Windows CHMOD 600

Windows, Permissions, Ssh, Ssh Keys

Windows Problem Overview


I'm trying to connect to Amazon EC2 using OpenSSH in Windows but I need to set the permissions of my key file.

What is the Windows equivalent of CHMOD 600?

I've googled extensively and found only blogspam.

EDIT: Windows 7, using DOS.

Windows Solutions


Solution 1 - Windows

I realize this is somewhat old but I just found the solution for myself in Windows 7. And it looks like this question went unresolved. I had all of the same errors including Cygwin missing cygintl-2.dll on chmod as you noted in the comments.

After extensive research and not finding any answers I ran:

C:\Users\mztriz\.ssh>ssh -v

> OpenSSH_3.8.1p1, OpenSSL 0.9.7d 17 Mar 2004
> usage: ssh [-1246AaCfghkNnqsTtVvXxY] [-b bind_address] [-c cipher_spec]
> [-D port] [-e escape_char] [-F configfile] [-i identity_file]
> [-L port:host:hostport] [-l login_name] [-m mac_spec] [-o option]
> [-p port] [-R port:host:hostport] [user@]hostname [command]

As you can see the version of OpenSSH I was running was quite outdated. However, I didn't know this because a quick google search of OpenSSH for Windows returns this old version.

After looking into the versioning I found OpenSSH for Windows 6.9p1-1 in the downloads section of that website.

This newer version of OpenSSH seems to fix all of the issues you mention.

Solution 2 - Windows

I ran into the same problem on Windows 10. I fixed it by doing the following steps.

1:- Right-click on the target file and select properties then select Security Tab

2:- Click Advanced and then make sure inheritance is disabled.

3:- Click apply and then click Edit in the security menu

4:- Remove all users except the Admin user, which should have full control. *The Admin account should have all checkboxes checked in the Allow column except special permissions.

5:- Click Apply and then click OK.

You are good to go. This worked for an Amazon EC2 .pem file and works almost the same as chmod 600 on Linux.


Solution 3 - Windows

Modify the permissions so that:

  • The key file doesn't inherit from the container
  • You (the owner) have full access
  • Remove permission entries for any other users (e.g., SYSTEM, Administrator)
  • Add an Entry for special user Everyone and edit the permissions for that user to Deny for all permissions:
    • Right click on the file in Windows Explorer and choose Properties > Security > Advanced, to get the Advanced Security Settings dialog.
    • Click on the Permissions tab, then click Change Permissions.
    • Click Add, enter Everyone into the object name field, click Check Names, then click OK.
    • In the Permission Entry dialog, click the checkbox in the Deny column for Full Control.
    • Click OK on each dialog to back out and close the file's properties dialog.

Now scp will read permissions 0400 and will be happy. Ish.

Solution 4 - Windows

Right-click on the file/dir, select Properties then Security. Click Advanced, then Edit. Uncheck "Inheritable" and choose "Remove" in the dialog. Remove any explicit permissions left, add a "Full Access" permission to your username.

Solution 5 - Windows

For unix & OSX

Quite simply:

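chown -R $USER:users ~/.ssh/
# the directory needs the execute bit (700) to stay traversable; the files inside get 600
chmod 700 ~/.ssh/
chmod 600 ~/.ssh/*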

For Windows

If the file is a Windows (NTFS) symbolic link, the above won't work. You need to make it a regular file. I am not sure why.

If you don't have openssh or cygwin, use chocolatey to install it easily.

choco install cyg-get

Open Cygwin Terminal that was installed with chocolatey and run (note that ssh-keygen creates new keys):

cyg-get install openssh
ssh-keygen
cd ~/.ssh && explorer.exe .

Verify keys are there (or replace them with the keys you want), and then in Cygwin shell:

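chown -R $USER:users ~/.ssh/
# the directory needs the execute bit (700) to stay traversable; the files inside get 600
chmod 700 ~/.ssh/
chmod 600 ~/.ssh/*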

Or for the rare case that you're using (and generated the keys from) chocolatey's SSH package:

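chown -R $USER:users /cygdrive/c/Users/$USER/.ssh
# the directory needs the execute bit (700) to stay traversable; the files inside get 600
chmod 700 /cygdrive/c/Users/$USER/.ssh
chmod 600 /cygdrive/c/Users/$USER/.ssh/*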

Solution 6 - Windows

I've got the same issue. The solution which worked was to set the compatibility mode of ssh.exe to Windows XP SP3.

Solution 7 - Windows

I prefer Cygwin over PuTTY, and you can just run the chmod command in Cygwin to change the permission of the PEM key to 400; then you are good to go.

myuser@myuser-HP ~
$ ssh -i /cygdrive/c/Users/myuser/Downloads/mykey.pem [email protected]
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0550 for '/cygdrive/c/Users/myuser/Downloads/mykey.pem' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
Load key "/cygdrive/c/Users/myuser/Downloads/mykey.pem": bad permissions
Permission denied (publickey).

myuser@myuser-HP ~
$ chmod
chmod: missing operand
Try 'chmod --help' for more information.

myuser@myuser-HP ~
$ chmod 400 /cygdrive/c/Users/myuser/Downloads/mykey.pem

myuser@myuser-HP ~
$ ssh -i /cygdrive/c/Users/myuser/Downloads/meykey.pem [email protected]

       __|  __|_  )
       _|  (     /   Amazon Linux AMI
      ___|\___|___|

https://aws.amazon.com/amazon-linux-ami/2015.09-release-notes/
[ec2-user@ip-xxx ~]$ ohyeah I am in!

Solution 8 - Windows

chmod won't work in Windows. Try the following method to restrict the access:

  • Right click on the file > properties > security > advanced > disable inheritance > 'Convert inherited permissions into explicit permission on this object'
  • Click on "allow | everyone | Full Control" > edit > 'select a principal' > type your username > 'check names' > select your username > ok > ok > ok (ok until all windows are closed)

Solution 9 - Windows

Today one of the recommended ways on Windows would be to use PowerShell and the Get-Acl and Set-Acl Cmdlets.

Here's an example to ensure that only the current user has permission to a folder and all files in it - similar to what is recommended for the .ssh folder in Unix/Linux/OS X:

# folder to lock down (example value; point it at your own key folder)
$Directory = "$env:USERPROFILE\.ssh"

# get current ACL of directory
$Acl = Get-Acl -Path $Directory

# disable inheritance ($true) and do not keep the inherited rules ($false);
# explicit rules already set on the folder stay in the ACL
$Acl.SetAccessRuleProtection($true,$false)

# create new access rule:
#   for the current user,
#   with FullControl permission,
#   inherited by subfolders and files,
#   applying to the specified folder as well,
#   as an Allow rule
$AccessRule = [System.Security.AccessControl.FileSystemAccessRule]::new(
    $env:USERNAME,
    "FullControl",
    ([System.Security.AccessControl.InheritanceFlags]::ContainerInherit -bor [System.Security.AccessControl.InheritanceFlags]::ObjectInherit),
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)

# add access rule to the ACL
$Acl.AddAccessRule($AccessRule)

# apply ACL to folder
Set-Acl -Path $Directory -AclObject $Acl

For more details see

Solution 10 - Windows

I've got the same issue. The solution which worked was to set the compatibility mode of ssh.exe to Windows XP SP3.

-> This answer works for Windows 7

Solution 11 - Windows

As an analogue of chmod in Windows, you can use the icacls command.

The equivalent of chmod 600 <filename> in Windows will be:

rem Add explicit R+W permissions for current user.
icacls <filename> /grant %username%:rw
rem Disable inheritance from folders
icacls <filename> /inheritance:d
rem Remove default groups (Authenticated Users, System, Administrators, Users)
icacls <filename> /remove *S-1-5-11 *S-1-5-18 *S-1-5-32-544 *S-1-5-32-545

To check current permissions: icacls <filename>

Reset all permissions to default: icacls <filename> /reset
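
The per-file version of the approach in Solutions 9 and 11, with a check before and after, as an added example that is not part of the original answers. The function names and the key path are hypothetical, and it assumes the current user is the only principal that should keep access to the key.

```powershell
# Added example: audit and tighten the ACL on a single private key file.

function Get-KeyFileAclFindings {
    param([Parameter(Mandatory)][string]$Path)
    $me  = [System.Security.Principal.WindowsIdentity]::GetCurrent().User
    $acl = Get-Acl -LiteralPath $Path
    # Request rules keyed by SID so the comparison does not depend on
    # display names or the system locale.
    $rules = $acl.GetAccessRules($true, $true,
        [System.Security.Principal.SecurityIdentifier])
    $findings = @()
    if (-not $acl.AreAccessRulesProtected) {
        $findings += 'inheritance is still enabled'
    }
    foreach ($r in $rules) {
        # Any Allow entry for someone other than the current user is "too open".
        if ($r.AccessControlType -eq 'Allow' -and
            $r.IdentityReference.Value -ne $me.Value) {
            $findings += "allow entry for $($r.IdentityReference.Value): $($r.FileSystemRights)"
        }
    }
    return ,$findings
}

function Set-KeyFileOwnerOnly {
    param([Parameter(Mandatory)][string]$Path)
    $me  = [System.Security.Principal.WindowsIdentity]::GetCurrent().User
    $acl = Get-Acl -LiteralPath $Path
    # Protect the DACL and drop inherited entries.
    $acl.SetAccessRuleProtection($true, $false)
    # Drop explicit entries too (Allow and Deny), leaving an empty DACL.
    foreach ($r in @($acl.Access)) { [void]$acl.RemoveAccessRule($r) }
    # Read + Write for the current user only: the rw------- of chmod 600.
    $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
        $me, 'Read, Write', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $Path -AclObject $acl
}

$KeyPath = "$env:USERPROFILE\.ssh\mykey.pem"   # hypothetical path
Get-KeyFileAclFindings -Path $KeyPath          # list what is too open now
Set-KeyFileOwnerOnly   -Path $KeyPath
Get-KeyFileAclFindings -Path $KeyPath          # re-check after the change
```

Run it from a session owned by the account that will use the key; the audit function only reads the ACL, so it can also be pointed at keys you do not intend to change.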

Solution 12 - Windows

Not really answering the same question but I was able to connect to EC2 using these instructions:

https://stackoverflow.com/questions/5264945/ssh-to-ec2-linux-instance-from-windows

Solution 13 - Windows

Copy the file to a Unix system through scp and run chmod 600 on the file. Then transfer the file back to the Windows machine. It worked for me.

Attributions

All content for this solution is sourced from the original question on Stackoverflow.

The content on this page is licensed under the Attribution-ShareAlike 4.0 International (CC BY-SA 4.0) license.

Content Type | Original Author | Original Content on Stackoverflow
Question | Austin Richardson | View Question on Stackoverflow
Solution 1 - Windows | 에이바 | View Answer on Stackoverflow
Solution 2 - Windows | Erin | View Answer on Stackoverflow
Solution 3 - Windows | user2309219 | View Answer on Stackoverflow
Solution 4 - Windows | Erik | View Answer on Stackoverflow
Solution 5 - Windows | Jonathan | View Answer on Stackoverflow
Solution 6 - Windows | Ralfeus | View Answer on Stackoverflow
Solution 7 - Windows | B.Mr.W. | View Answer on Stackoverflow
Solution 8 - Windows | Codemaker | View Answer on Stackoverflow
Solution 9 - Windows | Florian Feldhaus | View Answer on Stackoverflow
Solution 10 - Windows | tCheang | View Answer on Stackoverflow
Solution 11 - Windows | GeniyX | View Answer on Stackoverflow
Solution 12 - Windows | Austin Richardson | View Answer on Stackoverflow
Solution 13 - Windows | mr.sysadmin | View Answer on Stackoverflow