Windows CHMOD 600
I'm trying to connect to Amazon EC2 using OpenSSH in windows but I need to set the permissions of my key file.
What is the Windows equivalent of CHMOD 600?
I've googled extensively and found only blogspam.
EDIT: Windows 7, using DOS.
I ran into the same problem on Windows 10. I fixed it by doing the following steps.
1:- Right-click on the target file and select Properties, then select the Security tab.
2:- Click Advanced and then make sure inheritance is disabled.
3:- Click Apply and then click Edit in the security menu.
4:- Remove all users except Admin user, which should have full control.
*Admin account should have all checkboxes checked on Allow column except special permission.
5:- Click Apply and then click OK.
You are good to go.
This worked for Amazon EC2 .pem file and gave almost the same working as Chmod 600 on Linux.
I realize this is somewhat old but I just found the solution for myself in Windows 7. And it looks like this question went unresolved. I had all of the same errors including Cygwin missing cygintl-2.dll on chmod as you noted in the comments.
After extensive research and not finding any answers I ran:
C:\Users\mztriz\.ssh>ssh -v
OpenSSH_3.8.1p1, OpenSSL 0.9.7d 17 Mar 2004
usage: ssh [-1246AaCfghkNnqsTtVvXxY] [-b bind_address] [-c cipher_spec]
           [-D port] [-e escape_char] [-F configfile] [-i identity_file]
           [-L port:host:hostport] [-l login_name] [-m mac_spec] [-o option]
           [-p port] [-R port:host:hostport] [user@]hostname [command]
As you can see the version of OpenSSH I was running was quite outdated. However, I didn't know this because a quick google search of OpenSSH for Windows returns this old version.
After looking into the versioning I found OpenSSH for Windows 6.9p1-1 in the downloads section of that website.
This newer version of OpenSSH seems to fix all of the issues you mention.
Right-click on the file/dir, select Properties then Security. Click Advanced, then Edit. Uncheck "Inheritable" and choose "Remove" in the dialog. Remove any explicit permissions left, add a "Full Access" permission to your username.
Modify the permissions so that:
- The key file doesn't inherit from the container
- You (the owner) have full access
- Remove permission entries for any other users (e.g., SYSTEM, Administrator)
- Add an Entry for special user Everyone and edit the permissions for that user to Deny for all permissions:
  - Right click on the file in Windows Explorer and choose Properties > Security > Advanced, to get the Advanced Security Settings dialog.
  - Click on the Permissions tab, then click Change Permissions.
  - Click Add, enter Everyone into the object name field, click Check Names, then click OK.
  - In the Permission Entry dialog, click the checkbox in the Deny column for Full Control.
  - Click OK on each dialog to back out and close the file's properties dialog.
Now scp will read permissions 0400 and will be happy. Ish.
For unix & OSX
Quite simply:
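chown -R $USER:users ~/.ssh/
chmod 700 ~/.ssh/      # the directory keeps its execute bit so it can still be entered
chmod 600 ~/.ssh/*     # the files inside are read/write for the owner only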
For Windows
If the file is a windows (NTFS) symbolic link, the above won't work. You need to make it a regular file. I am not sure why.
If you don't have openssh or cygwin, use chocolatey to install it easily.
choco install cyg-get
Open Cygwin Terminal that was installed with chocolatey and run (note that ssh-keygen creates new keys):
cyg-get install openssh
ssh-keygen
cd ~/.ssh && explorer.exe .
Verify keys are there (or replace them with the keys you want), and then in Cygwin shell:
chown -R $USER:users ~/.ssh/
chmod 700 ~/.ssh/
chmod 600 ~/.ssh/*
Or for the rare case that you're using (and generated the keys from) chocolatey's SSH package:
chown -R $USER:users /cygdrive/c/Users/$USER/.ssh
chmod 700 /cygdrive/c/Users/$USER/.ssh
chmod 600 /cygdrive/c/Users/$USER/.ssh/*
I've got the same issue. The solution which worked was to set the compatibility mode of ssh.exe to Windows XP SP3.
chmod won't work in windows. Try the following method to restrict the access
- Right click on the file > properties > security > advanced > disable inheritance > 'Convert inherited permissions into explicit permission on this object'
- Click on "allow | everyone | Full Control" > edit > 'select a principal' > type your username > 'check names' > select your username > ok > ok > ok (ok until all windows are closed)
I prefer Cygwin over putty and you can just run chmod command in cygwin to change the permission of PEM key to be 400, then you are good to go.
myuser@myuser-HP ~
$ ssh -i /cygdrive/c/Users/myuser/Downloads/mykey.pem ec2-user@xx.xx.xx.xx
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: UNPROTECTED PRIVATE KEY FILE! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0550 for '/cygdrive/c/Users/myuser/Downloads/mykey.pem' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
Load key "/cygdrive/c/Users/myuser/Downloads/mykey.pem": bad permissions
Permission denied (publickey).
myuser@myuser-HP ~
$ chmod
chmod: missing operand
Try 'chmod --help' for more information.
myuser@myuser-HP ~
$ chmod 400 /cygdrive/c/Users/myuser/Downloads/mykey.pem
myuser@myuser-HP ~
$ ssh -i /cygdrive/c/Users/myuser/Downloads/mykey.pem ec2-user@xx.xx.xx.xx
       __|  __|_  )
       _|  (     /   Amazon Linux AMI
      ___|\___|___|
https://aws.amazon.com/amazon-linux-ami/2015.09-release-notes/
[ec2-user@ip-xxx ~]$ ohyeah I am in!
Today one of the recommended ways on Windows would be to use PowerShell and the Get-Acl and Set-Acl cmdlets.
Here's an example to ensure that only the current user has permission to a folder and all files in it - similar to what is recommended for the .ssh folder in Unix/Linux/OS X:
# $Directory must already hold the path of the folder to restrict
# get current ACL of directory
$Acl = Get-Acl -Path $Directory
# disable inheritance ($true) and do not keep the inherited rules ($false)
$Acl.SetAccessRuleProtection($true,$false)
# create new access rule
#   for the current user
#   with FullControl permission
#   inherited by subfolders and files
#   applied to the specified folder as well
#   allowing these conditions
$AccessRule = [System.Security.AccessControl.FileSystemAccessRule]::new(
    $env:USERNAME,
    "FullControl",
    ([System.Security.AccessControl.InheritanceFlags]::ContainerInherit -bor [System.Security.AccessControl.InheritanceFlags]::ObjectInherit),
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)
# add access rule to the ACL
$Acl.AddAccessRule($AccessRule)
# activate ACL on folder
Set-Acl -Path $Directory -AclObject $Acl
For more details see
- FileSystemAccessRule-Class
- Set-Acl documentation
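The same Get-Acl / Set-Acl approach applied to a single key file instead of a folder, followed by a check of the resulting ACL. This is an added example, not code from the answer above; the function names Protect-KeyFile and Test-KeyFileAcl and the temporary sample file are assumptions made for illustration.

```powershell
# Added example: function names and the sample file are hypothetical.
function Protect-KeyFile {
    param([Parameter(Mandatory)][string]$Path)
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $me  = [System.Security.Principal.WindowsIdentity]::GetCurrent().User
    $acl = Get-Acl -LiteralPath $Path

    # Disable inheritance ($true) without keeping copies of inherited ACEs ($false)
    $acl.SetAccessRuleProtection($true, $false)

    # Purge every explicit ACE still on the file (snapshot first, then modify)
    foreach ($ace in @($acl.GetAccessRules($true, $false, $sidType))) {
        $acl.PurgeAccessRules($ace.IdentityReference)
    }

    # Single Allow ACE: read + write for the current user, like mode 600
    $rights = [System.Security.AccessControl.FileSystemRights]'Read, Write'
    $allow  = [System.Security.AccessControl.AccessControlType]::Allow
    $rule   = [System.Security.AccessControl.FileSystemAccessRule]::new($me, $rights, $allow)
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $Path -AclObject $acl
}

function Test-KeyFileAcl {
    param([Parameter(Mandatory)][string]$Path)
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $me  = [System.Security.Principal.WindowsIdentity]::GetCurrent().User
    $acl = Get-Acl -LiteralPath $Path

    # Strict check: any Allow ACE (explicit or inherited) for another SID is a finding
    $others = @($acl.GetAccessRules($true, $true, $sidType) | Where-Object {
        $_.AccessControlType -eq 'Allow' -and $_.IdentityReference.Value -ne $me.Value
    })
    [pscustomobject]@{
        Path                = $Path
        InheritanceDisabled = $acl.AreAccessRulesProtected
        OtherPrincipals     = @($others | ForEach-Object { $_.IdentityReference.Value })
        Ok                  = $acl.AreAccessRulesProtected -and ($others.Count -eq 0)
    }
}

# Constructed sample file, not a real key
$key = Join-Path $env:TEMP 'example-key.pem'
Set-Content -LiteralPath $key -Value 'constructed placeholder, not a real private key'
Protect-KeyFile -Path $key
Test-KeyFileAcl -Path $key
```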
As an analogue of chmod in Windows, you can use the icacls command.
Equivalent of chmod 600 <filename> in Windows will be:
rem Add explicit R+W permissions for current user.
icacls <filename> /grant %username%:rw
rem Disable inheritance from folders
icacls <filename> /inheritance:d
rem Remove default groups (Authenticated Users, System, Administrators, Users)
icacls <filename> /remove *S-1-5-11 *S-1-5-18 *S-1-5-32-544 *S-1-5-32-545
To check current permissions:
icacls <filename>
Reset all permissions to default:
icacls <filename> /reset
I've got the same issue. The solution which worked was to set the compatibility mode of ssh.exe to Windows XP SP3.
-> This answer works for Windows 7
The answer of Chao helped me, because I have WSL installed on my Windows 10.
In WSL (Ubuntu on Windows) I opened a text editor with sudo and created the file /etc/wsl.conf with text in it:
[automount]
options = "metadata"
Then rebooted my Windows.
Now I am able to edit file permissions in WSL: chmod 0600 now works!
Not really answering the same question but I was able to connect to EC2 using these instructions:
SSH to EC2 linux instance from Windows
Copy the file to a Unix system through scp and do chmod 600 on the file. Then transfer the file back to the Windows machine. It worked for me.