Ssh permissions are too open windows

asked Feb 18, 2018 at 5:10

You locate the file in Windows Explorer, right-click on it then select «Properties». Navigate to the «Security» tab and click «Advanced».

Change the owner to you, disable inheritance and delete all permissions. Then grant yourself «Full control» and save the permissions. Now SSH won’t complain about file permission too open anymore.

It should end up looking like this:

Keys must only be accessible to the user they’re intended for and no other account, service, or group.

• GUI:
  [File] Properties → Security → Advanced
  1. Owner: The key’s user
  2. Permission Entries: Remove all except for the key’s user
  3. Set key’s user to Full Control
• Cmd:

  ::# Set Key File Variable:
      Set Key="%UserProfile%.sshid_rsa"
  
  ::# Remove Inheritance:
      Icacls %Key% /c /t /Inheritance:d
  
  ::# Set Ownership to Owner:
      :: # Key's within %UserProfile%:
           Icacls %Key% /c /t /Grant %UserName%:F
  
      :: # Key's outside of %UserProfile%:
           TakeOwn /F %Key%
           Icacls %Key% /c /t /Grant:r %UserName%:F
  
  ::# Remove All Users, except for Owner:
      Icacls %Key% /c /t /Remove:g "Authenticated Users" BUILTINAdministrators BUILTIN Everyone System Users
  
  ::# Verify:
      Icacls %Key%
  
  ::# Remove Variable:
      set "Key="
  

• PowerShell:

  # Set Key File Variable:
    New-Variable -Name Key -Value "$env:UserProfile.sshid_rsa"
  
  # Remove Inheritance:
    Icacls $Key /c /t /Inheritance:d
  
  # Set Ownership to Owner:
    # Key's within $env:UserProfile:
      Icacls $Key /c /t /Grant ${env:UserName}:F
  
     # Key's outside of $env:UserProfile:
       TakeOwn /F $Key
       Icacls $Key /c /t /Grant:r ${env:UserName}:F
  
  # Remove All Users, except for Owner:
    Icacls $Key /c /t /Remove:g Administrator "Authenticated Users" BUILTINAdministrators BUILTIN Everyone System Users
  
  # Verify:
    Icacls $Key
  
  # Remove Variable:
    Remove-Variable -Name Key
  

answered Jun 8, 2018 at 15:34

In addition to the answer provided by ibug. Since i was using the ubuntu system inside windows to to run the ssh command. It still was not working. So i did

sudo ssh ...

and then it worked

answered Sep 8, 2018 at 13:27

I had a similar issue but I was at work and don’t have the ability to change file permissions on my work computer. What you need to do is install WSL then copy the your key to the hidden ssh directory in WSL:

cp <path to your key> ~/.ssh/<name of your key>

Now you should be able to modify the permissions normally.

sudo chmod 600 ~/.ssh/<your key's name>

Then ssh using WSL:

ssh -i ~/.ssh/<name of your key> <username>@<ip address>

You just need to do at least four things:

1. Disable inheritance

1. Convert inherited permissions to explicit permissions

1. Remove Users group

1. You will end up with no Users can access private files, this should be enough to add id_rsa.

use below command on your key it works on windows

icacls .private.key /inheritance:r
icacls .private.key /grant:r "%username%":"(R)"

answered Oct 4, 2019 at 13:28

This seems to be related to the version of OpenSSH you’re running:

• where ssh returns:

  %WinDir%System32OpenSSHssh.exe
  %ProgramFiles%Gitusrbinssh.exe
  

  ssh -V returns:

  # %WinDir%System32OpenSSHssh.exe
    OpenSSH_7.5p1, without OpenSSL
  
  # %ProgramFiles%Gitusrbinssh.exe
    OpenSSH_7.3p1, OpenSSL 1.0.2k  26 Jan 2017
  

When running ..Gitusrbinssh.exe, it works fine and doesn’t complain about the permissions, but running ..OpenSSHssh.exe comes back with the following, even though key ACLs are Full Access for myself and nothing else:

load key "t:mykeysrich-private.ppk": invalid format
  banana@127.0.0.127: Permission denied (publickey).

You can use icacls in Windows instead of chmod to adjust file permission. To give the current user read permission and remove everything else:

Icacls <file name> /Inheritance:r
Icacls <file name> /Grant:r "%Username%":"(R)"

Here’s the way to do it using Microsoft’s tooling, avoiding the problem from the get-go. But it should also fix the issue, meaning you can follow these instructions with existing keys.

