Reputation: 1670
I am attempting to do a simple connection to an SSH server using OpenSSH for Windows using a private key, and am met with this:
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: UNPROTECTED PRIVATE KEY FILE! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions for 'private' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
Load key "private": bad permissions
On Linux, this is fixed with a simple chmod 600 on the private key file, however Windows does not have an equivalent method.
This sounds like something that should be pretty easy, but I am completely unable to find any reasonable solution to it. Is there a way to either add the private key directly without going through a file, or to skip this privacy check? Or am I missing something else entirely?
Upvotes: 51
Views: 96574
Reputation: 1
In Windows 11, the steps below worked for me.
Hope this will work for you.
[1]: https://i.sstatic.net/fLCVwD6t.png
[2]: https://i.sstatic.net/rULgXaCk.png
Upvotes: 0
Reputation: 4769
So what I did eventually was to copy my ssh private key into %userprofile%/.ssh
Why does it work?
Because this directory is "safer", the ssh private key will inherit the permissions from the %userprofile%/.ssh directory, and you will be able to run ssh, sftp and more without getting the "Permissions are too open" error.
Upvotes: 0
Reputation: 352
In Windows you have to follow the list of steps below to remove the error you are facing.
Steps:
1. Right-click on the file, go to Properties and select the Security tab.
2. Then click on the Advanced button located in the lower right corner.
3. In the new window, "Advanced Security Settings for <your file name>", click on "Disable Inheritance" and remove all the inheritance.
4. Click Apply and OK, then delete all the users listed in the Security tab window by clicking on the "Edit" button.
5. Once all users are removed, click on the "Add" button. Then type the username you are using for your Windows screen.
6. Allow all permissions for the user name you added, and click on Apply and OK.
7. Execute the same command again to log in using ssh; you will then log in to the system successfully.
In case the same problem occurs, please follow steps 1 to 7 again and try.
Upvotes: 0
Reputation: 911
Save the following script and run it for the keys you need to reset the permission for.
This is based on the commands given in the answer above
# ResetKeyPermssions.ps1 <keyfile>
# Resets windows permissions for private key file, such that ssh-add doesn't complain about permissions being too open
$path = $args[0]
#icacls.exe $path /reset #not required as :R replaces permissions
# replace all permissions, give full control to currently logged in user
icacls.exe $path /GRANT:R "$($env:USERNAME):(F)"
# Remove all inheritances
icacls.exe $path /inheritance:r
Upvotes: 3
Reputation: 63
I tried changing the permissions but that didn't work. What worked for me was changing the ownership to the current user, as the key was created by another Admin user.
Upvotes: 0
Reputation: 351
FYI: Rename the "test.pem" to your original pem file name.
Setting path variable:
$path = ".\test.pem"
Reset to remove explicit permissions:
icacls.exe $path /reset
Give current user explicit read-permission:
icacls.exe $path /GRANT:R "$($env:USERNAME):(R)"
Disable inheritance and remove inherited permissions:
icacls.exe $path /inheritance:r
Note:
Upvotes: 24
Reputation: 2154
If we are still looking for the solution to the SSH problem:
If we are not able to remove the users:
In my case, I was trying to connect with the ec2.prem file, which is a private key for AWS, and after following the above steps, I was able to resolve it.
Upvotes: 2
Reputation: 165
I had the same error on Windows, but after moving the private key file to "C:\Users\Administrator.ssh" it works fine.
Upvotes: 4
Reputation: 1670
You can use icacls in Windows instead of chmod to adjust file permission. To give the current user read permission and remove everything else (which will allow OpenSSH to work), this works nicely:
Command Prompt:
icacls .\private.key /inheritance:r
icacls .\private.key /grant:r "%username%":"(R)"
In PowerShell, you can get icacls to work by wrapping the command in a call to cmd.exe
icacls .\private.key /inheritance:r
# The argument string is double-quoted so that $env:USERNAME is expanded before icacls receives it
start-process "icacls.exe" -ArgumentList ".\private.key /grant:r `"$env:USERNAME`":`"(R)`""
Upvotes: 83
Reputation: 121
For Windows 10, store the key file in User. Ex: C:\Users\MANNEM.ssh
Make sure the permissions of the private key file are as shown in the image.
Upvotes: 6
Reputation: 1083
I did it on Windows 10 and it fixed the issue as you can see in the image as well.
You should change the owner of the file (which contains the private key) to your username with full access, and then remove the other usernames that have access to that file.
Right-click on the file which contains the private key, click on Properties and then Security tab > Advanced. By clicking on the Change button you can change the owner to your username. (If you don't know your username, run "echo %USERNAME%" in Command Prompt.) Change > Advanced... > Find Now
Remove all permission entries except the one you just added.
Click on Disable inheritance > Convert inherited permissions..., then remove all permission entries except the one you just added.
Upvotes: 5
Reputation: 784
You locate the file in Windows Explorer, right-click on it then select "Properties". Navigate to the "Security" tab and click "Advanced".
Change the owner to you, disable inheritance and delete all permissions. Then grant yourself "Full control" and save the permissions. Now SSH won't complain about file permission too open anymore.
Upvotes: 5
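The owner, inheritance and permission steps that several answers above carry out through Explorer or icacls can be done in one PowerShell function. This is an added example, not code from any of the answers; Set-KeyFileAcl is a hypothetical helper name, the demo file is constructed, and the function grants Read only, as in the icacls answers.

```powershell
# Added example, not from any answer. Set-KeyFileAcl is a hypothetical helper name.
function Set-KeyFileAcl {
    param([Parameter(Mandatory)][string]$Path)

    $file = Get-Item -LiteralPath $Path -ErrorAction Stop
    # SID of the account running this script
    $me = [System.Security.Principal.WindowsIdentity]::GetCurrent().User
    $acl = Get-Acl -LiteralPath $file.FullName

    # Make the current user the owner (covers keys created by another account;
    # raises an error if this account is not allowed to take ownership).
    $acl.SetOwner($me)

    # Disable inheritance and discard inherited entries (icacls /inheritance:r).
    $acl.SetAccessRuleProtection($true, $false)

    # Drop every explicit entry that is still on the file.
    foreach ($rule in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        [void]$acl.RemoveAccessRule($rule)
    }

    # Grant the current user read access only (icacls /grant:r "user:(R)").
    $readOnly = [System.Security.AccessControl.FileSystemAccessRule]::new(
        $me,
        [System.Security.AccessControl.FileSystemRights]::Read,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.AddAccessRule($readOnly)
    Set-Acl -LiteralPath $file.FullName -AclObject $acl

    # Re-read the ACL from disk and report what is actually in effect.
    $now = Get-Acl -LiteralPath $file.FullName
    [pscustomobject]@{
        Path    = $file.FullName
        Owner   = $now.Owner
        Entries = @($now.Access | ForEach-Object {
            '{0} {1} {2}' -f $_.IdentityReference, $_.AccessControlType, $_.FileSystemRights
        })
    }
}

# Constructed demo: an empty temporary file stands in for a key file.
$demo = New-TemporaryFile
Set-KeyFileAcl -Path $demo.FullName | Format-List
```

After it runs, Entries should hold a single Allow entry for your own account and Owner should be that same account.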