Warning: unprotected private key file windows 11

I have OpenSSH 7.6 installed on Windows 7 for testing purposes. The SSH client & server worked just fine until I tried to access one of my AWS EC2 boxes from this Windows machine.

It seems like I need to change the permission on the private key file. This can be easily done on unix/linux with chmod command.

What about windows?

private-key.ppm is copied directly from AWS and I guess the permission too.

C:\>ssh -V
OpenSSH_7.6p1, LibreSSL 2.5.3

C:\>ver
Microsoft Windows [Version 6.1.7601]

C:\>
C:\>ssh -i private-key.ppk
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: UNPROTECTED PRIVATE KEY FILE! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions for 'private-key.ppk' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
Load key "private-key.ppk": bad permissions
: Permission denied (publickey).

C:\>
C:\>
C:\>ssh -i private-key.ppm
Warning: Identity file private-key.ppm not accessible: No such file or directory.
: Permission denied (publickey).

C:\>

asked Feb 18, 2018 at 5:10

11

You locate the file in Windows Explorer, right-click on it then select "Properties". Navigate to the "Security" tab and click "Advanced".

Change the owner to you, disable inheritance and delete all permissions. Then grant yourself "Full control" and save the permissions. Now SSH won't complain about the file permissions being too open anymore.

It should end up looking like this:

MSC

answered Feb 18, 2018 at 8:57

iBug

21

Keys must only be accessible to the user they're intended for and no other account, service, or group.

  • GUI:
    [File] Properties → Security → Advanced
    1. Owner: The key's user
    2. Permission Entries: Remove all except for the key's user
    3. Set key's user to Full Control
  • Cmd:
    ::# Set Key File Variable:
    Set Key="%UserProfile%\.ssh\id_rsa"

    ::# Remove Inheritance:
    Icacls %Key% /c /t /Inheritance:d

    ::# Set Ownership to Owner:
    :: # Keys within %UserProfile%:
    Icacls %Key% /c /t /Grant %UserName%:F

    :: # Keys outside of %UserProfile%:
    TakeOwn /F %Key%
    Icacls %Key% /c /t /Grant:r %UserName%:F

    ::# Remove All Users, except for Owner:
    Icacls %Key% /c /t /Remove:g "Authenticated Users" BUILTIN\Administrators BUILTIN Everyone System Users

    ::# Verify:
    Icacls %Key%

    ::# Remove Variable:
    set "Key="
  • PowerShell:
    # Set Key File Variable:
    New-Variable -Name Key -Value "$env:UserProfile\.ssh\id_rsa"

    # Remove Inheritance:
    Icacls $Key /c /t /Inheritance:d

    # Set Ownership to Owner:
    # Keys within $env:UserProfile:
    Icacls $Key /c /t /Grant ${env:UserName}:F

    # Keys outside of $env:UserProfile:
    TakeOwn /F $Key
    Icacls $Key /c /t /Grant:r ${env:UserName}:F

    # Remove All Users, except for Owner:
    Icacls $Key /c /t /Remove:g Administrator "Authenticated Users" BUILTIN\Administrators BUILTIN Everyone System Users

    # Verify:
    Icacls $Key

    # Remove Variable:
    Remove-Variable -Name Key

answered Jun 8, 2018 at 15:34
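The rule stated in the answer above (only the key's user may have access), checked and applied through the .NET ACL API instead of icacls. This is an added example, not part of any answer on this page; the function names and the throwaway demo file are hypothetical.

```powershell
# Added example; function names and the demo file are hypothetical.
$SidType = [System.Security.Principal.SecurityIdentifier]

function Get-KeyFileAclFinding {
    # Lists every reason the file is reachable by someone other than the current user.
    param([Parameter(Mandatory)][string]$Path)
    $me  = [System.Security.Principal.WindowsIdentity]::GetCurrent().User
    $acl = Get-Acl -LiteralPath $Path
    if (-not $acl.AreAccessRulesProtected) { 'inheritance is still enabled' }
    $owner = $acl.GetOwner($SidType)
    if ($owner.Value -ne $me.Value) { "owner is $($acl.Owner), not the current user" }
    # Explicit and inherited entries, read as SIDs so unresolvable accounts still show up.
    foreach ($rule in $acl.GetAccessRules($true, $true, $SidType)) {
        if ($rule.AccessControlType -eq 'Allow' -and $rule.IdentityReference.Value -ne $me.Value) {
            "allow entry for $($rule.IdentityReference.Value): $($rule.FileSystemRights)"
        }
    }
}

function Protect-KeyFile {
    # Owner = current user, inheritance off, all entries removed, one Full Control grant.
    param([Parameter(Mandatory)][string]$Path)
    $me  = [System.Security.Principal.WindowsIdentity]::GetCurrent().User
    $acl = Get-Acl -LiteralPath $Path
    $acl.SetOwner($me)
    $acl.SetAccessRuleProtection($true, $false)        # $false: do not keep inherited entries
    foreach ($rule in @($acl.GetAccessRules($true, $false, $SidType))) {
        $acl.PurgeAccessRules($rule.IdentityReference)  # drop each explicit entry
    }
    $grant = [System.Security.AccessControl.FileSystemAccessRule]::new(
        $me,
        [System.Security.AccessControl.FileSystemRights]::FullControl,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.AddAccessRule($grant)
    Set-Acl -LiteralPath $Path -AclObject $acl
}

# Demo on a constructed throwaway file (not a real key).
$demo = Join-Path $env:TEMP 'demo_key_constructed'
Set-Content -LiteralPath $demo -Value 'not a real key'
Get-KeyFileAclFinding -Path $demo    # findings before the fix
Protect-KeyFile -Path $demo
Get-KeyFileAclFinding -Path $demo    # findings after the fix
Remove-Item -LiteralPath $demo
```

For a real key, pass its path (for example the id_rsa path used in the answer above) to Get-KeyFileAclFinding first and review the findings before running Protect-KeyFile.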

22

In addition to the answer provided by iBug: since I was using the Ubuntu system inside Windows to run the ssh command, it still was not working. So I did

sudo ssh ...

and then it worked

answered Sep 8, 2018 at 13:27

Parv Sharma

9

I had a similar issue but I was at work and don't have the ability to change file permissions on my work computer. What you need to do is install WSL then copy your key to the hidden ssh directory in WSL:

cp <path to your key> ~/.ssh/<name of your key>

Now you should be able to modify the permissions normally.

sudo chmod 600 ~/.ssh/<your key's name>

Then ssh using WSL:

ssh -i ~/.ssh/<name of your key> <username>@<ip address>

Giacomo1968

answered Sep 6, 2019 at 18:17

JKauffman

5

You just need to do at least four things:

  1. Disable inheritance
  2. Convert inherited permissions to explicit permissions
  3. Remove Users group
  4. You will end up with no Users able to access the private files; this should be enough to add id_rsa.

Matthew Lock

answered Feb 16, 2019 at 21:58

3

Use the command below on your key; it works on Windows:

icacls .\private.key /inheritance:r
icacls .\private.key /grant:r "%username%":"(R)"

answered Oct 4, 2019 at 13:28

4

This seems to be related to the version of OpenSSH you're running:

  • where ssh returns:
    %WinDir%\System32\OpenSSH\ssh.exe
    %ProgramFiles%\Git\usr\bin\ssh.exe
  • ssh -V returns:
    # %WinDir%\System32\OpenSSH\ssh.exe
    OpenSSH_7.5p1, without OpenSSL

    # %ProgramFiles%\Git\usr\bin\ssh.exe
    OpenSSH_7.3p1, OpenSSL 1.0.2k 26 Jan 2017

When running ..\Git\usr\bin\ssh.exe, it works fine and doesn't complain about the permissions, but running ..\OpenSSH\ssh.exe comes back with the following, even though key ACLs are Full Access for myself and nothing else:

load key "t:\mykeys\rich-private.ppk": invalid format
: Permission denied (publickey).

answered Apr 5, 2018 at 11:53

Rich S

6

You can use icacls in Windows instead of chmod to adjust file permission. To give the current user read permission and remove everything else:

Icacls <file name> /Inheritance:r
Icacls <file name> /Grant:r "%Username%":"(R)"

answered Aug 12, 2019 at 12:39

manjuv

4

  1. Copy the public and private keys to %userprofile%\.ssh
  2. Use the batch script below after finding your keys from the cmd prompt with where *.pub:
     Md %Userprofile%\.ssh
     Copy PublicKey %Userprofile%\.ssh
     Copy PrivateKey %Userprofile%\.ssh
     Cd %Userprofile%\.ssh
     Icacls .\PublicKey /Inheritance:r
     Icacls .\PrivateKey /Inheritance:r
     Icacls .\PublicKey /Grant:r "%Username%":"(F)"
     Icacls .\PrivateKey /Grant:r "%Username%":"(F)"
  3. Right-click each file → Properties → Security:
    Remove everyone except the user, setting the permissions for the user to Read

answered Apr 17, 2020 at 19:34

2

Here's the way to do it using Microsoft's tooling, avoiding the problem from the get-go. But it should also fix the issue, meaning you can follow these instructions with existing keys.

Start PowerShell/Terminal as Administrator and run the following:

Install-Module -Force OpenSSHUtils -Scope AllUsers

# Make sure the service isn't disabled
Get-Service -Name ssh-agent | Set-Service -StartupType Manual

# We need this service as ssh-add depends on it
Start-Service ssh-agent

cat ~\.ssh\example-key.ecdsa | ssh-add -k -

answered Oct 30, 2020 at 14:31

Louis Waweru

2

A single line in CMD might do the trick; as described here, adding the key from stdin instead of changing the permissions:

cat /path/to/permission_file | ssh-add -k -

To check the key has been added:

ssh-add -l

answered Nov 28, 2019 at 14:45

majom

This is just a scripted version of @JW0914's CLI answer, so upvote him first and foremost:

# Do the following in PowerShell if not already done:
# Set-ExecutionPolicy RemoteSigned

# NOTE: edit the path in this command if needed
$sshFiles = Get-ChildItem -Path "$env:userprofile\.ssh" -Force

$sshFiles | % {
  $key = $_.FullName   # full path, so icacls finds the file from any working directory
  & icacls $key /c /t /inheritance:d
  & icacls $key /c /t /grant "${env:username}:F"
  & icacls $key /c /t /remove Administrator "Authenticated Users" BUILTIN\Administrators BUILTIN Everyone System Users
}

# Verify:
$sshFiles | % {
  icacls $_.FullName
}

answered Oct 3, 2019 at 21:07

bbarker

I couldn't get any of these answers working for me due to permission issues, so I'll share my solution:

  1. Go to %UserProfile%\.ssh
  2. Copy and paste id_rsa, rename it to something else [example]
  3. Open the renamed file [example] and replace the key with your own private key
  4. cd to that directory
  5. Enter your passphrase after issuing: ssh -i example

answered Feb 24, 2020 at 23:03

7

  1. Download and unzip OpenSSH-Win64.zip (or Win32, depending on your system)
  2. Execute FixUserFilePermissions.ps1 in PowerShell with administrator privilege

answered Mar 14, 2020 at 15:15

1

Answer by iBug works fine! You can follow that and get rid of this issue.

But there are a few things which need to be cleared up, as I faced issues while setting up permissions and it took a few minutes for me to figure out the problem!

Following iBug's answer, you'll remove all the permissions, but how do you set Full Control permission to yourself? That's where I got stuck at first, as I didn't know how to do that.

After disabling inheritance, you'll be able to delete all allowed users or groups.

Once done with that,

Click on Add, then click on Set a Principal, then enter System and Administrators and your email address in the field at the bottom, then click on Check Names.

It'll load the name if the user exists. Then, click on OK > Type Allow > Basic Permissions Full Control > Okay

This will setup Full Control permission to SYSTEM, Administrators and Your User.

After that try to ssh using that key. It should be solved now.

I had same issue and I solved that using this method. If there's any user or group with that name then it'll load that.

-Screenshots-

Permission Entries Select a Principal/ Select User or Groups

answered Feb 8, 2019 at 14:20


2

I'm a Windows user, using Windows's bash, and followed all the steps to set permissions using the Windows GUI, and it still doesn't work and it complains:

Permissions 0555 for 'my_ssh.pem' are too open.
It is required that your private key files are NOT accessible by others.

Then I added sudo at the front of the ssh command and it just works. Hope this is helpful to others.

answered Nov 26, 2019 at 6:10


3

I had the same problem on Windows 10, and it arose when I created a second user account on my machine.

Since that new user was also an administrator and it had access to my user folder, I did these steps to limit the access on my .ssh folder and it worked!

  1. Navigate to your user folder at C:\Users\YOU
  2. Right click on .ssh/ folder to open context menu
  3. Under Give access to... sub-menu, select Remove access
  4. Done!

Now try to log back in to your remote computer using ssh!

Hope it helps someone!

answered May 15, 2020 at 23:15

3

How do I fix unprotected private key?

In order to solve the "Warning: Unprotected Private Key File" error in AWS EC2, update the permissions of the private key file to only allow read access from the current user, e.g. chmod 600 ec2-private-key.pem. Open your terminal in the directory where your private key is located and run the chmod command.

How do I protect private key files?

Everyone recommends that you protect your private key with a passphrase (otherwise anybody who steals the file from you can log into everything you have access to). If you leave the passphrase blank, the key is not encrypted. Let's look at this unencrypted format first, and consider passphrase protection later.

How do I protect a Windows key file?

How to encrypt a file:

  1. Right-click (or press and hold) a file or folder and select Properties.
  2. Select the Advanced button and select the Encrypt contents to secure data check box.
  3. Select OK to close the Advanced Attributes window, select Apply, and then select OK.