Ubuntu on Windows 10 - SSH “Permissions xxxx for private key are too open

Question

I have a key file located at C:\private-key.pem and I have a soft link to it on the Ubuntu subsystem: ~/.ssh/private-key.pem -> /mnt/c/private-key.pem.

When I'm trying to ssh into some remote machine from the Ubuntu subsystem, I get:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0777 for '/home/artur/.ssh/private-key.pem' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
Load key "/home/artur/.ssh/private-key.pem": bad permissions
Permission denied (publickey).

• This began after the 1803 update for Windows: I was trying to use chmod 400 for the key on C:\ and within ~/.ssh on WSL. I trying to set owner to me and remove all other users' ACLs on Windows for this key file, but every time I get Permission denied or
  Permissions XXXX for '/home/artur/.ssh/private-key.pem' are too open.

Can anybody help me and explain how keys permissions should be configured on Windows and the Ubuntu subsystem?

Answer 1

Solution that works for me in windows WSL (without changing file mode):

sudo ssh -i keyfile <user>@ip

Answer 2

I'm reading between the lines, and assuming you're using a Linux subsystem in Windows 10. When you symlinked the Windows file from C:\ into the Linux file system in $HOME/.ssh, the permissions of the actual file are still under control of Windows, and the permissions shown to you in the Linux window just best represent the Windows permissions; you can't change the permissions on the Windows files in /mnt/c from Linux. This FAQ from Microsoft talks about how files are handled in the two overlapping file systems.

The file you need to change the permission on is the file the symlink is pointing so, so that means the file in /mnt/c

It doesn't seem possible to give user-only access to a Windows file. Even if you disable permission inheritance on a file and give only your own user read permission, the Linux permissions still show as -r--r--r--, so that won't be usable for ~/.ssh

The only option appears to be copying the file from Windows into Linux, at which point you can use chmod and chown on it.

Answer 3

Copy the SSH key over to your WSL ~/.ssh directory, as an SSH key with anything other than 600/400 permissions compromises the key.

• Once the key is copied over, ensure it's EOLs have been changed to LF.

  • There's a number of ways to do so, from the Atom text editor to CLI solutions like dos2unix, unix2dos, etc.

• See @simpleuser's answer below to understand why permissions cannot be changed via Windows, of which necessitates copying the key to the WSL's ~/.ssh directory

Answer 4

The Windows 10 permissions vs WSL permissions problem is only a problem if the .pem file is in the Windows file system accessible under a mount point, e.g. somewhere in /mnt/c .

If you move the file to under your WSL home directory, e.g. directory /home/.ssh, then you can do a chmod 400 yourkeyfile.pem on the file.

The way WSL works, the standard Linux root directories like bin, etc, home, usr are not visible to Windows 10, hence you can do a chmod on any file just as you were working on a real Linux system.

Answer 5

I am using Linux Windows Shell on Windows 10 Pro and also installed cygwin

Matching WSL UID to cygwin UID solved the problem.
Find the cygwin UID in the cygwin terminal via id

Two steps to match the UID:

1. Open cmd.exe with administrator privileges and edit, with the new UID, via regedit.

   HKCU\Software\Microsoft\Windows\CurrentVersion\Lxss{cefb...cb50}\DefaultUid
   

2. Change the UID in WSL by using, in the WSL terminal:

   sudo vi /etc/passwd
   chmod 600 ~/.ssh/private-key.pem
   

Reference:

• WSL: How to Change the UID?
• How to Reset Kali Linux Password in Windows Subsystem for Linux

Answer 6

On Windows, delete all others permissions:

1.  chmod 400 'keyname.pem'
   

2. Right-click keyname.pem → Setting → Security → Delete all users/groups except you.

Answer 7

If you are using WSL, you can copy file.pem to ~/.ssh/

Copy file .pem

cp file.pem ~/.ssh/

Change permissions:

chmod 600 ~/.ssh/file.pem

Done, try again with your ssh-add

eval `ssh-agent -s`
ssh-add ~/.ssh/file.pem

Answer 8

To expand on the answer above, I am using Linux Windows Shell on Windows 10 Pro, and the v1803 update broke SSH in the shell.

• There is no equivalent to chmod 600 within Windows, but you can leave your .pem unchanged with file permission 777, running the following, which will log straight in (not sure why):

  sudo ssh -i  'my777Keyfile.pem'  ubuntu@12.34.45.78 
  

Answer 9

Here's a really simple WSL solution, normally not requiring sudo:

cat 'mykey.pem' > 'wslkey.pem'
chmod 400 wslkey.pem
ssh -i 'wslkey.pem' ec2-user@[PUBLIC-IP-OF-YOUR-INSTANCE]

Answer 10

You can use named pipes:

key="/tmp/ssh-$(openssl rand -hex 16)"
mkfifo "${key}"
chmod 600 "${key}"
cat my_key_file_with_bogus_permissions > "${key}" &
ssh-add "${key}"
rm -f "${key}"