Limiting SSH Identifier File Permissions
I recently needed to Use SSH keys to connect to a Linux Azure VMs from my primary development machine, a Windows desktop. OpenSSH has been available on Windows since 2018 as per this OpenSSH for Windows overview. I downloaded my private key for the Azure VM to a file called my_key.pem. Just to be sure I knew which executable would run when I launched ssh, I used this command line.
C:\> where ssh
C:\Windows\System32\OpenSSH\ssh.exe
I then passed the -i my_key.pem
option to ssh when connecting to the VM.
ssh -J user1@ipaddress1 -i my_key.pem user2@ipaddress2
It was then that I discovered that ssh checks the file permissions on Windows and considered them too open by default. This is the error I got:
Bad permissions. Try removing permissions for user: BUILTIN\\Users (S-1-5-32-545) on file C:/.../my_key.pem.
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: UNPROTECTED PRIVATE KEY FILE! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions for 'my_key.pem' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
Load key "my_key.pem": bad permissions
someuser@0.0.0.0: Permission denied (publickey).
The Security identifiers on Windows are well documented. BUILTIN\\Users (S-1-5-32-545)
A security identifier is used to uniquely identify a security principal or security group. Security principals can represent any entity that can be authenticated by the operating system, such as a user account, a computer account, or a thread or process that runs in the security context of a user or computer account.
Security identifiers
Security identifiers
S-1-5-32-545 Users A built-in group. After the initial installation of the operating system, the only member is the Authenticated Users group. Description of the “Users” Group
Fortunately, someone else ran into this way before me: amazon web services – Set pem file permissions for AWS without chmod on Windows – Stack Overflow. To see the current file permissions, run icacls without any additional flags.
C:\> icacls my_key.pem
my_key.pem BUILTIN\Administrators:(I)(F)
NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Users:(I)(RX)
NT AUTHORITY\Authenticated Users:(I)(M)
Successfully processed 1 files; Failed processing 0 files
The solution from that StackOverflow post is to run the commands below.
icacls my_key.pem /reset
icacls my_key.pem /grant:r %username%:(R)
icacls my_key.pem /inheritance:r
The icacls docs explain that /reset “Replaces ACLs with default inherited ACLs for all matching files.” That doesn’t change anything on my system. The /grant option adds my personal account to the list of accounts with permission to the file.
Grants specified user access rights. Permissions replace previously granted explicit permissions.
Not adding the :r, means that permissions are added to any previously granted explicit permissions.
icacls | Microsoft Learn
The /inheritance:r option removes the 4 security identifiers shown previously from the private key file’s DACL. SSH is now happy to get the authentication identity from this private key file.
Leave a Reply