Windows SSH: Permissions for 'private-key' are too open

Question

I've OpenSSH 7.6 installed in Windows 7 for testing purposes. SSH client & server work just fine till I tried to access one of my AWS EC2 box from this windows.

It seems like I need to change the permission on the private key file. This can be easily done on unix/linux with chmod command.

What about windows?

private-key.ppm is copied directly from AWS and I guess the permission too.

C:\>ssh -V
OpenSSH_7.6p1, LibreSSL 2.5.3

C:\>ver

Microsoft Windows [Version 6.1.7601]

C:\>


C:\>ssh ubuntu@192.168.0.1 -i private-key.ppk
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions for 'private-key.ppk' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
Load key "private-key.ppk": bad permissions
ubuntu@192.168.0.1: Permission denied (publickey).

C:\>
C:\>
C:\>ssh ubuntu@192.168.0.1 -i private-key.ppm
Warning: Identity file private-key.ppm not accessible: No such file or directory.
ubuntu@192.168.0.1: Permission denied (publickey).

C:\>

Answer 1

You locate the file in Windows Explorer, right-click on it then select "Properties". Navigate to the "Security" tab and click "Advanced".

Change the owner to you, disable inheritance and delete all permissions. Then grant yourself "Full control" and save the permissions. Now SSH won't complain about file permission too open anymore.

It should end up looking like this:

Answer 2

Keys must only be accessible to the user they're intended for and no other account, service, or group.

• GUI:
  [File] Properties → Security → Advanced
  1. Owner: Change → Select a principal → Enter key's user → OK
  2. Permission Entries: Remove all except for the key's user
  3. Set key's user to Full Control if not already set
     1. Select user → Modify → Full Control → OK
        OR
     2. Add → Select a principal → Enter key's user → OK
  4. OK → OK
     
     
• Cmd:

  ::# Set Key File Variable:
      Set Key="%UserProfile%\.ssh\id_rsa"
  
  ::# Remove Inheritance:
      Icacls %Key% /c /t /Inheritance:d
  
  ::# Set Ownership to Owner:
      :: # Key's within %UserProfile%:
           Icacls %Key% /c /t /Grant %UserName%:F
  
      :: # Key's outside of %UserProfile%:
           TakeOwn /F %Key%
           Icacls %Key% /c /t /Grant:r %UserName%:F
  
  ::# Remove All Users, except for Owner:
      Icacls %Key% /c /t /Remove:g "Authenticated Users" BUILTIN\Administrators BUILTIN Everyone System Users
  
  ::# Verify:
      Icacls %Key%
  
  ::# Remove Variable:
      set "Key="
  

  
  
• PowerShell:

  # Set Key File Variable:
    New-Variable -Name Key -Value "$env:UserProfile\.ssh\id_rsa"
  
  # Remove Inheritance:
    Icacls $Key /c /t /Inheritance:d
  
  # Set Ownership to Owner:
    # Key's within $env:UserProfile:
      Icacls $Key /c /t /Grant ${env:UserName}:F
  
     # Key's outside of $env:UserProfile:
       TakeOwn /F $Key
       Icacls $Key /c /t /Grant:r ${env:UserName}:F
  
  # Remove All Users, except for Owner:
    Icacls $Key /c /t /Remove:g Administrator "Authenticated Users" BUILTIN\Administrators BUILTIN Everyone System Users
  
  # Verify:
    Icacls $Key
  
  # Remove Variable:
    Remove-Variable -Name Key
  

Answer 3

In addition to the answer provided by ibug. Since i was using the ubuntu system inside windows to to run the ssh command. It still was not working. So i did

sudo ssh ...

and then it worked

Answer 4

I had a similar issue but I was at work and don't have the ability to change file permissions on my work computer. What you need to do is install WSL then copy the your key to the hidden ssh directory in WSL:

cp <path to your key> ~/.ssh/<name of your key>

Now you should be able to modify the permissions normally.

sudo chmod 600 ~/.ssh/<your key's name>

Then ssh using WSL:

ssh -i ~/.ssh/<name of your key> <username>@<ip address>

Answer 5

You just need to do at least four things:

1. Disable inheritance

2. Convert inherited permissions to explicit permissions

3. Remove Users group

4. You will end up with no Users can access private files, this should be enough to add id_rsa.

Answer 6

use below command on your key it works on windows

icacls .\private.key /inheritance:r
icacls .\private.key /grant:r "%username%":"(R)"

Answer 7

You can use icacls in Windows instead of chmod to adjust file permission. To give the current user read permission and remove everything else:

Icacls <file name> /Inheritance:r
Icacls <file name> /Grant:r "%Username%":"(R)"

Answer 8

This seems to be related to the version of OpenSSH you're running:

• where ssh returns:

  %WinDir%\System32\OpenSSH\ssh.exe
  %ProgramFiles%\Git\usr\bin\ssh.exe
  

  ssh -V returns:

  # %WinDir%\System32\OpenSSH\ssh.exe
    OpenSSH_7.5p1, without OpenSSL
  
  # %ProgramFiles%\Git\usr\bin\ssh.exe
    OpenSSH_7.3p1, OpenSSL 1.0.2k  26 Jan 2017
  

When running ..\Git\usr\bin\ssh.exe, it works fine and doesn't complain about the permissions, but running ..\OpenSSH\ssh.exe comes back with the following, even though key ACLs are Full Access for myself and nothing else:

load key "t:\mykeys\rich-private.ppk": invalid format
  banana@127.0.0.127: Permission denied (publickey).

