Bad Owner or Permissions on SSH Config Windows 10

Lately, I have been working a lot with SSH and Windows 10, for one, transitioning away from WMI for certain things; hopefully, a blog post is coming on that front soon. Setting up SSH on Windows 10 is fairly simple to do, but it is one of those processes that can be fraught with missteps and misinformation from various places. As a case in point, you may run into permissions issues on a private key when connecting to Windows 10. Why is this? Let’s take a look at the bad owner or permissions on SSH config error in Windows 10 and see what it relates to.

Public key authentication with Windows 10

First of all, if you see the error mentioned in the title of this blog post, it means you are most likely attempting to configure public key authentication to access the OpenSSH server installed and configured on Windows 10. Why do you want to configure public key authentication?

Public key authentication is noted as a more secure way to authenticate to an OpenSSH server. Why is this? With public-key authentication, you have two parts of a cryptographic key that grants access. It includes both a private key and a public key. The SSH server possesses the public key of the key pair, while you as the user possess the private key. In addition to passing the physical private key file, you can also secure the private key with a password.

So, it is easy to understand how this type of authentication is much more secure. As far as the cryptographic key is concerned, an attacker can’t simply brute force the server to guess a weak, guessable, or cracked password to gain access. They have to have possession of the key and know the password if the private key is secured with one.

SSH clients have also come a long way in recognizing risky configurations when it comes to private key files. If the private key file grants permissions to anyone other than the user who should possess the key, the key can be more easily compromised.

Many SSH clients check the permissions configured on the SSH private key, and if these are too permissive, the client will refuse to use the key for the SSH connection. Note the following error seen when trying to SSH into a remote Windows 10 machine with wide-open permissions on the private key file:

Unprotected private key file error

The error above states the issue: Permissions for the key file are too open. It is required that your private key files are NOT accessible by others. This private key will be ignored.

Bad Owner or Permissions on SSH Config Windows 10

To get past the Bad Owner or Permissions on SSH Config Windows 10 error, you need to configure three things:

  • Permissions on the authorized_keys file
  • Permissions on your private key file
  • sshd_config file changes

Permissions on the authorized_keys file

Part of the process to properly configure your Windows 10 SSH session for public-key authentication is ensuring the permissions are set correctly, both on the authorized_keys file (holds public key) and the private key file that holds the private key side of your key pair. Let’s take a look at both.

When you enable OpenSSH on your Windows 10 machine, you need to create the .ssh directory in the user profile of the user you will be logging in with. This is the location OpenSSH looks to find the authorized public keys, and by extension, the paired private keys that are allowed to access the machine.

By default, when you create the directory and the authorized_keys file, it will have too many permissions assigned. As you can see, it will have the local Administrators group added to the file. Click Advanced.

Permissions set by default on the authorized keys file

Here, we need to disable inheritance. This breaks inheritance on the folder and allows you to set explicit permissions.

Disable permissions inheritance

Choose the option Convert inherited permissions into explicit permissions on this object.

Convert inherited permissions to explicit permissions

Adjust your permissions so that you only have SYSTEM and your username displayed as having permissions on the authorized_keys file.

Remove all permissions except SYSTEM and your user

Permissions on your private key file

Now, on your private key, you need to ensure the same thing is set. The user that you are logged in with and SYSTEM are the only entries that should be listed in the permissions on the private key file.

Setting permissions on the SSH private key
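
The same permission steps can be scripted. The following is an added example, not code from the original post: a hypothetical Repair-SshKeyAcl function that reports, and with -Fix removes, any entry other than SYSTEM and the current user. It assumes you run it as the user who owns the file, and the key file names at the bottom are placeholders.

```powershell
# Added example (not from the original post). Reports, and with -Fix removes, every
# ACL entry on an SSH key file that is not SYSTEM or the current user.
function Repair-SshKeyAcl {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [switch] $Fix
    )
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $allowed = @(
        'S-1-5-18'                                                            # NT AUTHORITY\SYSTEM
        [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value  # user running the script
    )
    $acl = Get-Acl -LiteralPath $Path

    # GUI equivalent: Disable inheritance > Convert inherited permissions into
    # explicit permissions. Inherited entries cannot be removed until this is written.
    if ($Fix -and -not $acl.AreAccessRulesProtected) {
        $acl.SetAccessRuleProtection($true, $true)
        Set-Acl -LiteralPath $Path -AclObject $acl
        $acl = Get-Acl -LiteralPath $Path
    }

    # Collect the distinct identities that hold any entry but are not on the allow list.
    $extra = @($acl.GetAccessRules($true, $true, $sidType) |
        ForEach-Object { $_.IdentityReference } |
        Where-Object { $allowed -notcontains $_.Value } |
        Sort-Object -Property Value -Unique)

    foreach ($sid in $extra) {
        # Fall back to the raw SID when the account name cannot be resolved.
        $name = try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $sid.Value }
        if ($Fix) { $acl.PurgeAccessRules($sid) }
        [pscustomobject]@{ Path = $Path; Identity = $name; Removed = [bool]$Fix }
    }
    if ($Fix -and $extra.Count -gt 0) {
        Set-Acl -LiteralPath $Path -AclObject $acl
    }
}

# Hypothetical file names; substitute your own key path.
Repair-SshKeyAcl -Path "$env:USERPROFILE\.ssh\authorized_keys"      # audit only
Repair-SshKeyAcl -Path "$env:USERPROFILE\.ssh\id_ed25519" -Fix      # audit and tighten
```

Run it without -Fix first; an empty result means only SYSTEM and your user hold entries on the file.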

sshd_config file changes

Now that we have the permissions set correctly on the authorized_keys file and the private key, we need to make sure the sshd_config file is configured correctly. We need to make three changes for this to work correctly:

Below, I have uncommented the PubkeyAuthentication yes stanza. Then, we have commented out the PasswordAuthentication yes and Match Group administrators configuration.

PubkeyAuthentication yes
#PasswordAuthentication yes
#Match Group administrators
#       AuthorizedKeysFile __PROGRAMDATA__/ssh/administrators_authorized_keys

Be sure to restart your OpenSSH SSH Server service on your Windows 10 machine after making these changes to the sshd_config file. Once the changes are in place, you should be able to connect to the machine via SSH.

Restart the OpenSSH Server service

Wrapping Up

Connecting to Windows 10 via SSH is a great way to make secure connections to Windows 10 when public-key authentication is used. It can also be a great way to use solutions like Ansible to connect to your Windows 10 boxes remotely.