Start PowerShell/Terminal as Administrator and run the following:

Install-Module -Force OpenSSHUtils -Scope AllUsers

# Make sure the service isn't disabled
Get-Service -Name ssh-agent | Set-Service -StartupType Manual

# We need this service as ssh-add depends on it
Start-Service ssh-agent

cat ~.sshexample-key.ecdsa | ssh-add -k -

answered Oct 30, 2020 at 14:31

answered Nov 28, 2019 at 14:45

answered Oct 3, 2019 at 21:07

1. Copy the public and private keys to %userprofile%.ssh
2. Use the batch script below after finding your keys from the cmd prompt with where *.pub:

   Md %Userprofile%.ssh
     Copy PublicKey %Userprofile%.ssh
     Copy PrivateKey %Userprofile%.ssh
   
   Cd %Userprofile%.ssh
     Icacls .PublicKey  /Inheritance:r
     Icacls .PrivateKey /Inheritance:r
     Icacls .PublicKey  /Grant:r "%Username%":"(F)"
     Icacls .PrivateKey /Grant:r "%Username%":"(F)"
   

3. Right-click each file → Properties → Security:
   Remove everyone except the user, setting the permissions for the user to Read

I couldn’t get any of these answers working for me due to permission issues, so I’ll share my solution:

1. Go to %UserProfile%.ssh
2. Copy and paste id_rsa, rename it to something else [example]
3. Open the renamed file [example] and replace the key with your own private key
4. cd to that directory
5. Enter your passphrase after issuing: ssh -i example example@127.0.0.1

1. Download and unzip OpenSSH-Win64.zip (or Win32, depending on your system)
2. Execute FixUserFilePermissions.ps1 in PowerShell with administrator privilege

Answer by iBug works fine! You can follow that and get rid of this issue.

But there are few things which are needed to be cleared as I faced issues during setting up permissions and it took few minutes for me to figure out the problem!

Following iBug’s answer, you’ll remove all the permissions but how do you set Full Control permission to yourself? that’s where I got stuck at first as I didn’t knew how to do that.

After Disabling Inheritance, you’ll be able to delete all allowed users or groups.

Once Done with that,

Click on Add then click on Set a Principal then enter System and Administrators and your email addredd in the field at bottom then click on check names.

It’ll load the name if user exists.
Then, Click on OK > Type Allow > Basic Permisisons Full Control > Okay

This will setup Full Control permission to SYSTEM, Administrators and Your User.

After that try to ssh using that key. It should be solved now.

I had same issue and I solved that using this method.
If there’s any user or group with that name then it’ll load that.

-Screenshots-

Permission Entries
Select a Principal/ Select User or Groups

answered Feb 8, 2019 at 14:20

I’m a Window user, using the Windows’s bash and followed all the steps to set permission using Windows GUI, and it still doesn’t work and it complains:

Permissions 0555 for 'my_ssh.pem' are too open.
It is required that your private key files are NOT accessible by others.

The I added sudo at the front of the ssh command and it just works. Hope this is helpful to others.

answered Nov 26, 2019 at 6:10

I had the same problem on Windows 10, and it arouse when I created a second user account on my machine.

Since that new user was also an administrator and It had access to my user folder, I did these steps to limit the access on my .ssh folder and it worked!

1. Navigate to your user folder at C:UsersYOU
2. Right click on .ssh/ folder to open context menu
3. Under Give access to... sub-menu, select Remove access
4. Done!

Now try to log back in to your remote computer using ssh!

Hope it helps someone!

answered May 15, 2020 at 23:15

asked Feb 14, 2012 at 2:02

The keys need to be read-writable only by you:

chmod 600 ~/.ssh/id_rsa

Alternatively, the keys can be only readable by you (this also blocks your write access):

chmod 400 ~/.ssh/id_rsa

600 appears to be better in most cases, because you don’t need to change file permissions later to edit it. (See the comments for more nuances)

The relevant portion from the manpage (man ssh)

 ~/.ssh/id_rsa
         Contains the private key for authentication.  These files contain sensitive 
         data and should be readable by the user but not
         accessible by others (read/write/execute).  ssh will simply ignore a private 
         key file if it is              
         accessible by others.  It is possible to specify a
         passphrase when generating the key which will be used to encrypt the sensitive 
         part of this file using 3DES.

 ~/.ssh/identity.pub
 ~/.ssh/id_dsa.pub
 ~/.ssh/id_ecdsa.pub
 ~/.ssh/id_rsa.pub
         Contains the public key for authentication.  These files are not sensitive and 
         can (but need not) be readable by anyone.

Using Cygwin in Windows 8.1, there is a command need to be run:

chgrp Users ~/.ssh/id_rsa

Then the solution posted here can be applied, 400 or 600 is OK.

chmod 600 ~/.ssh/id_rsa

Reference here

I’ve got the error in my windows 10 so I set permission as the following and it works.

In details, remove other users/groups until it has only ‘SYSTEM’ and ‘Administrators’. Then add your windows login into it with Read permission only.

Note the id_rsa file is under the c:users<username> folder.

answered Dec 8, 2018 at 3:08

The locale-independent solution that works on Windows 8.1 is:

chgrp 545 ~/.ssh/id_rsa
chmod 600 ~/.ssh/id_rsa

GID 545 is a special ID that always refers to the ‘Users’ group, even if you locale uses a different word for Users.

answered Feb 21, 2015 at 15:51

Windows 10 ssh into Ubuntu EC2 “permissions are too open” error on AWS

I had this issue trying to ssh into an Ubuntu EC2 instance using the .pem file from AWS.

