root` **which is never recommended as it's a security risk** _(the only exception is on a single user OS, which Ubuntu is not)_. I explained this in the first comment and a simple Google search can provide real world examples of why this should never be done. You must copy the SSH keys from Windows to WSL if you want the files to have UGO permissionsz else they'll still have Windows ACLs. _**If it's worth doing, it's worth doing right the first time_** – JW0914 Oct 16 '20 at 08:57
  • Ya, I realized that not long after I posted my comment, should have updated that I fixed the issue without root - thanks – Timaayy Oct 16 '20 at 20:36
  • 1
    Best Answer for WSL – Christlin Panneer Feb 16 '21 at 15:34
  • you nailed it... – lalithkumar Jul 04 '23 at 17:48
  • what part of *WINDOWS* ssh you didn't comprehend ?!? there is no sudo in windows ... also, for the rest of the comments, Cygwin is better than WLS, but I wanna keep things simple, not to run 9438759432608729 other programs when windows has now ssh by default – THESorcerer Sep 01 '23 at 09:32
  • @THESorcerer - kindly read https://www.reddit.com/r/linux/comments/10x8mcw/is_there_any_advantage_to_wsl_over_cygwin/ basically cygwin and wsl are two different things – Parv Sharma Sep 03 '23 at 04:55

I had a similar issue but I was at work and don't have the ability to change file permissions on my work computer. What you need to do is install WSL then copy the your key to the hidden ssh directory in WSL:

cp <path to your key> ~/.ssh/<name of your key>

Now you should be able to modify the permissions normally.

sudo chmod 600 ~/.ssh/<your key's name>

Then ssh using WSL:

ssh -i ~/.ssh/<name of your key> <username>@<ip address>
  • 53,069
  • 19
  • 162
  • 212
  • 581
  • 4
  • 2
  • 2
    Best answer here. – Raiden Core Aug 31 '20 at 14:42
  • +1 - this appears to be the working solution for Windows Terminal / WSL1+2 users. I also did a `chown` for good measure and used `sudo ssh` and I was able to connect. – alex Sep 17 '20 at 14:37
  • At least in Linux and Mac the ssh final part is not necessary, chmod 600 on the ppk file and then sftp connection works. see https://stackabuse.com/how-to-fix-warning-unprotected-private-key-file-on-mac-and-linux/ – Dr Potato Mar 24 '21 at 15:07
  • THANK YOU, this was making me absolutely miserable, you've restored my faith in humanity and made me a better dev – Ben Saunders Apr 20 '21 at 20:34
  • 2
    Git-Bash would also do the job straight out-of-the-box. – Param Siddharth Sep 01 '21 at 05:03

You just need to do at least four things:

  1. Disable inheritance

enter image description here

  1. Convert inherited permissions to explicit permissions

enter image description here

  1. Remove Users group

enter image description here

  1. You will end up with no Users can access private files, this should be enough to add id_rsa.

enter image description here

Matthew Lock
  • 4,671
  • 2
  • 35
  • 44
Alan Turing
  • 454
  • 4
  • 5

use below command on your key it works on windows

icacls .\private.key /inheritance:r
icacls .\private.key /grant:r "%username%":"(R)"
Walter Ferrao
  • 265
  • 2
  • 2
  • 4
    NB: These commands must be issued within a command window (CMD.EXE). The second command line would not work for me in a PowerShell command window; it would produce an error message saying 'Invalid parameter "%username%"', even though the environment variable USERNAME is defined an has the correct value. Also, after I invoked these two icacls commands on my RSA private key file, I continue to get the "bad permissions" error message when I invoke ssh in a PowerShell window. – Jim Fischer Aug 27 '20 at 20:18
  • 1
    doesn't worth either, still gives "Permissions for '' are too open." – Matthew Lock Aug 15 '21 at 07:03
  • 1
    a Non-administrator cmd.exe prompt – Jeremy Hajek Aug 20 '21 at 02:09
  • 1
    results in: -r--r--r-- 1 xxx xxx xxx xxxxxxxx id_rsa but we want -rwx------ – rundekugel Jan 24 '22 at 09:37

You can use icacls in Windows instead of chmod to adjust file permission. To give the current user read permission and remove everything else:

