SSH keys and Windows

Connecting to a remote server from Windows should not be a problem. In theory. If we generate a key pair via PuTTYgen, we will run into a problem with an incorrect key format. In addition, we need to make sure that access to the key file is set up correctly.

Using Windows and trying to connect to the server with a new key pair, I received the following message. I was not aware that only the user who uses the key file should have access to it. In Windows, by default access is still granted to System Administrators and a few other groups. As it turned out, it was not possible to change this manually. Stack Overflow came to the rescue.

PS C:\Users\Piszu> ssh [email protected] -i C:\SSH_keys\piszu.ppk
Ubuntu 20.04.4 LTS
Permissions for 'C:\\SSH_keys\\piszu.ppk' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
Load key "C:\\SSH_keys\\piszu.ppk": bad permissions

# Solution
# Create New Variable (full path to the key file):
New-Variable -Name Key -Value "C:\SSH_keys\piszu.ppk"

# Remove Inheritance:
Icacls $Key /c /t /Inheritance:d

# Set Ownership to Owner:
  # Keys within $env:UserProfile:
  Icacls $Key /c /t /Grant ${env:UserName}:F

  # Keys outside of $env:UserProfile:
  TakeOwn /F $Key
  Icacls $Key /c /t /Grant:r ${env:UserName}:F

# Remove All Users, except for Owner:
  Icacls $Key /c /t /Remove:g Administrator "Authenticated Users" BUILTIN\Administrators BUILTIN Everyone System Users

# Verify:
  Icacls $Key

# Remove Variable:
  Remove-Variable -Name Key

The second problem that surprised me was the format of the key. To connect from the console, you need a key in OpenSSH format, whereas PuTTYgen does not generate one by default. This manifested itself in the following message. The steps to follow were to load a private key in PuTTYgen, then under Conversions select "Export OpenSSH" and export your private key.

PS C:\Users\Piszu> ssh [email protected] -i C:\SSH_keys\piszu.ppk
Ubuntu 20.04.4 LTS
Load key "C:\\SSH_keys\\piszu.ppk": invalid format
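
Both problems from this post (key format and file permissions) can be checked before calling ssh. The function below is an added example, not part of the original post. `Test-SshKeyFile` is a hypothetical name; it classifies the format from the file's first line and lists every Allow entry for a principal other than the current user, which is the state the icacls fix above aims to eliminate.

```powershell
# Added example (not from the original post): pre-flight check of a private key file.
function Test-SshKeyFile {
    param([Parameter(Mandatory)][string]$Path)

    $file = Get-Item -LiteralPath $Path -ErrorAction Stop

    # Format check: .ppk files start with "PuTTY-User-Key-File-",
    # PEM-style keys (including OpenSSH exports) start with "-----BEGIN ... PRIVATE KEY-----".
    $firstLine = [string](Get-Content -LiteralPath $file.FullName -TotalCount 1)
    if ($firstLine -like 'PuTTY-User-Key-File-*') {
        $format = 'PuTTY (.ppk)'
    } elseif ($firstLine -like '-----BEGIN *PRIVATE KEY-----*') {
        $format = 'OpenSSH/PEM'
    } else {
        $format = 'Unknown'
    }

    # Permission check: collect every Allow entry (explicit or inherited)
    # that belongs to someone other than the current user.
    $me      = [System.Security.Principal.WindowsIdentity]::GetCurrent().User
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $rules   = (Get-Acl -LiteralPath $file.FullName).GetAccessRules($true, $true, $sidType)
    $others  = foreach ($rule in $rules) {
        if ($rule.AccessControlType -eq 'Allow' -and $rule.IdentityReference.Value -ne $me.Value) {
            try   { $rule.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $rule.IdentityReference.Value }   # unresolvable SID: show it raw
        }
    }

    [pscustomobject]@{
        Path            = $file.FullName
        Format          = $format
        OtherPrincipals = @($others | Sort-Object -Unique)
        ReadyForSsh     = ($format -eq 'OpenSSH/PEM') -and (-not $others)
    }
}

# Path taken from the post; change it to your own key file.
Test-SshKeyFile -Path 'C:\SSH_keys\piszu.ppk' | Format-List
```

A non-empty `OtherPrincipals` list corresponds to the "bad permissions" case, and a `Format` of `PuTTY (.ppk)` corresponds to the "invalid format" case.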