In windows this worked when I put this key in a folder created under the .ssh folder

C:UsersUSERNAME.sshprivate_key

To change permission settings in Windows 10 :

File Settings > Security > Advanced

Disable inheritance

Convert Inherited Permissions Into Explicit Permissions

Remove all the permission entries except for Administrators

Could then connect securely.

answered Mar 26, 2020 at 12:45

AFAIK the values are:

• 700 for the hidden directory .ssh where key files are located

• 600 for the keyfile id_rsa

answered Feb 14, 2012 at 2:04

I have got a similar issue when i was trying to login to remote ftp server using public keys.
To solve this issue I have done the following process:

• First find the location of the public keys, because when you try to login to ftp, this public key is used.
• Alternatively, you can create a key and set that key’s permissions to 600.
• Make sure you are in the correct location and perform this command:

chmod 600 id_rsa

On Windows 10, cygwin’s chmod and chgrp weren’t enough for me. I had to

• right click on the file
• -> Properties
• -> Security (tab)
• and remove all users and groups except for my active user.

I got success with sudo

sudo chmod 400 pem-file.pem
sudo ssh -i pem-file.pem username@X.X.X.X

provide 400 permission,
execute below command

chmod 400 /Users/username/.ssh/id_rsa

answered Aug 28, 2018 at 11:03

There is one exception to the 0x00 permissions requirement on a key. If the key is owned by root and group-owned by a group with users in it, then it can be 0440 and any user in that group can use the key.

I believe this will work with any permissions in the set 0xx0 but I haven’t tested every combination with every version. I have tried 0660 with 5.3p1-84 on CentOS 6, and the group not the primary group of the user but a secondary group, and it works fine.

This would typically not be done for someone’s personal key, but for a key used for automation, in a situation where you don’t want the application to be able to mess with the key.

Similar rules apply to the .ssh directory restrictions.

For windows users Only.
Goto file property —> security —> advanced

1. Disable inheritance property
2. Convert Inherited Permissions Into Explicit Permissions.
3. Remove all the permission entries except the Administrators.
   

answered Jul 27, 2020 at 4:50

This is what worked for me (on mac)

sudo chmod 600 path_to_your_key.pem 

then :

ssh -i path_to_your_key user@server_ip

Hope it help

answered Jan 22, 2019 at 12:14

Mostafa WaelMostafa Wael

2,2201 gold badge16 silver badges19 bronze badges

what worked for me

chgrp Users FOLDER

chmod 600 FOLDER

answered Mar 26, 2014 at 22:54

I got same issue after migration from another mac.
And it blocked to connect github by my key.

I reset permission as below and it works well now.

chmod 700 ~/.ssh     # (drwx------)
cd ~/.ssh            
chmod 644 *.pub      # (-rw-r--r--)
chmod 600 id_rsa     # (-rw-------)

B.KingsunB.Kingsun

3323 silver badges11 bronze badges

As people have said, in Windows, I just dropped my .pem file in C:Users[user].ssh and that solved it. Although you can do chmod and other command line options from a bash or powershell prompt that didn’t work. I didn’t change rsa or anything else. Then when running the connection you have to put the path to the pem file in the .ssh folder:

ssh -i "C:Users[user].sshubuntukp01.pem" ubuntu@ec[ipaddress].us-west-2.compute.amazonaws.com

I keep all my own certificates and keys in one directory, and this works for tools like PuTTY, but I got this too open error message from the scp command. I discovered that Windows already maintains a C:usersACCOUNTNAME.ssh folder having the proper access rights for storing SSH keys. So long as you keep the contents backed up (Windows sometimes deletes it during updates), or create your own folder for ssh keys in your user folder, this will work fine, as only you and the administrators have access to that parent folder.

Be very careful about changing access rights on Windows folders. I did this, and once a day Windows is scanning, reading, and writing all the files on my C: drive, a process that slows the computer for many minutes.

answered May 13, 2015 at 7:35

answered Aug 25, 2020 at 14:48

I am using Windows 10 and trying to connect to EC2 instance via SSH. Rather than using Cygwin for Windows, try using Git Bash. After doing chmod 400 for key I am able to SSH into the EC2 instance, but the same is not working for me from Cygwin. Windows treats the .pem file as coming from internet and blocks it, even disabling inheritance doesn’t work.

I converted the file to .ppk format and it’s working fine from PuTTY also, but it’s not working from Cygwin.

NigrimmistNigrimmist

8,9984 gold badges49 silver badges50 bronze badges

coorassecoorasse

5,0881 gold badge32 silver badges43 bronze badges

LeenaLeena

6371 gold badge11 silver badges19 bronze badges

answered Feb 14, 2019 at 8:41

vildhjartavildhjarta

5542 gold badges5 silver badges15 bronze badges

theEpsilontheEpsilon

1,67016 silver badges28 bronze badges