Icacls <file name> /Inheritance:r
Icacls <file name> /Grant:r "%Username%":"(R)"
  • 7,052
  • 7
  • 27
  • 48
  • 167
  • 1
  • 4

This seems to be related to the version of OpenSSH you're running:

  • where ssh returns:
    ssh -V returns:
    # %WinDir%\System32\OpenSSH\ssh.exe
      OpenSSH_7.5p1, without OpenSSL
    # %ProgramFiles%\Git\usr\bin\ssh.exe
      OpenSSH_7.3p1, OpenSSL 1.0.2k  26 Jan 2017

When running ..\Git\usr\bin\ssh.exe, it works fine and doesn't complain about the permissions, but running ..\OpenSSH\ssh.exe comes back with the following, even though key ACLs are Full Access for myself and nothing else:

load key "t:\mykeys\rich-private.ppk": invalid format
  banana@ Permission denied (publickey).
  • 7,052
  • 7
  • 27
  • 48
Rich S
  • 343
  • 2
  • 7
  • OpenSSH should not be installed to the Windows directory for whole host of reasons, from security, to it being a massive inconvenience should one need to fix a corrupted Windows directory either via `DISM` or using the Reset option _(which has been improved to utilize the WinSxS directory versus reverting to the original `install.esd`)_. – JW0914 Jul 09 '18 at 19:40
  • This is what helped me, I never got the windows ssh version to work in this scenario, only Git's :( – guychouk Mar 07 '19 at 00:27
  • This was also the fix for me. It seems Windows 10 Pro now bundles a pooched version of openssh. I was forced to remove the C:\Windows\System32\OpenSSH folder and add git's ssh.exe to PATH. – Shukri Adams May 23 '19 at 16:45
  • This "fixed" it for me, using C:\Program Files\Git\usr\bin\ssh.exe works as C:\Windows\System32\OpenSSH\ssh.exe does not – smartins Nov 12 '19 at 09:12
  • 2
    The error message is due to using an invalid key format [a PuTTY key], as OpenSSH doesn't support PuTTY keys _(they must be converted first via PuTTYgen → Conversions)_ – JW0914 Jun 29 '20 at 12:57
  • Aweseome thank you! – m.w. May 24 '22 at 12:26

Here's the way to do it using Microsoft's tooling, avoiding the problem from the get-go. But it should also fix the issue, meaning you can follow these instructions with existing keys.

Start PowerShell/Terminal as Administrator and run the following:

Install-Module -Force OpenSSHUtils -Scope AllUsers

# Make sure the service isn't disabled
Get-Service -Name ssh-agent | Set-Service -StartupType Manual

# We need this service as ssh-add depends on it
Start-Service ssh-agent

cat ~\.ssh\example-key.ecdsa | ssh-add -k -
Louis Waweru
  • 23,945
  • 39
  • 132
  • 198
  • 1
    Holy moly, this actually worked for me, after MUCH frustration (even though I encountered errors with the `Install-Module` step). I am eternally grateful. – Gershy Dec 02 '21 at 20:38
  • 1
    @Gershy thanks for letting me know! I thought it’s a nice progression for the platform and was sorry to see it stuck at 0 people finding it useful. One is enough for me :) – Louis Waweru Dec 16 '21 at 07:48
  • Can't even find the `-k` switch in the `ssh-add` man page... **edit**: Found it in the Arch-version: https://man.archlinux.org/man/ssh-add.1.en – toraritte Jan 08 '23 at 20:46
  • OpenSSHUtils has been deprecated :( – Francisco Tena Feb 12 '23 at 19:08

This is just a scripted version of @JW0914's CLI answer, so upvote him first and foremost:

# DO the following in powerhsell if not already done:
# Set-ExecutionPolicy RemoteSigned

# NOTE: edit the path in this command if needed
$sshFiles=Get-ChildItem -Path "$env:userprofile\.ssh" -Force

$sshFiles | % {
  $key = $_
  & icacls $key /c /t /inheritance:d
  & icacls $key /c /t /grant  "${echo $env:username}":F
  & icacls $key /c /t /remove Administrator "Authenticated Users" BUILTIN\Administrators BUILTIN Everyone System Users

# Verify:
$sshFiles | % {
  icacls $_
  • 7,052
  • 7
  • 27
  • 48
  • 316
  • 3
  • 9

A single line in CMD might do the trick; as described here, adding the key from stdin instead of changing the permissions:

cat /path/to/permission_file | ssh-add -k 

To check key has been added:

ssh-add -l
  • 7,052
  • 7
  • 27
  • 48
  • 121
  • 2
  1. Copy the public and private keys to %userprofile%\.ssh
  2. Use the batch script below after finding your keys from the cmd prompt with where *.pub:
    Md %Userprofile%\.ssh
      Copy PublicKey %Userprofile%\.ssh
      Copy PrivateKey %Userprofile%\.ssh
    Cd %Userprofile%\.ssh
      Icacls .\PublicKey  /Inheritance:r
      Icacls .\PrivateKey /Inheritance:r
      Icacls .\PublicKey  /Grant:r "%Username%":"(F)"
      Icacls .\PrivateKey /Grant:r "%Username%":"(F)"
  3. Right-click each file → Properties → Security:
    Remove everyone except the user, setting the permissions for the user to Read
  • 7,052
  • 7
  • 27
  • 48
  • 2
    Isn't the point of the script to avoid the last step? I don't understand – Ramhound Apr 18 '20 at 02:22
  • To piggyback on @Ramhound's comment, how does this answer differ from at least four other answers showing the exact same thing via the GUI, CLI, and screenshots? – JW0914 Jul 02 '20 at 11:55

I couldn't get any of these answers working for me due to permission issues, so I'll share my solution:

  1. Go to %UserProfile%\.ssh
  2. Copy and paste id_rsa, rename it to something else [example]
  3. Open the renamed file [example] and replace the key with your own private key
  4. cd to that directory
  5. Enter your passphrase after issuing: ssh -i example example@
  • 7,052
  • 7
  • 27
  • 48
  • 111
  • 3
  • Please elaborate on _"I couldn't get any of these answers working for me due to permission issues..."_, as there's at least four previous answers that permanently resolve permissions issues. – JW0914 Jul 02 '20 at 11:39
  • @JW0914 Unfortunately I cannot recall the cause of my problem a month ago, much less 5 months ago. – isopach Jul 02 '20 at 12:05
  • At least four other answers provide the exact same, or more, information that is in this answer, and it's simply not possible for any permissions issues to occur if any of those four answers were followed. – JW0914 Jul 02 '20 at 12:16
  • @JW0914 You've already downvoted my answer man, what more do you want? – isopach Jul 02 '20 at 12:18
  • The downvote wasn't intentional and was removed after a short delay due to losing my WiFi connection _(it was intended for the [answer](https://superuser.com/a/1505117/529800) that was above yours)_, – JW0914 Jul 02 '20 at 12:20
  • 1
    The other options here did not work for me either (tried both through the GUI and multiple `icacls` methods). Comparing a working id_rsa file to one that it complained about (claimed 770 permissions), the permissions as shown in Windows were *identical*. A simple copy and paste in Explorer seemed to reset the permissions so did not work, but by using `ROBOCOPY /COPYSEC` (from an elevated command prompt) I was able to make a copy of a working key file, edit it to insert my new private key, and then this error went away. – Jimbly Sep 10 '20 at 22:33
  • 1
    This solved my problem – 時雨初 Mar 23 '22 at 07:54
  1. Download and unzip OpenSSH-Win64.zip (or Win32, depending on your system)
  2. Execute FixUserFilePermissions.ps1 in PowerShell with administrator privilege
  • 7,052
  • 7
  • 27
  • 48
  • 1
    The `FixUserFilePermissions.ps1` script doesn't fix all permissions issues; for example, it will not fix permissions issues for an admin account that wouldn't be using `%UserProfile%\.ssh` _(IIRC, an issue was opened for this - as of this writing, this has not been addressed in `FixUserFilePermissions.ps1`)_. The only way to guarantee correct file permissions is to use `icacls` _(as of this writing)_. – JW0914 Jul 02 '20 at 12:05

Use Mingw-w64.

Infos: http://mingw-w64.org/doku.php

Download with Git for Windows, or directly.

Available here: https://github.com/mirror/mingw-w64

git clone https://github.com/mirror/mingw-w64

It also has other useful Linux commands like tar and gzip.

  • 760
  • 5
  • 11
  • How exactly does this even apply to the question being asked? – JW0914 Jul 02 '20 at 11:57
  • @JW0914 It works around the issue. SSH with Mingw-w64 doesn't look at the key permissions and will allow you to connect with a machine readable key file. – Dallas Clarke Jul 03 '20 at 00:53
  • _What you're suggesting is simply **insecure** and would **never** be recommended_. SSH keys should only be accessible by the user they belong too and no other user, group, or service... doing so negates the purpose of an SSH key. Please google the error message in the question or refer directly to OpenSSH's [man pages](https://www.openssh.com/manual.html). – JW0914 Jul 03 '20 at 11:20

Answer by iBug works fine! You can follow that and get rid of this issue.

But there are few things which are needed to be cleared as I faced issues during setting up permissions and it took few minutes for me to figure out the problem!

Following iBug's answer, you'll remove all the permissions but how do you set Full Control permission to yourself? that's where I got stuck at first as I didn't knew how to do that.

After Disabling Inheritance, you'll be able to delete all allowed users or groups.

Once Done with that,

Click on Add then click on Set a Principal then enter System and Administrators and your email addredd in the field at bottom then click on check names.

It'll load the name if user exists. Then, Click on OK > Type Allow > Basic Permisisons Full Control > Okay

This will setup Full Control permission to SYSTEM, Administrators and Your User.

After that try to ssh using that key. It should be solved now.

I had same issue and I solved that using this method. If there's any user or group with that name then it'll load that.


Permission Entries Select a Principal/ Select User or Groups

  • 101
  • 1
  • How does this answer differ from at least four other answers showing the exact same thing via the GUI, CLI, and screenshots? – JW0914 Jul 02 '20 at 12:14
  • The answer I followed was causing issues which I clarified properly here(probably)! I wrote this 1.5 years ago! (Luckily I moved to Linux just a month after that) Exact same thing can be done in many ways obviously but that doesn't mean one shouldn't mention the other way round. – lazycipher Jul 05 '20 at 19:08

I'm a Window user, using the Windows's bash and followed all the steps to set permission using Windows GUI, and it still doesn't work and it complains:

Permissions 0555 for 'my_ssh.pem' are too open.
It is required that your private key files are NOT accessible by others.

The I added sudo at the front of the ssh command and it just works. Hope this is helpful to others.

  • But do you login to the server as yourself or as root? – G-Man Says 'Reinstate Monica' Nov 26 '19 at 06:56
  • I run the Window bash terminal as myself, but I did 'Run as adminstrator' when I launch the Bash. – Alex Ramses Nov 26 '19 at 08:13
  • `sudo` should not be used for an SSH session _(please use a search engine to understand why - it's a security risk)_ and you're receiving the error because the permissions [`0555`] are incorrect. On BSD/Linux, the UGO privs _must_ be `600` or `400`. If you're trying to copy your key from Windows to WSL, this is _not_ possible due to how the ACLs are set and maintained between Windows and WSL; instead, copy/paste the key's contents into a new file on WSL. – JW0914 Jul 02 '20 at 12:12

I had the same problem on Windows 10, and it arouse when I created a second user account on my machine.

Since that new user was also an administrator and It had access to my user folder, I did these steps to limit the access on my .ssh folder and it worked!

  1. Navigate to your user folder at C:\Users\YOU
  2. Right click on .ssh/ folder to open context menu
  3. Under Give access to... sub-menu, select Remove access
  4. Done!

Now try to log back in to your remote computer using ssh!

Hope it helps someone!

  • 3
    How does this differ from the other answers which indicates the key permissions must be modified to only include the one user that intends to use. – Ramhound May 15 '20 at 23:21
  • it seemed a little more straight forward, so I thought I share it. – khalifmahdi May 16 '20 at 00:14
  • @khalifmahdi How exactly is this more straightforward? Two answers provide screenshots, whereas at least two others provide copy/paste commands for a terminal – JW0914 Jul 02 '20 at 12:13