ssh "permissions are too open"

Asked 2023-09-20 20:21:26 View 710,064

I get the following error from ssh:

Permissions 0777 for '/Users/username/.ssh/id_rsa' are too open.
It is recommended that your private key files are NOT accessible by others.
This private key will be ignored.

What permissions should I give to the id_rsa file?

  • Thanks for asking the quesiton. A better experience would be for the one who wrote this error message to suggest a few valid configurations (such as 600 or 400 as suggested below). Programmers not writing sufficiently complete error messages that are helpful have been torturing all of us for years! - anyone
  • FWIW, this is related to StrictModes being enabled on the sshd server, from the man page: "StrictModes Specifies whether sshd(8) should check file modes and ownership of the user's files and home directory before accepting login." - you could disable this however not suggested. - anyone
  • Instead of It is recommended my os shows It is required. Maybe my os is newer (2020) and that`s why. - anyone
  • Also applies to other setups, such as even Permissions 640 ... are too open and other OSes such as Unix as well as Linux - anyone
  • Unfortunately, the question cannot be edited any more. Title cannot contain "ssh "permissions are too open" error" It tells me "Please provide a title that summarizes your question. For assistance, see: How do I ask a good question?" - which I want to suggest and share here and now. - anyone

Answers

The keys need to be read-writable only by you:

chmod 600 ~/.ssh/id_rsa

Alternatively, the keys can be only readable by you (this also blocks your write access):

chmod 400 ~/.ssh/id_rsa

600 appears to be better in most cases, because you don't need to change file permissions later to edit it. (See the comments for more nuances)

The relevant portion from the manpage (man ssh)

 ~/.ssh/id_rsa
         Contains the private key for authentication.  These files contain sensitive 
         data and should be readable by the user but not
         accessible by others (read/write/execute).  ssh will simply ignore a private 
         key file if it is              
         accessible by others.  It is possible to specify a
         passphrase when generating the key which will be used to encrypt the sensitive 
         part of this file using 3DES.

 ~/.ssh/identity.pub
 ~/.ssh/id_dsa.pub
 ~/.ssh/id_ecdsa.pub
 ~/.ssh/id_rsa.pub
         Contains the public key for authentication.  These files are not sensitive and 
         can (but need not) be readable by anyone.

Answered   2023-09-20 20:21:26

  • 400 is too low as that makes it non-writable by your own user. 600 is actually recommended as it allows owner read-write not just read. - anyone
  • I discovered today there are times when 400 is relevant. Suppose you have an authorized_keys file that has the no-pty et al features set. If the file is writeable, the user can actually overwrite the authorized_keys file and gain interactive shell access! Something to keep in mind, though surely not the general case for most folks. - anyone
  • AWS actually recommends permission 400 on their website. That's what I did on OS X and it worked. - anyone
  • This definitely works and is more secure. The only downside is you then have to change it to 600 to edit. For id_rsa, and id_rsa.pub I doubt that matters because you rarely ever will edit those files, but for authorized_keys, it could be annoying. Best to understand the tradeoffs and configure each system appropriately. - anyone
  • I suppose it also depends on how often you're editing them. Many people set it and forget it, thus 400 would be more secure from others and your own actions; modifying to 600 when necessary. If it's part of your workflow and your ssh-savy, then maybe it would be more of a hindrance to keep changing permissions. - anyone

Using Cygwin in Windows 8.1, there is a command need to be run:

chgrp Users ~/.ssh/id_rsa

Then the solution posted here can be applied, 400 or 600 is OK.

chmod 600 ~/.ssh/id_rsa

Reference here

Answered   2023-09-20 20:21:26

  • locale-dependent. I had to run "chgrp Użytkownicy ~/.ssh/id_rsa" since "Users" errored no such group. - anyone
  • I had to do this as well. My cygwin directory was in the default location (C:\cygwin64) so it probably inherited the permissions. Strange that this didn't happen on other laptops I've owned. - anyone
  • @Marcos I've added an answer that works regardless of locale: stackoverflow.com/a/28647713/67013 - anyone
  • Windows 10. Used the second command only. Worked like a charm. - anyone
  • Note that for installations in alternative languages the 'Users' group has alternative identifiers. - anyone

I've got the error in my windows 10 so I set permission as the following and it works.

