I'm trying to connect to Amazon EC2 using OpenSSH in Windows but I need to set the permissions of my key file.
What is the Windows equivalent of chmod 600?
I've googled extensively and found only blogspam.
EDIT: Windows 7, using DOS.
I ran into the same problem on Windows 10. I fixed it by doing the following steps.
1. Right-click on the target file and select Properties, then select the Security tab.
2. Click Advanced and then make sure inheritance is disabled.
3. Click Apply and then click Edit in the security menu.
4. Remove all users except the Admin user, which should have full control. *The Admin account should have all checkboxes checked in the Allow column except special permission.
5. Click Apply and then click OK.
You are good to go.
This worked for an Amazon EC2 .pem file and gave almost the same working as chmod 600 on Linux.
I realize this is somewhat old but I just found the solution for myself in Windows 7. And it looks like this question went unresolved. I had all of the same errors including Cygwin missing cygintl-2.dll on chmod as you noted in the comments.
After extensive research and not finding any answers I ran:
C:\Users\mztriz\.ssh>ssh -v
OpenSSH_3.8.1p1, OpenSSL 0.9.7d 17 Mar 2004 usage: ssh [-1246AaCfghkNnqsTtVvXxY] [-b bind_address] [-c cipher_spec] [-D port] [-e escape_char] [-F configfile] [-i identity_file] [-L port:host:hostport] [-l login_name] [-m mac_spec] [-o option] [-p port] [-R port:host:hostport] [user@]hostname [command]
As you can see the version of OpenSSH I was running was quite outdated. However, I didn't know this because a quick Google search of OpenSSH for Windows returns this old version.
After looking into the versioning I found OpenSSH for Windows 6.9p1-1 in the downloads section of that website.
This newer version of OpenSSH seems to fix all of the issues you mention.
Modify the permissions so that:
Now scp will read permissions 0400 and will be happy. Ish.
Right-click on the file/dir, select Properties then Security. Click Advanced, then Edit. Uncheck "Inheritable" and choose "Remove" in the dialog. Remove any explicit permissions left, add a "Full Access" permission to your username.
Quite simply:
chown -R $USER:users ~/.ssh/
chmod -R 600 ~/.ssh/
If the file is a windows (NTFS) symbolic link, the above won't work. You need to make it a regular file. I am not sure why.
If you don't have OpenSSH or Cygwin, use Chocolatey to install it easily.
choco install cyg-get
Open the Cygwin Terminal that was installed with Chocolatey and run (note that ssh-keygen creates new keys):
cyg-get install openssh
ssh-keygen
cd ~/.ssh && explorer.exe .
Verify keys are there (or replace them with the keys you want), and then in Cygwin shell:
chown -R $USER:users ~/.ssh/
chmod -R 600 ~/.ssh/
Or for the rare case that you're using (and generated the keys from) chocolatey's SSH package:
chown -R $USER:users /cygdrive/c/Users/$USER/.ssh
chmod -R 600 /cygdrive/c/Users/$USER/.ssh
I've got the same issue. The solution which worked was to set the compatibility mode of ssh.exe to Windows XP SP3.
chmod won't work in Windows. Try the following method to restrict the access.
As an analogue of chmod in Windows, you can use the icacls command.
The equivalent of chmod 600 <filename> in Windows will be:
# Add explicit R+W permissions for current user.
icacls <filename> /grant %username%:rw
# Disable inheritance from folders
icacls <filename> /inheritance:d
# Remove default groups (Authenticated Users, System, Administrators, Users)
icacls <filename> /remove *S-1-5-11 *S-1-5-18 *S-1-5-32-544 *S-1-5-32-545
To check current permissions:
icacls <filename>
Reset all permissions to default:
icacls <filename> /reset
I prefer Cygwin over putty and you can just run chmod command in cygwin to change the permission of PEM key to be 400, then you are good to go.
myuser@myuser-HP ~
$ ssh -i /cygdrive/c/Users/myuser/Downloads/mykey.pem ec2-user@xx.xx.xx.xx
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: UNPROTECTED PRIVATE KEY FILE! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0550 for '/cygdrive/c/Users/myuser/Downloads/mykey.pem' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
Load key "/cygdrive/c/Users/myuser/Downloads/mykey.pem": bad permissions
Permission denied (publickey).
myuser@myuser-HP ~
$ chmod
chmod: missing operand
Try 'chmod --help' for more information.
myuser@myuser-HP ~
$ chmod 400 /cygdrive/c/Users/myuser/Downloads/mykey.pem
myuser@myuser-HP ~
$ ssh -i /cygdrive/c/Users/myuser/Downloads/meykey.pem ec2-user@xx.xx.xx.xx
__| __|_ )
_| ( / Amazon Linux AMI
___|\___|___|
https://aws.amazon.com/amazon-linux-ami/2015.09-release-notes/
[ec2-user@ip-xxx ~]$ ohyeah I am in!
Today one of the recommended ways on Windows would be to use PowerShell and the Get-Acl and Set-Acl cmdlets.
Here's an example to ensure that only the current user has permission to a folder and all files in it, similar to what is recommended for the .ssh folder in Unix/Linux/OS X:
# folder to lock down (assumed default: the current user's .ssh folder; adjust as needed)
$Directory = Join-Path $env:USERPROFILE '.ssh'
# get current ACL of directory
$Acl = Get-Acl -Path $Directory
# stop inheriting from the parent ($true) and drop the inherited rules instead of copying them ($false)
$Acl.SetAccessRuleProtection($true,$false)
# create new access rule for
#   the current user
#   with FullControl permission
#   inherited by subfolders (ContainerInherit) and files (ObjectInherit)
#   applied to the specified folder itself as well (PropagationFlags None)
#   as an Allow rule
$AccessRule = [System.Security.AccessControl.FileSystemAccessRule]::new(
    $env:USERNAME,
    "FullControl",
    ([System.Security.AccessControl.InheritanceFlags]::ContainerInherit -bor [System.Security.AccessControl.InheritanceFlags]::ObjectInherit),
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)
# add access rule to the now-empty ACL
$Acl.AddAccessRule($AccessRule)
# activate ACL on folder
Set-Acl -Path $Directory -AclObject $Acl
For more details see
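The answer above locks down a whole folder. The single-file case, which is what chmod 600 on a .pem usually means, plus a check that proves the key is really private, as an added example that is not part of the original answer. It uses the same Get-Acl/Set-Acl pattern; the function names and the path in $KeyPath are assumptions, not anything from the page.

```powershell
# Added example, not code from the original answer. Locks one key file down to the
# current user (the NTFS counterpart of chmod 600) and then verifies the result by SID.
# Protect-PrivateKeyFile, Test-PrivateKeyFilePermissions and $KeyPath are assumed names.

function Protect-PrivateKeyFile {
    param([Parameter(Mandatory)][string]$Path)

    $acl = Get-Acl -Path $Path
    # $true: stop inheriting ACEs from the parent folder; $false: discard them instead of
    # copying them. This is what removes the Users / Authenticated Users entries.
    $acl.SetAccessRuleProtection($true, $false)

    # SetAccessRuleProtection leaves explicit (non-inherited) ACEs alone, so drop those too.
    foreach ($existing in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        [void]$acl.RemoveAccessRule($existing)
    }

    # Grant by SID rather than by name so the rule survives a rename of the account.
    # Read + Write is the "rw" of 600; no inheritance flags because this is a file.
    $me = [System.Security.Principal.WindowsIdentity]::GetCurrent().User
    $rights = [System.Security.AccessControl.FileSystemRights]::Read -bor
              [System.Security.AccessControl.FileSystemRights]::Write
    $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
        $me, $rights,
        [System.Security.AccessControl.InheritanceFlags]::None,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Test-PrivateKeyFilePermissions {
    param([Parameter(Mandatory)][string]$Path)

    $acl = Get-Acl -Path $Path
    $meSid = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
    # Compare SIDs, not display names: group names are localized ("Utilisateurs",
    # "Benutzer") and a renamed account would slip past a plain string comparison.
    $others = @($acl.Access |
        ForEach-Object { $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value } |
        Where-Object { $_ -ne $meSid } |
        Sort-Object -Unique)

    [pscustomobject]@{
        Path           = $Path
        InheritanceOff = $acl.AreAccessRulesProtected
        OtherSids      = $others          # any SID besides the current user's; should be empty
        Locked         = $acl.AreAccessRulesProtected -and ($others.Count -eq 0)
    }
}

# Usage with an assumed key location; adjust to where your .pem actually lives.
$KeyPath = Join-Path $env:USERPROFILE '.ssh\mykey.pem'
Test-PrivateKeyFilePermissions $KeyPath   # before: OtherSids typically lists S-1-5-32-545 and friends
Protect-PrivateKeyFile $KeyPath
Test-PrivateKeyFilePermissions $KeyPath   # after: OtherSids is empty and Locked is True
```

Run it from a non-elevated session as the user who will run ssh, so that the SID written into the ACL is the one ssh will later run under. The verification step is worth keeping as a standalone check: the built-in Windows OpenSSH (ssh.exe in System32) does the same kind of ACL inspection and refuses a key it considers too open, and running Test-PrivateKeyFilePermissions tells you why before ssh does.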
I've got the same issue. The solution which worked was to set the compatibility mode of ssh.exe to Windows XP SP3.
-> This answer works for Windows 7
Copy the file to a Unix system through scp and chmod 600 the file. Then transfer the file back to the Windows machine. It worked for me.
The answer of Chao helped me, because I have WSL installed on my Windows 10.
In WSL (Ubuntu on Windows) I opened a text editor with sudo and created the file /etc/wsl.conf with this text in it:
[automount]
options = "metadata"
Then rebooted my Windows.
Now I am able to edit file permissions in WSL: chmod 0600 now works!
I would have liked to comment on the response from @GeniyX to complement it, but I still cannot comment :(
FROM @GeniyX:
# Add explicit R+W permissions for current user.
# <> characters are not needed (the name of my pem is "JPCloud.pem"); also the %% characters around %username% are not needed (my user is "Josepe"); in my case it was like this (first I used the cd command to go to the folder):
# icacls JPCloud.pem /grant Josepe:rw
icacls <filename> /grant %username%:rw
# Disable inheritance from folders
# nothing to add here, again <> characters are not needed
icacls <filename> /inheritance:d
# Remove default groups (Authenticated Users, System, Administrators, Users)
icacls <filename> /remove *S-1-5-11 *S-1-5-18 *S-1-5-32-544 *S-1-5-32-545
For those like me that were lost about the numbers at the end (WHAT DO THE NUMBERS MEAN JASON???!?!?), well here is the answer: https://learn.microsoft.com/es-es/windows-server/identity/ad-ds/manage/understand-security-identifiers. They are security identifiers:
S-1-5-11 is for Authenticated Users
S-1-5-18 is for LocalSystem
S-1-5-32-544 is for the default group of "admins"
S-1-5-32-545 is for the default group of "users"
The only thing I do not understand is the * at the beginning of each security identifier (but I imagine that is used to give more than 1 parameter to the command...)
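In icacls the leading `*` marks the argument as a SID instead of an account name, which is why the answer can remove those groups without knowing what they are called on a given (possibly localized) install. The following added example, not part of any answer on this page, resolves each of those SIDs to the account name it maps to on the current machine and does the reverse lookup for the current user. Resolve-Sid and Get-AccountSid are assumed function names; the SID list is the one from the icacls /remove line.

```powershell
# Added example, not code from the original answers. Maps the well-known SIDs used in
# "icacls <file> /remove *S-1-5-11 ..." to account names on this machine, and maps the
# current user back to a SID. Nothing here changes any permission.

function Resolve-Sid {
    param([Parameter(Mandatory)][string]$Sid)
    $id = [System.Security.Principal.SecurityIdentifier]::new($Sid)
    try {
        # LookupAccountSid under the hood: returns e.g. "BUILTIN\Users" or "NT AUTHORITY\SYSTEM"
        $name = $id.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        # A SID this machine cannot map (for example a domain SID while offline)
        $name = '<not mapped on this machine>'
    }
    [pscustomobject]@{ Sid = $Sid; Account = $name }
}

function Get-AccountSid {
    param([Parameter(Mandatory)][string]$Account)
    # Accepts "user", "DOMAIN\user" or "BUILTIN\Users", the same lookup icacls performs
    # for a bare name such as the %username% in the answer above.
    [System.Security.Principal.NTAccount]::new($Account).Translate(
        [System.Security.Principal.SecurityIdentifier]).Value
}

# The four SIDs from the icacls /remove line (same values as in the answer).
$sids = 'S-1-5-11', 'S-1-5-18', 'S-1-5-32-544', 'S-1-5-32-545'
$sids | ForEach-Object { Resolve-Sid $_ } | Format-Table -AutoSize

# What "*<sid>" would have to be if you granted the current user by SID instead of by name.
Get-AccountSid $env:USERNAME
```

The S-1-5-32-* entries are BUILTIN groups and S-1-5-11 / S-1-5-18 are NT AUTHORITY principals, so the first table comes out the same on every Windows machine except for the display language; the last line is per-user, which is exactly why the answer grants by %username% but removes by SID.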
Not really answering the same question but I was able to connect to EC2 using these instructions: