30

I'm using the new ssh client for Windows 10 and when trying to connect with a private key I'm getting this error:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions for 'MyPair.pem' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
Load key "MyPair.pem": bad permissions
ec2-user@192.0.2.0: Permission denied (publickey).

I know that if I was on Linux I would need to run chmod 600 to set the file permissions, but what do you use on Windows 10?

3 Answers

33

Keys must only be accessible to the user they're intended for and no other account, service, or group.

  • GUI:
    [File] → Properties → Security → Advanced
    1. Owner: Change → Select a principal → Enter key's user → OK
    2. Permission Entries: Remove all except for the key's user
    3. Set key's user to Full Control if not already set
      1. Select user → Modify → Full Control → OK
        OR
      2. Add → Select a principal → Enter key's user → OK
    4. OK → OK

  • Cmd:
    ::# Set Key File Variable:
        Set Key="%UserProfile%\.ssh\id_rsa"

    ::# Remove Inheritance:
        Icacls %Key% /c /t /Inheritance:d

    ::# Set Ownership to Owner:
        Icacls %Key% /c /t /Grant %UserName%:F

    ::# Remove All Users, except for Owner:
        Icacls %Key% /c /t /Remove Administrator BUILTIN\Administrators BUILTIN Everyone System Users

    ::# Verify:
        Icacls %Key%

    ::# Remove Variable:
        set "Key="


  • PowerShell:
    # Set Key File Variable:
      New-Variable -Name Key -Value "$env:UserProfile\.ssh\id_rsa"

    # Remove Inheritance:
      Icacls $Key /c /t /Inheritance:d

    # Set Ownership to Owner:
      Icacls $Key /c /t /Grant ${env:UserName}:F

    # Remove All Users, except for Owner:
      Icacls $Key /c /t /Remove Administrator BUILTIN\Administrators BUILTIN Everyone System Users

    # Verify:
      Icacls $Key

    # Remove Variable:
      Remove-Variable -Name Key


  • WSL/Cygwin:
    # Set Variables:
      # Key File:
        key="/path/to/key"

      # User:
        user="$(echo $USER)"

    # Set Ownership to Owner: (assumes user's name is also user's group name)
      chown $user:$user "$key"

    # Set Access Rights:
      chmod 0600 "$key"

    # Verify:
      ls -l "$key"

JW0914
  • 9,096
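
The icacls steps in the answer above remove a fixed list of account names, so an entry that is not on that list stays on the key. As an added example (not part of the original answer), this PowerShell script reads the file's actual ACL, reports every principal other than the current user, and with `-Fix` removes them by SID. The function names `Get-OtherPrincipal` and `Protect-KeyFile` are hypothetical, the default key path is the one used in the answer, and the script handles permission entries only, not ownership.

```powershell
# Added example, not part of the original answer.
# Assumption: default key path is the one used in the answer; pass -Key to override.
param(
    [string]$Key = "$env:UserProfile\.ssh\id_rsa",
    [switch]$Fix   # without -Fix the script only reports
)

$Me = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value  # current user's SID

# Hypothetical helper: list every ACL entry that belongs to someone other than the current user.
function Get-OtherPrincipal {
    param([Parameter(Mandatory)][string]$Path)
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        if ($sid -ne $Me) {
            [pscustomobject]@{
                Name      = $ace.IdentityReference.Value
                Sid       = $sid
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Hypothetical helper: leave the current user as the only principal on the file.
function Protect-KeyFile {
    param([Parameter(Mandatory)][string]$Path)
    icacls $Path /grant:r "*${Me}:F" | Out-Null      # explicit Full Control for the current user
    icacls $Path /inheritance:r      | Out-Null      # drop inherited entries instead of copying them
    # Remove whatever explicit entries are still present, by SID (the leading * marks a SID).
    Get-OtherPrincipal -Path $Path | ForEach-Object { $_.Sid } | Sort-Object -Unique |
        ForEach-Object { icacls $Path /remove "*$_" | Out-Null }
}

$before = @(Get-OtherPrincipal -Path $Key)
$before | Format-Table -AutoSize
if ($Fix -and $before.Count -gt 0) {
    Protect-KeyFile -Path $Key
    icacls $Key   # verify: only the current user should be listed
}
```

Run it once without `-Fix` to see which entries would be removed, then again with `-Fix` to apply the change.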
0

Using the Windows 10 GUI, here's some additional detail:

  1. Right-click the pem file, Properties, Security.
  2. Set owner to the key's user (i.e. you).
  3. Permission entries: remove all users, groups, services except for the key's user.
  4. Set key's user to "Full Control". Here's how I did it:
  5. Disable inheritance. If you see a popup, choose to convert to explicit permissions on this file.
  6. Add, select a principal, object type is User, object name is key's owner's username (for example if your home directory is c:\Users\ben folder, then type ben here). OK.
  7. Give that user Full Control.
  8. Delete everyone else (Authenticated Users, SYSTEM, etc.).
  9. OK.

It's important that you set the owner to the key's user before you disable inheritance.

Ben
  • 13
0

To spare time, much easier than the other solutions: just move the file to a "safe location" on your drive, like the %userprofile%/.ssh folder.

NOTE: Some people said that it works anywhere on the C: drive, or in the user's Downloads folder, but I didn't test that.

JotaBe
  • 179