Permission for id_rsa of windows 10

In details, remove other users/groups until it has only 'SYSTEM' and 'Administrators'. Then add your windows login into it with Read permission only.

Note the id_rsa file is under the c:\users\<username> folder.

Answered   2023-09-20 20:21:26

  • I have the same problem on Win-10. Based on your explanation, not clear what did you actually allowed and denied - I have "users' and 'authenticated users' and Not 'specific user" as options + System and Administrators. Besides I could not figure out cygwin - to install or use.(?) - anyone
  • for Win10 need move your key to user's home - this worked perfectly. I was trying giving full path to key and messing with the permissions - nothing worked. - anyone
  • @Sam-T if you cannot see your name in list, you can add by press Edit... then press Add... then type your name in the text box "Enter the object names to select" then press Check Names button (and press OK and another OK) then your name should be listed in the Security tab - anyone
  • I probably can add the name specifically - per your instructions. But my main question was - what exact permissions to Deny and Allow for all. Meanwhile as mentioned I was able to solve the problem by simply adding the .pem to the myuser directory - anyone
  • Oh thank you. This worked perfectly on windows 10, I was trying to achive this for weeks. - anyone

The locale-independent solution that works on Windows 8.1 is:

chgrp 545 ~/.ssh/id_rsa
chmod 600 ~/.ssh/id_rsa

GID 545 is a special ID that always refers to the 'Users' group, even if you locale uses a different word for Users.

Answered   2023-09-20 20:21:26

Windows 10 ssh into Ubuntu EC2 “permissions are too open” error on AWS

I had this issue trying to ssh into an Ubuntu EC2 instance using the .pem file from AWS.

In windows this worked when I put this key in a folder created under the .ssh folder

C:\Users\USERNAME\.ssh\private_key

To change permission settings in Windows 10 :

File Settings > Security > Advanced

Disable inheritance

Convert Inherited Permissions Into Explicit Permissions

Remove all the permission entries except for Administrators

Could then connect securely.

Answered   2023-09-20 20:21:26

  • That was really helpful! Thanks! - anyone
  • moving the private key under .ssh was enough for me (and chmod 600) - anyone

AFAIK the values are:

  • 700 for the hidden directory .ssh where key files are located

  • 600 for the keyfile id_rsa

Answered   2023-09-20 20:21:26

0600 is what mine is set at (and it's working)

Answered   2023-09-20 20:21:26

I have got a similar issue when i was trying to login to remote ftp server using public keys.
To solve this issue I have done the following process:

  • First find the location of the public keys, because when you try to login to ftp, this public key is used.
  • Alternatively, you can create a key and set that key's permissions to 600.
  • Make sure you are in the correct location and perform this command:
chmod 600 id_rsa

Answered   2023-09-20 20:21:26

On Windows 10, cygwin's chmod and chgrp weren't enough for me. I had to

  • right click on the file
  • -> Properties
  • -> Security (tab)
  • and remove all users and groups except for my active user.

Answered   2023-09-20 20:21:26

  • This is only solution that is working :) Thanks you saved my time - anyone
  • I found that, after doing this, I could do ssh from normal Windows command prompt as well. No need to use Cygwin. Great! - anyone

I got success with sudo

sudo chmod 400 pem-file.pem
sudo ssh -i pem-file.pem username@X.X.X.X

Answered   2023-09-20 20:21:26

  • the only things that worked for me - anyone
  • sudo is the only thing that worked out of all - anyone
  • Using windows wsl and this worked! - anyone
  • Same it work for me in windows 11. Thanks - anyone

provide 400 permission, execute below command

chmod 400 /Users/username/.ssh/id_rsa

enter image description here

Answered   2023-09-20 20:21:26

There is one exception to the 0x00 permissions requirement on a key. If the key is owned by root and group-owned by a group with users in it, then it can be 0440 and any user in that group can use the key.

I believe this will work with any permissions in the set 0xx0 but I haven't tested every combination with every version. I have tried 0660 with 5.3p1-84 on CentOS 6, and the group not the primary group of the user but a secondary group, and it works fine.

This would typically not be done for someone's personal key, but for a key used for automation, in a situation where you don't want the application to be able to mess with the key.

Similar rules apply to the .ssh directory restrictions.

Answered   2023-09-20 20:21:26

For windows users Only. Goto file property --> security --> advanced

  1. Disable inheritance property
  2. Convert Inherited Permissions Into Explicit Permissions.
  3. Remove all the permission entries except the Administrators. enter image description here

enter image description here

Answered   2023-09-20 20:21:26

This is what worked for me (on mac)

sudo chmod 600 path_to_your_key.pem 

then :

ssh -i path_to_your_key user@server_ip

Hope it help

Answered   2023-09-20 20:21:26

In case you are using WSL on windows

The most simple answer is to just type: sudo ssh -i keyfile.pem <user>@ip

without changing the file permissions. The reason why this happens? Another resource

You can't modify the permissions of files on Windows's filesystem using chmod on Bash on Ubuntu on Windows. You'll have to copy the private key to your WSL home directory (~) and do it there.


On the other hand, sudo should never be utilized with ssh. The reason why issuing with sudo works is that it's now likely being executed as root, and this is not the correct way to do this and is a massive security risk, as Allowing for anything other the 600/400 permissions defeats the purpose of utilizing an SSH key, compromising the security of the key.

The best way to do that is by copying the file to $HOME/.ssh:

cp keyfile.pem ~/.ssh

Doing sudo chmod 400 keyfile.pem to it.

Then ssh -i keyfile.pem <user>@ip.

Answered   2023-09-20 20:21:26

  • Bingo (on Windows 10 WSL)! It's nice to chmod Windows files from WSL Linux as folk tried here, but clearly still problematical and shifting sands over time. Moving the .pem private key to Linux where running SSH from makes total sense, and it works - and without any chmod or chgrp. Thank you (phew, BTW!). - anyone

I got same issue after migration from another mac. And it blocked to connect github by my key.

I reset permission as below and it works well now.

chmod 700 ~/.ssh     # (drwx------)
cd ~/.ssh            
chmod 644 *.pub      # (-rw-r--r--)
chmod 600 id_rsa     # (-rw-------)

Answered   2023-09-20 20:21:26

  • I got the same error with these: Permissions 0644 for '.../...pub' are too open. It is required that your private key files are NOT accessible by others. This private key will be ignored. - anyone

For me (using the Ubuntu Subsystem for Windows) the error message changed to:

 Permissions 0555 for 'key.pem' are too open

after using chmod 400. It turns out that using root as a default user was the reason.

Change this using the cmd:

 ubuntu config --default-user your_username

Answered   2023-09-20 20:21:26

for Windows :

Strange, but UI tweaks, described here before did not helped me.

But this solved the issue :

  1. Open PowerShell under admin rights
  2. Go to directory with your keys (using cd command)
  3. Enter commands one by one

:

$path = ".\{your private key file name}" //for example "myKey"

Then remove your explicit permissions by typing:

icacls.exe $path /reset

Then assign to current user read-permission:

icacls.exe $path /GRANT:R "$($env:USERNAME):(R)"

Then remove inheritance:

icacls.exe $path /inheritance:r

Hope, will help someone

enter image description here

Answered   2023-09-20 20:21:26

Simply use the following:

sudo chmod 600 [Location of Private Key]/[Name of Private Key]
sudo chmod 700 [Location of Folder Containing Private Key]/[Name of Folder Conataining Private Key]
sudo ssh -v -i key.pem ubuntu@instance.re-region-1.compute.amazonaws.com

Answered   2023-09-20 20:21:26

what worked for me

chgrp Users FOLDER

chmod 600 FOLDER

Answered   2023-09-20 20:21:26

700  folder
644  id_rsa.pub

this works for me.

Answered   2023-09-20 20:21:26

As people have said, in Windows, I just dropped my .pem file in C:\Users\[user]\.ssh\ and that solved it. Although you can do chmod and other command line options from a bash or powershell prompt that didn't work. I didn't change rsa or anything else. Then when running the connection you have to put the path to the pem file in the .ssh folder:

ssh -i "C:\Users\[user]\.ssh\ubuntukp01.pem" ubuntu@ec[ipaddress].us-west-2.compute.amazonaws.com

Answered   2023-09-20 20:21:26

I keep all my own certificates and keys in one directory, and this works for tools like PuTTY, but I got this too open error message from the scp command. I discovered that Windows already maintains a C:\users\ACCOUNTNAME\.ssh folder having the proper access rights for storing SSH keys. So long as you keep the contents backed up (Windows sometimes deletes it during updates), or create your own folder for ssh keys in your user folder, this will work fine, as only you and the administrators have access to that parent folder.

Be very careful about changing access rights on Windows folders. I did this, and once a day Windows is scanning, reading, and writing all the files on my C: drive, a process that slows the computer for many minutes.

Answered   2023-09-20 20:21:26

Interesting message here. Operating Systems are smart enough to deny remote connections if your private key is too open. It understands the risk where permissions for id_rsa is wide open (read, is editable by anyone).

{One may change your lock first and then open it with the keys he already has}

cd ~/.ssh
chmod 400 id_rsa

While working on the multiple servers (non-production), most of us feel need to connect remote server with ssh. A good idea is to have a piece of application level code (may be java using jsch) to create ssh trusts between servers. This way connection will be password-less. Incase, perl is installed - one may use net ssh module too.

Answered   2023-09-20 20:21:26

The other trick is to do that on the downloads folder. After you download the private key from AWS EC2 instance, the file will be in this folder,then simply type the command

ssh-keygen -y -f myprivateKey.pem > mypublicKey.pub

Answered   2023-09-20 20:21:26

I am using Windows 10 and trying to connect to EC2 instance via SSH. Rather than using Cygwin for Windows, try using Git Bash. After doing chmod 400 for key I am able to SSH into the EC2 instance, but the same is not working for me from Cygwin. Windows treats the .pem file as coming from internet and blocks it, even disabling inheritance doesn't work.

I converted the file to .ppk format and it's working fine from PuTTY also, but it's not working from Cygwin.

Answered   2023-09-20 20:21:26

  • Problems using ssh in Cygwin can be due to ssh not being installed in Cygwin. The default path in Cygwin includes the Windows version of ssh, so if you type "ssh ..." in Cygwin you might assume that the ssh command is one that (should go) with Cygwin. But if ssh is not installed in Cygwin, typing "ssh ..." invokes the Windows version instead. - anyone

In addition to the accepted answer, if you have done all the suggested means, and you are using "wsl" ubuntu on windows, you can append "sudo" to your ssh command e.g

sudo ssh -i xxx.pem xxxx@xxxx.compute-1.amazonaws.com

Answered   2023-09-20 20:21:26

For Windows 10 this is what I've found works for me:

  1. Move your key to the Linux file system: mv ~/.ssh /home/{username}
  2. Set the permission on that key: chmod 700 /home/{username}/.ssh/id_rsa
  3. Create a symbolic link to the key: ln -s /home/{username}/.ssh ~/.ssh

This happens if you have set your home directory (~) to be stored in Windows instead of Linux (under /mnt/ vs /home/).

Answered   2023-09-20 20:21:26

In my case the issue was a whitespace too much.

ssh -i mykey.pem  ubuntu@instace.eu-north-1.compute.amazonaws.com

but

ssh -i mykey.pem ubuntu@instace.eu-north-1.compute.amazonaws.com

worked fine. The problem is that the whitespace is taken as part of the username.

Answered   2023-09-20 20:21:26

I was getting this issue on WSL on Windows while connecting to AWS instance. My issue got resolved by switching to classic Command prompt. You can try switching to a different terminal interface and see if that helps.

Answered   2023-09-20 20:21:26