47

I have a key file located at C:\private-key.pem and I have a soft link to it on the Ubuntu subsystem: ~/.ssh/private-key.pem -> /mnt/c/private-key.pem.

When I'm trying to ssh into some remote machine from the Ubuntu subsystem, I get:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0777 for '/home/artur/.ssh/private-key.pem' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
Load key "/home/artur/.ssh/private-key.pem": bad permissions
Permission denied (publickey).
  • This began after the 1803 update for Windows: I was trying to use chmod 400 for the key on C:\ and within ~/.ssh on WSL. I tried to set the owner to me and remove all other users' ACLs on Windows for this key file, but every time I get Permission denied or
    Permissions XXXX for '/home/artur/.ssh/private-key.pem' are too open.

Can anybody help me and explain how key permissions should be configured on Windows and the Ubuntu subsystem?

4

10 Answers

47

Solution that works for me in Windows WSL (without changing file mode):

sudo ssh -i keyfile <user>@ip
8
  • 21
    I don’t understand.  Can you explain what you mean?  Please do not respond in comments; edit your answer to make it clearer and more complete. Commented May 24, 2018 at 7:26
  • 2
    If WSL still shows access permissions for group and others, this is not an acceptable solution. SSH keys must only be accessible to the user they're intended for and no other user or group. Allowing for anything other than 600/400 permissions defeats the purpose of utilizing an SSH key, as it compromises the security of said key.
    – JW0914
    Commented Aug 11, 2018 at 12:40
  • 4
    I found the right answer here - superuser.com/a/1323647/352182 You cannot modify a file inside of /mnt (windows file system), copy the file to your linux and then it works as expected.
    – bozzmob
    Commented Aug 21, 2018 at 15:00
  • 2
    For those who don’t get it: he told you to sudo it. Commented Aug 5, 2019 at 6:39
  • 1
    @КонстантинВан sudo should never be utilized with ssh. The reason why issuing with sudo works is because it's now likely being executed as root, and this is not the correct way to do this and is a massive security risk, as allowing for anything other than 600/400 permissions defeats the purpose of utilizing an SSH key, compromising the security of the key.
    – JW0914
    Commented Aug 15, 2019 at 12:57
26

I'm reading between the lines, and assuming you're using a Linux subsystem in Windows 10. When you symlinked the Windows file from C:\ into the Linux file system in $HOME/.ssh, the permissions of the actual file are still under control of Windows, and the permissions shown to you in the Linux window just best represent the Windows permissions; you can't change the permissions on the Windows files in /mnt/c from Linux. This FAQ from Microsoft talks about how files are handled in the two overlapping file systems.

The file you need to change the permission on is the file the symlink is pointing to, so that means the file in /mnt/c.

It doesn't seem possible to give user-only access to a Windows file. Even if you disable permission inheritance on a file and give only your own user read permission, the Linux permissions still show as -r--r--r--, so that won't be usable for ~/.ssh

The only option appears to be copying the file from Windows into Linux, at which point you can use chmod and chown on it.

16

Copy the SSH key over to your WSL ~/.ssh directory, as an SSH key with anything other than 600/400 permissions compromises the key.

  • Once the key is copied over, ensure its EOLs have been changed to LF.

    • There are a number of ways to do so, from the Atom text editor to CLI solutions like dos2unix, unix2dos, etc.
  • See @simpleuser's answer below to understand why permissions cannot be changed via Windows, which necessitates copying the key to the WSL's ~/.ssh directory.

0
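The copy, line-ending and permission steps from the answers above, combined into one script. This is an added example, not code from any of the posts; the function names `install_key` and `key_mode_ok` are made up here, and it assumes GNU `stat` and `readlink` as shipped with Ubuntu on WSL. It also handles the asker's situation where `~/.ssh/private-key.pem` is still a symlink into `/mnt/c`, replacing the link instead of writing through it.

```bash
#!/usr/bin/env bash
# Added example; all paths come from the caller, nothing is hard-coded.

# key_mode_ok FILE: succeeds only when no group/other permission bit is set,
# i.e. the condition behind ssh's "Permissions 0777 ... are too open" warning.
key_mode_ok() {
    local mode
    mode=$(stat -c '%a' "$1") || return 1
    [ $(( 0$mode & 077 )) -eq 0 ]
}

# install_key SRC DEST_DIR: copy SRC into DEST_DIR as a real file, LF-only,
# mode 600. Prints the path of the installed copy.
install_key() {
    local src dest_dir dest
    src=$(readlink -f -- "$1") || return 1   # follow a symlink such as ~/.ssh/x -> /mnt/c/x
    dest_dir=$2
    dest="$dest_dir/$(basename -- "$src")"
    [ -r "$src" ] || { echo "cannot read $src" >&2; return 1; }

    mkdir -p -- "$dest_dir" && chmod 700 "$dest_dir" || return 1

    # A regular file that already is SRC must not be deleted below.
    if [ ! -L "$dest" ] && [ "$src" -ef "$dest" ]; then
        echo "$src is already in $dest_dir" >&2; return 1
    fi

    (
        umask 077                        # created 0600, never briefly world-readable
        rm -f -- "$dest"                 # drop an old symlink instead of writing through it
        tr -d '\r' < "$src" > "$dest"    # CRLF -> LF
    ) || return 1
    chmod 600 "$dest" || return 1
    key_mode_ok "$dest" || { echo "mode still too open on $dest" >&2; return 1; }
    printf '%s\n' "$dest"
}

# Run as a script: ./install-key.sh /mnt/c/private-key.pem ~/.ssh
if [ "$#" -eq 2 ]; then
    install_key "$1" "$2"
fi
```

The original file on the Windows side is left untouched, so Windows tools can keep using it while ssh in WSL uses the copy.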
8

The Windows 10 permissions vs WSL permissions problem is only a problem if the .pem file is in the Windows file system accessible under a mount point, e.g. somewhere in /mnt/c.

If you move the file to under your WSL home directory, e.g. directory /home/.ssh, then you can do a chmod 400 yourkeyfile.pem on the file.

The way WSL works, the standard Linux root directories like bin, etc, home, usr are not visible to Windows 10, hence you can do a chmod on any file just as you were working on a real Linux system.

1
  • I copied it instead of moving it, so both OSs can use it.
    – aderchox
    Commented Apr 11, 2023 at 8:27
3

I am using Linux Windows Shell on Windows 10 Pro and also installed Cygwin.

Matching the WSL UID to the Cygwin UID solved the problem.
Find the Cygwin UID in the Cygwin terminal via id.

Two steps to match the UID:

  1. Open cmd.exe with administrator privileges and edit, with the new UID, via regedit.
    HKCU\Software\Microsoft\Windows\CurrentVersion\Lxss{cefb...cb50}\DefaultUid
    
  2. Change the UID in WSL by using, in the WSL terminal:

    sudo vi /etc/passwd
    chmod 600 ~/.ssh/private-key.pem
    

Reference:

3

On Windows, delete all others' permissions:

  1.  chmod 400 'keyname.pem'
    
  2. Right-click keyname.pem → Setting → Security → Delete all users/groups except you.
1

If you are using WSL, you can copy file.pem to ~/.ssh/

Copy file .pem

cp file.pem ~/.ssh/

Change permissions:

chmod 600 ~/.ssh/file.pem

Done, try again with your ssh-add

eval `ssh-agent -s`
ssh-add ~/.ssh/file.pem
1
  • 1
    This was the solution I was looking for... chmod 600. Thanks :)
    – user464885
    Commented Jan 25, 2023 at 9:46
0

To expand on the answer above, I am using Linux Windows Shell on Windows 10 Pro, and the v1803 update broke SSH in the shell.

  • There is no equivalent to chmod 600 within Windows, but you can leave your .pem unchanged with file permission 777, running the following, which will log straight in (not sure why):
    sudo ssh -i  'my777Keyfile.pem'  [email protected] 
    
2
  • Did you test your answer? I used the GUI in Windows to change the icacl but after some experimentation I couldn't match the Linux SSH requirement that it's restricted down to the ssh user. From memory I always needed to be in at least one group. This meant that I could restrict to (500 or 540 I think) but that still won't work. If I get a chance I'll experiment with your method of moving the key to the .ssh directory in WSL as that would be a simple and effective solution.
    – Chris B
    Commented Aug 2, 2018 at 11:59
  • Since you implied the first two steps in my answer didn't work for you, I've removed them, leaving the last, and only, solution, as SSH keys should never be readable or accessible to any but the user they're intended for.
    – JW0914
    Commented Aug 4, 2018 at 14:17
0

Here's a really simple WSL solution, normally not requiring sudo:

cat 'mykey.pem' > 'wslkey.pem'
chmod 400 wslkey.pem
ssh -i 'wslkey.pem' ec2-user@[PUBLIC-IP-OF-YOUR-INSTANCE]
0

You can use named pipes:

key="/tmp/ssh-$(openssl rand -hex 16)"
mkfifo "${key}"
chmod 600 "${key}"
cat my_key_file_with_bogus_permissions > "${key}" &
ssh-add "${key}"
rm -f "${key}"
