Limiting SSH Identifier File Permissions
I recently needed to use SSH keys to connect to a Linux Azure VM from my primary development machine, a Windows desktop. OpenSSH has been available on Windows since 2018, as per this OpenSSH for Windows overview. I downloaded my private key for the Azure VM to a file called my_key.pem. Just to be sure I knew which executable would run when I launched ssh, I used this command line.
C:\> where ssh
C:\Windows\System32\OpenSSH\ssh.exe
I then passed the -i my_key.pem option to ssh when connecting to the VM.
ssh -J user1@ipaddress1 -i my_key.pem user2@ipaddress2
It was then that I discovered that ssh checks the file permissions on Windows and considered them too open by default. This is the error I got:
Bad permissions. Try removing permissions for user: BUILTIN\\Users (S-1-5-32-545) on file C:/.../my_key.pem.
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: UNPROTECTED PRIVATE KEY FILE! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions for 'my_key.pem' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
Load key "my_key.pem": bad permissions
someuser@0.0.0.0: Permission denied (publickey).
Security identifiers on Windows are well documented. The error message names BUILTIN\\Users (S-1-5-32-545).
A security identifier is used to uniquely identify a security principal or security group. Security principals can represent any entity that can be authenticated by the operating system, such as a user account, a computer account, or a thread or process that runs in the security context of a user or computer account.
Security identifiers
S-1-5-32-545 Users A built-in group. After the initial installation of the operating system, the only member is the Authenticated Users group. Description of the “Users” Group
Fortunately, someone else ran into this way before me: amazon web services – Set pem file permissions for AWS without chmod on Windows – Stack Overflow. To see the current file permissions, run icacls without any additional flags.
C:\> icacls my_key.pem
my_key.pem BUILTIN\Administrators:(I)(F)
NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Users:(I)(RX)
NT AUTHORITY\Authenticated Users:(I)(M)
Successfully processed 1 files; Failed processing 0 files
The solution from that Stack Overflow post is to run the commands below.
icacls my_key.pem /reset
icacls my_key.pem /grant:r %username%:(R)
icacls my_key.pem /inheritance:r
The icacls docs explain that /reset “Replaces ACLs with default inherited ACLs for all matching files.” That doesn’t change anything on my system. The /grant option adds my personal account to the list of accounts with permission to the file.
Grants specified user access rights. Permissions replace previously granted explicit permissions.
Not adding the :r, means that permissions are added to any previously granted explicit permissions.
icacls | Microsoft Learn
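The /inheritance:r option removes the 4 security identifiers shown previously from the private key file’s DACL. All four were inherited entries, marked (I) in the icacls output, so only the explicit read grant for my account remains. SSH is now happy to get the authentication identity from this private key file.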
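To confirm the end state those three commands produce, the following added example (not from the original post or from OpenSSH) parses icacls output and reports every entry that is not a single explicit (R) grant to the expected account. The account name DESKTOP\alice, the "after" output and the function names are constructed for illustration, and the parser assumes English-locale icacls output.

```python
import re

# One ACE per line: principal, a colon, then one or more parenthesised flags.
ACE_RE = re.compile(r"^(?P<who>.+?):(?P<flags>(?:\([^)]+\))+)$")

def parse_icacls(path, output):
    """Return [(principal, [flag, ...])] parsed from `icacls <path>` output."""
    aces = []
    for line in output.splitlines():
        line = line.strip()
        if line.startswith(path):        # first line is prefixed with the file name
            line = line[len(path):].strip()
        m = ACE_RE.match(line)           # blank and summary lines do not match
        if m:
            aces.append((m["who"], re.findall(r"\(([^)]+)\)", m["flags"])))
    return aces

def audit_key_acl(path, output, expected_user):
    """List ACEs that differ from one explicit (R) grant to expected_user."""
    aces = parse_icacls(path, output)
    if not aces:                         # never report "clean" on unparsed input
        return [("<none>", ["no ACEs parsed"])]
    problems = []
    for who, flags in aces:
        reasons = []
        if "I" in flags:                 # (I) = inherited from the parent folder
            reasons.append("inherited")
        if who.lower() != expected_user.lower():
            reasons.append("unexpected principal")
        elif [f for f in flags if f != "I"] != ["R"]:
            reasons.append("rights other than (R)")
        if reasons:
            problems.append((who, reasons))
    return problems

# Output shown in the post before the fix.
BEFORE = r"""my_key.pem BUILTIN\Administrators:(I)(F)
           NT AUTHORITY\SYSTEM:(I)(F)
           BUILTIN\Users:(I)(RX)
           NT AUTHORITY\Authenticated Users:(I)(M)

Successfully processed 1 files; Failed processing 0 files"""
# Constructed output for the state after the three icacls commands.
AFTER = r"""my_key.pem DESKTOP\alice:(R)

Successfully processed 1 files; Failed processing 0 files"""

if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_key_acl("my_key.pem", text, r"DESKTOP\alice"))
```

Feeding it the output of icacls for each private key file gives a quick way to spot keys that still carry inherited entries.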