
Trying to SSH into our AWS instance, I get "bad permissions" every time. The AWS documentation gives a simple solution, which is to change the pem file permissions using chmod. But my local machine is Windows, and in the Windows world, there is no chmod to change file permissions.

So the internet is full of posts saying how to do chmod in a Windows way. I have tried all of these, but none satisfies AWS.

So the question is: exactly what .pem file permissions does AWS require, and how do I achieve that in Windows? It's the equivalent of 0400 permissions.

I have tried the obvious ones in a Windows style (simply right-clicking the file and using the Security settings):

  • Disable inheritance
  • Remove permissions from SYSTEM, ADMINISTRATOR, AUTHENTICATED USERS and everyone else who is not the current user (me).
  • Grant full control permissions to the current user (me)

Here are some errors from AWS when trying various permission settings:

File permissions seem to be correct

And still the permissions are rejected. What's going on?

rikuwolf

Comments:

  • AWS is not rejecting your SSH attempt. It's OpenSSH doing it. Related: https://superuser.com/questions/1296024/windows-ssh-permissions-for-private-key-are-too-open – jarmod Oct 15 '18 at 18:25
  • Thanks jarmod for helping to narrow down the problem. It was good to see the screenshot in the superuser.com question, BUT, I already had all the file permission settings recommended there. I have added a screenshot of my file settings. I am the owner of the file. It all looks good to me, but AWS (or OpenSSH?) says no. – rikuwolf Oct 16 '18 at 19:54
  • I have no problems here using the default Windows 10 OpenSSH client to connect to Amazon Linux instances. There's nothing special about my PEM file. In fact, interestingly, the file is accessible with full control to both SYSTEM and the Administrators groups as well as me. Does running ssh -v (verbose mode) provide any more clues? – jarmod Oct 16 '18 at 23:04

2 Answers

Here is the script to give 400 permissions to a pem file on Windows.

This is similar to `$ chmod 400 your_key_name.pem`

```powershell
# Note: "$($env:username)" is PowerShell syntax, so these lines expand the
# user name correctly only when run from a PowerShell prompt.
icacls.exe your_key_name.pem /reset                         # discard the current ACL
icacls.exe your_key_name.pem /grant:r "$($env:username):(r)" # replace it with Read for the current user only
icacls.exe your_key_name.pem /inheritance:r                 # stop inheriting ACEs from the parent folder
```

Just copy the lines above, replace your_key_name.pem with your pem file, and paste them one by one into your CMD.

Mayur

Here's a working version of Mayur's code

```batch
:: CMD syntax: %username% is expanded by cmd.exe
icacls.exe your_key_name.pem /reset
icacls.exe your_key_name.pem /grant:r %username%:(R)
icacls.exe your_key_name.pem /inheritance:r
```
Dharman
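The two answers above give the icacls commands; what the question is still missing is a way to confirm the result, since the Windows Security dialog looked right to the asker but ssh still refused the key. The following is an added PowerShell example, not code from either answer or from OpenSSH or AWS. It builds the same 0400-style ACL through the .NET ACL API (so the same three steps are visible: drop inheritance, remove every other ACE, grant the current user Read) and then checks inheritance, ownership and the ACE list programmatically. The function names and the `-KeyPath` parameter are my own choices. The check is deliberately strict (only the current user, Read only); as jarmod's comment notes, OpenSSH on Windows also accepts SYSTEM and Administrators having access, so a file that fails this check may still work, but a file that passes it matches what the answers produce.

```powershell
# Added example (not from the question or the answers): apply and verify a
# chmod-400-equivalent ACL on a private key file using System.Security.AccessControl.
using namespace System.Security.AccessControl
using namespace System.Security.Principal

function Set-PrivateKeyAcl {
    param([Parameter(Mandatory)][string]$KeyPath)   # assumed parameter name

    $path = (Resolve-Path -LiteralPath $KeyPath).Path
    $me   = [WindowsIdentity]::GetCurrent().User     # SID of the logged-on user

    $acl = Get-Acl -LiteralPath $path

    # icacls /inheritance:r -> stop inheriting from the folder and discard
    # the inherited ACEs instead of copying them onto the file.
    $acl.SetAccessRuleProtection($true, $false)

    # icacls /reset + /grant:r -> drop every explicit ACE (Everyone, SYSTEM,
    # Administrators, ...) so only the one added below remains.
    foreach ($ace in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        $null = $acl.RemoveAccessRule($ace)
    }

    # The single surviving ACE: current user, Read only (the 0400 in chmod 400).
    $acl.AddAccessRule([FileSystemAccessRule]::new($me, [FileSystemRights]::Read,
                                                    [AccessControlType]::Allow))

    # ssh should be run by the key's owner; changing the owner needs the
    # WriteOwner right (part of Full Control) or an elevated prompt.
    if ($acl.GetOwner([SecurityIdentifier]).Value -ne $me.Value) {
        $acl.SetOwner($me)
    }

    Set-Acl -LiteralPath $path -AclObject $acl
}

function Test-PrivateKeyAcl {
    param([Parameter(Mandatory)][string]$KeyPath)

    $path     = (Resolve-Path -LiteralPath $KeyPath).Path
    $me       = [WindowsIdentity]::GetCurrent().User
    $acl      = Get-Acl -LiteralPath $path
    $problems = @()

    if (-not $acl.AreAccessRulesProtected) {
        $problems += 'inheritance is still enabled (icacls /inheritance:r not applied)'
    }
    if ($acl.GetOwner([SecurityIdentifier]).Value -ne $me.Value) {
        $problems += "owner is $($acl.GetOwner([NTAccount])), not the current user"
    }

    # Ask for SID-based rules so the comparison does not depend on DOMAIN\name formatting.
    foreach ($ace in $acl.GetAccessRules($true, $true, [SecurityIdentifier])) {
        if ($ace.IdentityReference.Value -ne $me.Value) {
            $problems += "extra ACE for $($ace.IdentityReference.Translate([NTAccount]))"
            continue
        }
        # Windows adds Synchronize to every Allow ACE; mask it out before
        # comparing against plain Read.
        $rights = [int]$ace.FileSystemRights -band (-bnot [int][FileSystemRights]::Synchronize)
        if ($ace.AccessControlType -ne [AccessControlType]::Allow -or
            $rights -ne [int][FileSystemRights]::Read) {
            $problems += "current user has $($ace.FileSystemRights), expected Read only"
        }
    }

    # Small report object: Ok is $true when the file looks like chmod 400.
    [pscustomobject]@{ Path = $path; Ok = ($problems.Count -eq 0); Problems = $problems }
}

# Usage (replace the placeholders):
#   Set-PrivateKeyAcl  -KeyPath .\your_key_name.pem
#   Test-PrivateKeyAcl -KeyPath .\your_key_name.pem
#   ssh -v -i .\your_key_name.pem <user>@<instance-address>   # -v shows OpenSSH's own permission check
```

If `Test-PrivateKeyAcl` reports `Ok = $false`, the `Problems` list names the offending ACE or owner, which is easier to act on than the Security dialog; pairing it with `ssh -v`, as suggested in the comments, shows whether OpenSSH is still objecting to the key file or to something else.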