Warning: unprotected private key file windows 10

I have OpenSSH 7.6 installed on Windows 7 for testing purposes. The SSH client and server worked just fine until I tried to access one of my AWS EC2 boxes from this Windows machine.

It seems like I need to change the permission on the private key file. This can be easily done on unix/linux with chmod command.

What about windows?

private-key.ppm is copied directly from AWS and I guess the permission too.

C:\>ssh -V
OpenSSH_7.6p1, LibreSSL 2.5.3

C:\>ver

Microsoft Windows [Version 6.1.7601]

C:\>


C:\>ssh  -i private-key.ppk
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions for 'private-key.ppk' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
Load key "private-key.ppk": bad permissions
: Permission denied (publickey).

C:\>
C:\>
C:\>ssh  -i private-key.ppm
Warning: Identity file private-key.ppm not accessible: No such file or directory.
: Permission denied (publickey).

C:\>

asked Feb 18, 2018 at 5:10

11

You locate the file in Windows Explorer, right-click on it then select "Properties". Navigate to the "Security" tab and click "Advanced".

Change the owner to you, disable inheritance and delete all permissions. Then grant yourself "Full control" and save the permissions. Now SSH won't complain about the file permissions being too open anymore.

It should end up looking like this:

MSC

answered Feb 18, 2018 at 8:57

iBug

21

Keys must only be accessible to the user they're intended for and no other account, service, or group.

  • GUI:
    [File] Properties → Security → Advanced
    1. Owner: The key's user
    2. Permission Entries: Remove all except for the key's user
    3. Set key's user to Full Control
  • Cmd:
    ::# Set Key File Variable:
        Set Key="%UserProfile%\.ssh\id_rsa"
    
    ::# Remove Inheritance:
        Icacls %Key% /c /t /Inheritance:d
    
    ::# Set Ownership to Owner:
        :: # Keys within %UserProfile%:
             Icacls %Key% /c /t /Grant %UserName%:F
    
        :: # Keys outside of %UserProfile%:
             TakeOwn /F %Key%
             Icacls %Key% /c /t /Grant:r %UserName%:F
    
    ::# Remove All Users, except for Owner:
        Icacls %Key% /c /t /Remove:g "Authenticated Users" BUILTIN\Administrators BUILTIN Everyone System Users
    
    ::# Verify:
        Icacls %Key%
    
    ::# Remove Variable:
        set "Key="
    

  • PowerShell:
    # Set Key File Variable:
      New-Variable -Name Key -Value "$env:UserProfile\.ssh\id_rsa"
    
    # Remove Inheritance:
      Icacls $Key /c /t /Inheritance:d
    
    # Set Ownership to Owner:
      # Keys within $env:UserProfile:
        Icacls $Key /c /t /Grant ${env:UserName}:F
    
      # Keys outside of $env:UserProfile:
        TakeOwn /F $Key
        Icacls $Key /c /t /Grant:r ${env:UserName}:F
    
    # Remove All Users, except for Owner:
      Icacls $Key /c /t /Remove:g Administrator "Authenticated Users" BUILTIN\Administrators BUILTIN Everyone System Users
    
    # Verify:
      Icacls $Key
    
    # Remove Variable:
      Remove-Variable -Name Key
    

answered Jun 8, 2018 at 15:34
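
A scripted alternative to reading the `Icacls` verify output by eye, added here as an example and not part of any answer on this page: it lists the owner, inheritance state and Allow entries that still conflict with "accessible only by the key's user". The helper name `Get-KeyAclFinding`, the tolerated SYSTEM and Administrators SIDs, and the throwaway demo file are assumptions of this example.

```powershell
# Added example: report what still violates "accessible only by the key's user".
# Assumption: SYSTEM (S-1-5-18) and Administrators (S-1-5-32-544) are tolerated
# next to the current user; drop them from $allowed for a stricter audit.
function Get-KeyAclFinding {   # hypothetical helper name
    param([Parameter(Mandatory)][string]$Path)

    $sidType = [System.Security.Principal.SecurityIdentifier]
    $me      = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
    $allowed = @($me, 'S-1-5-18', 'S-1-5-32-544')
    $acl     = Get-Acl -LiteralPath $Path

    # The owner can always rewrite the ACL, so it must be an allowed principal.
    if ($allowed -notcontains $acl.GetOwner($sidType).Value) {
        [pscustomobject]@{ Issue = 'owner'; Identity = $acl.Owner; Rights = $null }
    }
    # With inheritance on, a change on the parent folder can re-open the file.
    if (-not $acl.AreAccessRulesProtected) {
        [pscustomobject]@{ Issue = 'inheritance enabled'; Identity = $null; Rights = $null }
    }
    # Compare by SID so localized or renamed groups are still recognized.
    foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($allowed -contains $ace.IdentityReference.Value) { continue }
        $name = $ace.IdentityReference.Value   # fall back to the raw SID
        try { $name = $ace.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value } catch { }
        [pscustomobject]@{ Issue = 'extra access'; Identity = $name; Rights = $ace.FileSystemRights }
    }
}

# Constructed demo on a throwaway file: audit, lock down with icacls, audit again.
$tmp = (New-TemporaryFile).FullName
'constructed placeholder, not a real key' | Set-Content -LiteralPath $tmp
Get-KeyAclFinding -Path $tmp | Format-Table -AutoSize
icacls $tmp /inheritance:r | Out-Null
icacls $tmp /grant:r "${env:UserName}:(R)" | Out-Null
Get-KeyAclFinding -Path $tmp | Format-Table -AutoSize
Remove-Item -LiteralPath $tmp
```

To audit a real key, call `Get-KeyAclFinding -Path "$env:UserProfile\.ssh\id_rsa"`; no output means nothing was flagged.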

22

In addition to the answer provided by iBug: since I was using the Ubuntu system inside Windows to run the ssh command, it still was not working. So I did

sudo ssh ...

and then it worked

answered Sep 8, 2018 at 13:27

Parv Sharma

9

I had a similar issue but I was at work and don't have the ability to change file permissions on my work computer. What you need to do is install WSL, then copy your key to the hidden ssh directory in WSL:

cp <path to your key> ~/.ssh/<name of your key>

Now you should be able to modify the permissions normally.

sudo chmod 600 ~/.ssh/<your key's name>

Then ssh using WSL:

ssh -i ~/.ssh/<name of your key> <username>@<ip address>

Giacomo1968

answered Sep 6, 2019 at 18:17

JKauffman

5

You just need to do at least four things:

  1. Disable inheritance
  2. Convert inherited permissions to explicit permissions
  3. Remove Users group
  4. You will end up with no Users able to access the private files; this should be enough to add id_rsa.

Matthew Lock

answered Feb 16, 2019 at 21:58

3

Use the commands below on your key; this works on Windows.

icacls .\private.key /inheritance:r
icacls .\private.key /grant:r "%username%":"(R)"

answered Oct 4, 2019 at 13:28

4

This seems to be related to the version of OpenSSH you're running:

  • where ssh returns:
    %WinDir%\System32\OpenSSH\ssh.exe
    %ProgramFiles%\Git\usr\bin\ssh.exe
    
    ssh -V returns:
    # %WinDir%\System32\OpenSSH\ssh.exe
      OpenSSH_7.5p1, without OpenSSL
    
    # %ProgramFiles%\Git\usr\bin\ssh.exe
      OpenSSH_7.3p1, OpenSSL 1.0.2k  26 Jan 2017
    

When running ..\Git\usr\bin\ssh.exe, it works fine and doesn't complain about the permissions, but running ..\OpenSSH\ssh.exe comes back with the following, even though key ACLs are Full Access for myself and nothing else:

load key "t:\mykeys\rich-private.ppk": invalid format
  : Permission denied (publickey).

answered Apr 5, 2018 at 11:53

Rich S

6

You can use icacls in Windows instead of chmod to adjust file permission. To give the current user read permission and remove everything else:

Icacls <file name> /Inheritance:r
Icacls <file name> /Grant:r "%Username%":"(R)"

answered Aug 12, 2019 at 12:39

manjuv

4

  1. Copy the public and private keys to %userprofile%\.ssh
  2. Use the batch script below after finding your keys from the cmd prompt with where *.pub:
    Md %Userprofile%\.ssh
      Copy PublicKey %Userprofile%\.ssh
      Copy PrivateKey %Userprofile%\.ssh
    
    Cd %Userprofile%\.ssh
      Icacls .\PublicKey  /Inheritance:r
      Icacls .\PrivateKey /Inheritance:r
      Icacls .\PublicKey  /Grant:r "%Username%":"(F)"
      Icacls .\PrivateKey /Grant:r "%Username%":"(F)"
    
  3. Right-click each file → Properties → Security:
    Remove everyone except the user, setting the permissions for the user to Read

answered Apr 17, 2020 at 19:34

2

Here's the way to do it using Microsoft's tooling, avoiding the problem from the get-go. But it should also fix the issue, meaning you can follow these instructions with existing keys.

Start PowerShell/Terminal as Administrator and run the following:

Install-Module -Force OpenSSHUtils -Scope AllUsers

# Make sure the service isn't disabled
Get-Service -Name ssh-agent | Set-Service -StartupType Manual

# We need this service as ssh-add depends on it
Start-Service ssh-agent

cat ~\.ssh\example-key.ecdsa | ssh-add -k -

answered Oct 30, 2020 at 14:31

Louis Waweru

2

A single line in CMD might do the trick; as described here, adding the key from stdin instead of changing the permissions:

cat /path/to/permission_file | ssh-add -k -

To check the key has been added:

ssh-add -l

answered Nov 28, 2019 at 14:45

majom

This is just a scripted version of @JW0914's CLI answer, so upvote him first and foremost:

# Do the following in PowerShell if not already done:
# Set-ExecutionPolicy RemoteSigned


# NOTE: edit the path in this command if needed
$sshFiles = Get-ChildItem -Path "$env:userprofile\.ssh" -Force

$sshFiles | % {
  # Use the full path so icacls finds the file regardless of the current directory
  $key = $_.FullName
  & icacls $key /c /t /inheritance:d
  & icacls $key /c /t /grant "${env:username}:F"
  & icacls $key /c /t /remove Administrator "Authenticated Users" BUILTIN\Administrators BUILTIN Everyone System Users
}

# Verify:
$sshFiles | % {
  icacls $_.FullName
}

answered Oct 3, 2019 at 21:07

bbarker

I couldn't get any of these answers working for me due to permission issues, so I'll share my solution:

  1. Go to %UserProfile%\.ssh
  2. Copy and paste id_rsa, rename it to something else [example]
  3. Open the renamed file [example] and replace the key with your own private key
  4. cd to that directory
  5. Enter your passphrase after issuing: ssh -i example

answered Feb 24, 2020 at 23:03

7

  1. Download and unzip OpenSSH-Win64.zip (or Win32, depending on your system)
  2. Execute FixUserFilePermissions.ps1 in PowerShell with administrator privilege

answered Mar 14, 2020 at 15:15

1

Answer by iBug works fine! You can follow that and get rid of this issue.

But there are a few things that need to be cleared up, as I faced issues while setting up permissions and it took me a few minutes to figure out the problem!

Following iBug's answer, you'll remove all the permissions, but how do you set Full Control permission to yourself? That's where I got stuck at first, as I didn't know how to do that.

After Disabling Inheritance, you'll be able to delete all allowed users or groups.

Once done with that,

Click on Add, then click on Set a Principal, then enter System and Administrators and your email address in the field at the bottom, then click on Check Names.

It'll load the name if the user exists. Then, click on OK > Type Allow > Basic Permissions Full Control > Okay

This will set up Full Control permission to SYSTEM, Administrators and Your User.

After that try to ssh using that key. It should be solved now.

I had the same issue and I solved that using this method. If there's any user or group with that name then it'll load that.

Screenshots: Permission Entries; Select a Principal / Select User or Groups

answered Feb 8, 2019 at 14:20

2

I'm a Windows user, using Windows's bash, and followed all the steps to set permissions using the Windows GUI, and it still doesn't work and it complains:

Permissions 0555 for 'my_ssh.pem' are too open.
It is required that your private key files are NOT accessible by others.

Then I added sudo at the front of the ssh command and it just works. Hope this is helpful to others.

answered Nov 26, 2019 at 6:10

3

I had the same problem on Windows 10, and it arose when I created a second user account on my machine.

Since that new user was also an administrator and it had access to my user folder, I did these steps to limit the access on my .ssh folder and it worked!

  1. Navigate to your user folder at C:\Users\YOU
  2. Right click on .ssh/ folder to open context menu
  3. Under Give access to... sub-menu, select Remove access
  4. Done!

Now try to log back in to your remote computer using ssh!

Hope it helps someone!

answered May 15, 2020 at 23:15

3

What does unprotected private key file mean?

The reason the "Warning: Unprotected Private Key File" AWS error occurs is because we're trying to SSH into an EC2 instance using a private key that allows read access to other users. A private key must only be readable by your user on the machine in order to allow you to SSH into an EC2 instance.

How do I fix unprotected private key?

To fix this, you'll need to reset the permissions back to default:

sudo chmod 600 ~/.ssh/id_rsa
sudo chmod 600 ~/.ssh/id_rsa.pub

If you are getting another error: ...
This means that the permissions on that file are also set incorrectly, and can be adjusted with this:

sudo chmod 644 ~/.ssh/known_hosts

How do I change the permissions of a .PEM file in Windows?

Fregionz commented on Sep 3, 2021:

  1. Select the .pem file -> right click -> Properties.
  2. Security > Advanced > Disable inheritance.
  3. Remove all Users.
  4. Add > Select a principal.
  5. In "Enter the object name to select" type your Windows username > OK.
  6. Give all permissions > OK > Apply.