42

I am attempting to do a simple connection to an SSH server using OpenSSH for Windows with a private key, and am met with this:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions for 'private' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
Load key "private": bad permissions

On Linux, this is fixed with a simple chmod 600 on the private key file; however, Windows does not have an equivalent method.

This sounds like something that should be pretty easy, but I am completely unable to find any reasonable solution to it. Is there a way to either add the private key directly without going through a file, or to skip this privacy check? Or am I missing something else entirely?

Excludos
    Stackoverflow is for help with software development. You should consider asking this on [su] instead of here. – Kenster Feb 20 '18 at 15:53
  • 'On Linux, this is fixed with a simple chmod 600 on the private key file' this was exactly what I was searching for ;) – cwhisperer May 23 '22 at 07:33

9 Answers

63

You can use icacls in Windows instead of chmod to adjust file permissions. To give the current user read permission and remove everything else (which will allow OpenSSH to work), this works nicely:

Command Prompt:

icacls .\private.key /inheritance:r
icacls .\private.key /grant:r "%username%":"(R)"

In PowerShell, you can get icacls to work by wrapping the command in a call to cmd.exe.

icacls .\private.key /inheritance:r
start-process "icacls.exe" -ArgumentList ".\private.key /grant:r ""$env:USERNAME"":""(R)"""
Aamnah
Excludos
  • Also, username may need a domain prefix (e.g. if using cloud identities) – Julian Knight May 19 '18 at 19:49
  • No, that is for cmd only. For powershell I would imagine it's something along the lines of $env:UserName instead of %username% (The " are still important as usernames might have spaces in them) – Excludos May 21 '18 at 15:39
  • 2
    Yes, sorry, I should have put that in. `$env:USERNAME` is correct (though case doesn't actually matter). Still, the command won't work though since PowerShell doesn't like the cmd.exe style arguments, you would have to wrap the whole thing in a call to cmd.exe. I mention all this since PowerShell is now the default command shell for W10. – Julian Knight May 21 '18 at 16:45
  • 2
    icacls seems a bit broken on powershell indeed. After a while of trial, error, and googling, it seems that wrapping it in a call to cmd.exe is the correct way to do it. start-process 'icacls.exe' -ArgumentList '.\test /grant:r "$env:username":"(R)"' Should work – Excludos May 22 '18 at 07:33
  • 9
    Doesn't work for me, file is 0444 after running the above, so it's still world readable. – Philippe Chaintreuil Aug 13 '18 at 11:55
  • I dunno what to tell you. I just checked it and it still works as expected. Are you running the commands as the correct user? (aka: Not administrator)? – Excludos Jul 23 '19 at 13:24
  • 1
    @PhilippeChaintreuil I think it was caused by you having more users on your local machine. Windows by default gave them privileges to the file. You have to iterate over all users and remove their rights. – Piotr Zych Jan 07 '20 at 19:56
  • 1
    @PiotrZych , that was exact issue. Thank you! Wonder why these things are not documented anywhere. The projects are executed in agile mode and these issues delay the sprint items and make us look incompetent :( – rmehra76 Sep 17 '21 at 01:19
  • 1
    I love you, you saved my life – RickJo Oct 26 '21 at 05:56
  • 1
    While running in Windows Terminal, I had to modify it a little bit as follows:- ```start-process "icacls.exe" -ArgumentList ".\key.pem /grant:r ""$env:USERNAME"":""(R)"""``` – Nikhil Agarwal Jan 11 '22 at 01:49
  • @NikhilAgarwal Yes, the filename will need to be renamed to match the name and type of the actual file you're using. private.key was simply the default filename for it 4 years ago :) You don't need to run start-process in terminal, but if you do, then you are again correct in having to use " instead of ', and having to encapsulate the entire sentence in an additional ", as terminal handles spaces very poorly – Excludos Jan 12 '22 at 10:00
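A complete version of the approach in this answer, written here as an added PowerShell script (it is not code from the answer above or from the OpenSSH project). The script name Protect-SshKey.ps1 and the Test-KeyAcl helper are assumptions; it also assumes a local or domain account whose name Get-Acl reports in DOMAIN\user form, run from the key owner's own session. Beyond the two icacls lines above, it removes explicit entries for any other account (the case raised in the comments, which /grant:r alone does not handle, since :r only replaces the named user's own entry) and then verifies the resulting ACL.

```powershell
# Protect-SshKey.ps1 (hypothetical name; added example, not from the answer above)
# Usage: .\Protect-SshKey.ps1 -KeyPath .\private.key
# Leaves the key readable only by the current user, then verifies the result.
param(
    [Parameter(Mandatory = $true)]
    [string]$KeyPath
)

$resolved = (Resolve-Path -LiteralPath $KeyPath).Path

# Account name in the DOMAIN\user form that both icacls and Get-Acl use.
# Assumption: a local or domain account; other login types may resolve differently.
$me = "$env:USERDOMAIN\$env:USERNAME"

# Step 1: stop inheriting from the parent folder and drop the inherited entries
# (the first icacls line in the answer).
icacls.exe $resolved /inheritance:r | Out-Null

# Step 2: replace any explicit entry for the current user with read-only access
# (the second icacls line in the answer). ${} keeps ':' out of the variable name.
icacls.exe $resolved /grant:r "$($me):(R)" | Out-Null

# Step 3: remove every remaining explicit entry that is not the current user.
# /grant:r only replaces the named user's entry, so accounts that were granted
# access explicitly (the case reported in the comments) survive steps 1 and 2.
$acl = Get-Acl -LiteralPath $resolved
$identities = $acl.Access | ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique
foreach ($id in $identities) {
    if ($id -ne $me) {
        icacls.exe $resolved /remove $id | Out-Null
    }
}

# Step 4: verify. True only when inheritance is off and the sole remaining
# access entry belongs to the given account.
function Test-KeyAcl {
    param([string]$Path, [string]$Account)
    $acl = Get-Acl -LiteralPath $Path
    $others = @($acl.Access | Where-Object { $_.IdentityReference.Value -ne $Account })
    return ($acl.AreAccessRulesProtected -and $others.Count -eq 0)
}

$acl = Get-Acl -LiteralPath $resolved
# The owner is printed as well: other answers on this page report that a key
# created by a different user still needs its owner changed (Properties > Security > Advanced).
Write-Host "Owner: $($acl.Owner)"
$acl.Access | Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize
if (Test-KeyAcl -Path $resolved -Account $me) {
    Write-Host "OK: only $me has access to $resolved"
} else {
    Write-Warning "Other accounts still have access to $resolved; ssh will keep refusing the key"
}
```

Run it from the same directory as the key, or pass a full path; it prints the final access list so you can compare it with what ssh expects before trying the connection again.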
19

FYI: Rename the "test.pem" to your original pem file name.

  1. Setting path variable

    $path = ".\test.pem"

  2. Reset to remove explicit permissions

    icacls.exe $path /reset

  3. Give current user explicit read-permission

    icacls.exe $path /GRANT:R "$($env:USERNAME):(R)"

  4. Disable inheritance and remove inherited permissions

    icacls.exe $path /inheritance:r

Note:

  • You can replace the file name as per your file name. In this case it is test.pem.
  • You must be in the same directory where your file is located.
  • You must open PowerShell as administrator.
ouflak
Himanshu Jain
5

For Windows 10, store the key file under your user profile, e.g. C:\Users\MANNEM.ssh

Make sure the permissions of the private key file are as shown in the image.

mannem srinivas
4

I did it on Windows 10 and it fixed the issue, as you can see in the image as well.

You should change the owner of the file (which contains the private key) to your username with full access, and then remove the other usernames that have access to that file.

  1. Right-click on the file which contains the private key, click on Properties, then Security tab > Advanced. By clicking on the Change button you can change the owner to your username. (If you don't know the name of your username, run "echo %USERNAME%" in the command prompt.) Change > Advanced... > Find Now

  2. Remove all permission entries except the one you just added.

Click on Disable inheritance > Convert inherited permissions..., then remove all permission entries except the one you just added.

pedram
3

You locate the file in Windows Explorer, right-click on it then select "Properties". Navigate to the "Security" tab and click "Advanced".

Change the owner to you, disable inheritance and delete all permissions. Then grant yourself "Full control" and save the permissions. Now SSH won't complain about file permission too open anymore.

Shraddha J
2

If you are still looking for the solution to the SSH problem:

  1. Go to your private key and add the root user (make sure you are adding the owner of the computer) of your computer and provide full rights.
  2. Remove the other users.

If you are not able to remove the users:

  1. Go to the Security tab in the Properties dialog and click on Advanced.
  2. On the next screen there will be a Disable Inheritance button; click on that.
  3. It will open a popup; select the first option (Convert inherited permissions...) and then try removing again.

In my case, I was trying to connect with an ec2.prem file, which is a private key to AWS, and after following the above steps I was able to resolve it.

Tomerikoo
sobby01
2

I had the same error on Windows, but after moving the private key file to "C:\Users\Administrator.ssh" it works fine.

MedMahmoud
2

Save the following script and run it for the keys you need to reset the permissions for.

This is based on the commands given in the answer above.

# ResetKeyPermissions.ps1 <keyfile>
# Resets Windows permissions for a private key file, so that ssh-add doesn't complain about permissions being too open

$path = $args[0]
#icacls.exe $path /reset #not required as :R replaces permissions
# replace all permissions, give full control to the currently logged-in user
icacls.exe $path /GRANT:R "$($env:USERNAME):(F)"
# Remove all inheritance
icacls.exe $path /inheritance:r
Vijay
0

I tried changing the permissions but that didn't work. What worked for me was changing the ownership to the current user, as the key was created by another Admin user.