Answer 9

Here's the way to do it using Microsoft's tooling, avoiding the problem from the get-go. But it should also fix the issue, meaning you can follow these instructions with existing keys.

Start PowerShell/Terminal as Administrator and run the following:

Install-Module -Force OpenSSHUtils -Scope AllUsers

# Make sure the service isn't disabled
Get-Service -Name ssh-agent | Set-Service -StartupType Manual

# We need this service as ssh-add depends on it
Start-Service ssh-agent

cat ~\.ssh\example-key.ecdsa | ssh-add -k -

Answer 10

This is just a scripted version of @JW0914's CLI answer, so upvote him first and foremost:

# DO the following in powerhsell if not already done:
# Set-ExecutionPolicy RemoteSigned


# NOTE: edit the path in this command if needed
$sshFiles=Get-ChildItem -Path "$env:userprofile\.ssh" -Force

$sshFiles | % {
  $key = $_
  & icacls $key /c /t /inheritance:d
  & icacls $key /c /t /grant  "${echo $env:username}":F
  & icacls $key /c /t /remove Administrator "Authenticated Users" BUILTIN\Administrators BUILTIN Everyone System Users
}

# Verify:
$sshFiles | % {
  icacls $_
}

Answer 11

A single line in CMD might do the trick; as described here, adding the key from stdin instead of changing the permissions:

cat /path/to/permission_file | ssh-add -k 

To check key has been added:

ssh-add -l

Answer 12

1. Copy the public and private keys to %userprofile%\.ssh
2. Use the batch script below after finding your keys from the cmd prompt with where *.pub:

   Md %Userprofile%\.ssh
     Copy PublicKey %Userprofile%\.ssh
     Copy PrivateKey %Userprofile%\.ssh
   
   Cd %Userprofile%\.ssh
     Icacls .\PublicKey  /Inheritance:r
     Icacls .\PrivateKey /Inheritance:r
     Icacls .\PublicKey  /Grant:r "%Username%":"(F)"
     Icacls .\PrivateKey /Grant:r "%Username%":"(F)"
   

3. Right-click each file → Properties → Security:
   Remove everyone except the user, setting the permissions for the user to Read

Answer 13

I couldn't get any of these answers working for me due to permission issues, so I'll share my solution:

1. Go to %UserProfile%\.ssh
2. Copy and paste id_rsa, rename it to something else [example]
3. Open the renamed file [example] and replace the key with your own private key
4. cd to that directory
5. Enter your passphrase after issuing: ssh -i example example@127.0.0.1

Answer 14

1. Download and unzip OpenSSH-Win64.zip (or Win32, depending on your system)
2. Execute FixUserFilePermissions.ps1 in PowerShell with administrator privilege

Answer 15

Use Mingw-w64.

Infos: http://mingw-w64.org/doku.php

Download with Git for Windows, or directly.

Available here: https://github.com/mirror/mingw-w64

git clone https://github.com/mirror/mingw-w64

It also has other useful Linux commands like tar and gzip.

Answer 16

Answer by iBug works fine! You can follow that and get rid of this issue.

But there are few things which are needed to be cleared as I faced issues during setting up permissions and it took few minutes for me to figure out the problem!

Following iBug's answer, you'll remove all the permissions but how do you set Full Control permission to yourself? that's where I got stuck at first as I didn't knew how to do that.

After Disabling Inheritance, you'll be able to delete all allowed users or groups.

Once Done with that,

Click on Add then click on Set a Principal then enter System and Administrators and your email addredd in the field at bottom then click on check names.

It'll load the name if user exists. Then, Click on OK > Type Allow > Basic Permisisons Full Control > Okay

This will setup Full Control permission to SYSTEM, Administrators and Your User.

After that try to ssh using that key. It should be solved now.

I had same issue and I solved that using this method. If there's any user or group with that name then it'll load that.

-Screenshots-

Permission Entries Select a Principal/ Select User or Groups

Answer 17

I'm a Window user, using the Windows's bash and followed all the steps to set permission using Windows GUI, and it still doesn't work and it complains:

Permissions 0555 for 'my_ssh.pem' are too open.
It is required that your private key files are NOT accessible by others.

The I added sudo at the front of the ssh command and it just works. Hope this is helpful to others.

Answer 18

I had the same problem on Windows 10, and it arouse when I created a second user account on my machine.

Since that new user was also an administrator and It had access to my user folder, I did these steps to limit the access on my .ssh folder and it worked!

1. Navigate to your user folder at C:\Users\YOU
2. Right click on .ssh/ folder to open context menu
3. Under Give access to... sub-menu, select Remove access
4. Done!

Now try to log back in to your remote computer using ssh!

Hope it helps someone!