Server Bug Fix: can not receive ssh connections from outside my ISP

I have an ISP that provides me only the ports above 1024, so I forwarded port 1665 to receive ssh connections. Using the WAN IP they provide me, I can only get connections from users on the same ISP.
This looks like I am kinda “trapped” in a big LAN. In this case, how can I receive ssh connections from outside this ISP?

Obs.: I unsuccessfully tried to use all the IPs given by https://myip.com.

The big question is if you have a truly public IP assigned to you or are you behind your carrier’s NAT. If it’s the first, you should be able to connect to your router from anywhere outside of your network. You can see if it’s a public IP or carrier NAT by looking through your router’s configuration and checking if the public IP it has matches the one a “what’s my ip” search would give you. NAT IPs usually start with 100.xxx.xxx.xxx. You can also call your ISP and tell them you need a public IP because you installed security cameras in your house and need to access them from the outside (this is actually really effective).

If there is no option to have a public IP for you, you can check out NGrok, they give you a “reverse tunnel” that enables you to connect to any host in any network.

Most likely your operator is using Carrier Grade NAT to have more customers per public IP.

If your WAN address starts with 100.64-100.127, it means your operator is using CGNAT.

With CGNAT, it is impossible to host any services to the public internet.

You need to either use IPv6 or switch to an operator that does not use CGNAT.
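As an added example (not part of either answer above), the WAN-versus-observed-address check both answers describe, in Python: it places the router's WAN address in the RFC 6598 shared range (100.64.0.0/10, the 100.64-100.127 block mentioned above), RFC 1918 private space, or public space, and states what that means for an inbound port forward. All sample addresses are constructed.

```python
import ipaddress

# RFC 6598 "shared address space": the range carriers use for CGNAT.
CGNAT_SPACE = ipaddress.ip_network("100.64.0.0/10")


def classify_wan_address(addr):
    """Classify the address a home router reports on its WAN interface.

    Returns "cgnat-shared", "private" (RFC 1918 / IPv6 ULA), "public", or
    "other-reserved" (loopback, link-local, documentation ranges, ...).
    """
    ip = ipaddress.ip_address(addr)
    if ip in CGNAT_SPACE:          # version mismatch (IPv6) simply yields False
        return "cgnat-shared"
    if ip.is_loopback or ip.is_link_local:
        return "other-reserved"
    if ip.is_private:
        return "private"
    if ip.is_global:
        return "public"
    return "other-reserved"


def reachability_verdict(router_wan, observed_external):
    """Apply the check from the answer: compare the router's WAN address with
    the address an external "what's my IP" service reports."""
    kind = classify_wan_address(router_wan)
    if kind == "cgnat-shared":
        return ("behind carrier NAT: inbound port forwards cannot be reached "
                "from the internet")
    if kind == "private":
        return ("behind another NAT device: forward the port on the upstream "
                "router as well")
    if kind == "public" and ipaddress.ip_address(router_wan) == ipaddress.ip_address(observed_external):
        return ("public address on the router: inbound forwards should work; "
                "check the router firewall")
    return ("router address is not the one the internet sees: the ISP is "
            "translating; ask for a public IP, use IPv6, or use a reverse tunnel")


if __name__ == "__main__":
    # Constructed sample pairs (router WAN address, externally observed address).
    for wan, seen in [("100.64.12.34", "198.51.100.7"),
                      ("192.168.1.50", "198.51.100.7"),
                      ("8.8.8.8", "8.8.8.8")]:
        print(wan, "->", classify_wan_address(wan), "|", reachability_verdict(wan, seen))
```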

Linux HowTo: How to setup proxy jump with PuTTY

In GNU/Linux I find it very easy to perform the following, but I am struggling to get our Windows users to connect via the same method.

The following is what I do on GNU/Linux. Can you please demonstrate how to do the same in Windows? We currently use PuTTY. Is there an alternative?

GNU/LINUX

The raw command without any configuration set up looks like this:

ssh -J <jump-user>@<jump-host> <protected-user>@<protected-host>

An SSH config can be created at ~/.ssh/config that looks like this:

Host jump
    User <jump-user>
    HostName <jump-host>
Host protected
    User <protected-user>
    HostName <protected-host>
    ProxyJump jump

You can then ssh like this:
ssh protected

PuTTY does not have a direct equivalent of -J/ProxyJump.

But there are two alternatives (while a bit more complicated to set up):


Apart from PuTTY, there’s also the Microsoft build of OpenSSH for Windows. On Windows 10 version 1803 or newer, OpenSSH is built-in. On older versions of Windows 10, you can install it as an “Optional Feature” named “OpenSSH Client”. On you can just download a ZIP package. The client tools do not need any installation, you can just extract them.

What I’ve done in PuTTY is set the host to the jump machine. Then in Connection -> SSH I set the remote command to ssh -Y <protected-user>@<protected-machine>. Not quite the same thing, but it instructs PuTTY to immediately run the SSH command upon login, and when I close that, the whole thing closes down because that command will have completed.

Linux HowTo: passwordless ssh from linux to windows

I am trying to log in to Windows without a password from a Linux server. I have already installed OpenSSH from GitHub and I’m able to do scp and ssh. I tried copying the authorized_keys to the Windows location, but it’s still not working.
The functionality should be: no password prompt when running ssh or scp from the Linux environment to log in to / show a Windows directory.

I tried the commands below:

cat .ssh/id_rsa.pub | ssh [email protected] 'cat >> .ssh/authorized_keys'

ssh [email protected] "chmod 700 .ssh; chmod 640 .ssh/authorized_keys"

But I am getting errors that cat and chmod are not understood.

Updating with the errors:

'cat' is not recognized as an internal or external command,
operable program or batch file.

'chmod' is not recognized as an internal or external command,
operable program or batch file.

Do I need to install cygwin? If yes, please help with the implementation.

Any assistance is appreciated. Below is an image of the error.

Steps to establish passwordless SSH between Linux ⬌ Windows:

Note:

  • Open a PowerShell console with Administrator privileges and execute all the commands mentioned below in that console only
  • Depending on install path, add C:\Windows\System32\OpenSSH or C:\Program Files\OpenSSH to the System Path

Windows Server 2019:

  • Ensure the system is up to date via Windows Update
  • Ensure OpenSSH features are installed:
    • Apps & Features > Manage Optional Features
    • OpenSSH Server and OpenSSH Client should be listed, if they are not: Add a Feature

Windows Server 2012 and 2016:

  1. Download OpenSSH (OpenSSH-Win64.zip)
  2. Extract the contents to C:\Program Files\OpenSSH and enter the directory
  3. Follow steps 4 – 6 mentioned in the Install Wiki:

    # In an elevated Powershell console, run the following:
      powershell -ExecutionPolicy Bypass -File install-sshd.ps1
    
    # Open the firewall for sshd.exe to allow inbound SSH connections
      New-NetFirewallRule -Name sshd -DisplayName 'OpenSSH Server (sshd)' -Enabled True -Direction Inbound -Protocol TCP -Action Allow -LocalPort 22
    
    # Start sshd (this will automatically generate host keys under %programdata%\ssh if they don't already exist)
      net start sshd ; net start ssh-agent
    

Common Steps for Windows Server 2012/2016/2019:

  1. Execute the following, which should show the status as Running for both services:

    Set-Service ssh-agent -StartupType Automatic
    
    Set-Service sshd -StartupType Automatic
    
    Get-Service -Name ssh-agent,sshd
    

    If not running: open Services and start OpenSSH Server and OpenSSH Authentication Agent

  2. For public-private key pair generation, issue ssh-keygen and follow the prompts
  3. Create C:\ProgramData\ssh\administrators_authorized_keys:
    New-Item -ItemType file "C:\ProgramData\ssh\administrators_authorized_keys"
    
  4. Append /root/.ssh/id_rsa.pub to C:\ProgramData\ssh\administrators_authorized_keys
    • If id_rsa.pub does not exist on Linux, generate via: ssh-keygen
  5. Append C:\Users\Administrator\.ssh\id_rsa.pub to /root/.ssh/authorized_keys
    • If authorized_keys does not exist:
      touch "/root/.ssh/authorized_keys"
      
  6. For permission settings:

    icacls "C:\ProgramData\ssh\administrators_authorized_keys" /remove "NT AUTHORITY\Authenticated Users"
    
    icacls "C:\ProgramData\ssh\administrators_authorized_keys" /inheritance:r
    
    Restart-Service -Name sshd, ssh-agent -Force
    

Relevant locations on Windows host:

  • C:\Windows\System32\OpenSSH
  • C:\Program Files\OpenSSH
  • C:\Users\Administrator\.ssh
  • C:\ProgramData\ssh

The errors say it all.

More or less, your ssh server provides… well, an ssh server. It doesn’t have the ‘unix’ style or linux coreutils you’re trying to run by default.

While swapping this ssh server for cygwin might help – what you literally need to do is understand what you’re doing and not presume linux commands will work.

You can probably get cat on windows – through various native packages of it like the ones bundled with git or GOW.

The permissions model probably works differently so you need to do it with native tools.

It needs some reading but this suggests “only System, Administrators and owner can have access”- and this post suggests you can use ICACLS to set the appropriate permissions.

The takeaway is – well you got to understand your tools and realise that you’re not going to find the same environment everywhere.

Server Bug Fix: SSHd not starting on CentOS 8.1

I have centos 8.1.1911 (core)

I can’t get opensshd to run. I have dnf.

I removed it dnf remove openssh-server
then reinstalled dnf install openssh-server

systemctl start sshd

Job for sshd.service failed because the control process exited with error code.

Going through the /var/log/messages log, I see a possible error.
I did sshd -t and got the same error; the error is:

Failed to seed from getrandom: Function not implemented

journalctl -xe and systemctl status sshd.service show no other failures

sshd.service main process exited code=exited status=255/n/a
Failed to start openssh server daemon

I did dnf remove openssh-server and tried again, still no luck

Removed /etc/ssh folder
rm -rf /etc/ssh
To wipe away any bad config and tried again. No luck

Care to advise? Does the centos 8.1.1911 just simply have no way to do this yet?

I saw a comment online to try this:
mkdir -p /var/run/sshd

For what I believe is PID file generation, but having no luck still.

One possible reason could be that when you upgraded the OS from CentOS 7 to CentOS 8, some of the code and commands that were defined in the sshd_config are not compatible with CentOS 8. To know more, check the access.log in the /var/log path. Reinstalling sshd or openssh-server doesn’t remove the complete instance; due to that, it may not work in many situations. The best way is to check the logs and the sshd_config file.

It’s a little too late, but if the problem is the result of a dist upgrade it’s probably a kernel problem; you must upgrade your kernel version.
Check yours with

uname -a

if =< 3.x you should try an upgrade

Server Bug Fix: Connecting to remote mac machine via ssh tunnelling over VPN

From my laptop, I am trying to open remote desktop in server2:

This is how it looks:

my-mac-laptop -> vpn. ---> server1(redhat)  ->  server2(mac-server)
                           <----------same network---------------> 

Here, I can’t access server2 directly. I have to connect to server1 via VPN. And from server1 I can access server2(mac-server).

I have already enabled Remote Login and Remote Management in the server2(mac-server).

Following that, I am attempting to port forward the remote desktop ports with the following command:

ssh -L 5900:server2-ip-address:5900 [email protected]

My understanding has been this will tunnel all the remote desktop traffic to the server2(mac-server) in my mac laptop.

In the next step, I open screen-sharing app from my mac laptop and type localhost which should forward 5900 traffic to mac-server2 over the ssh-tunnel.

However, this is not working and it is stuck with “connecting” status. Any idea?

I would like to know how I can triage this case, any ideas welcome.

Are there logs in the mac-server2 that might assist me to debug?

Ubuntu HowTo: Why can’t Ubuntu access my Raspberry Pi across LAN?

Okay, I recently got a Raspberry Pi, and I got it connected to my Wi-Fi – I enabled the SSH and installed Hiawatha, and I could access it just fine from my Desktop, which was running Puppy Linux at that time.

I could also access it just fine when booted into Windows (PuTTY on Win XP Pro,) and the Netbook could access it via PuTTY, as well. (Win 7 Starter)

However, when I booted into Ubuntu, all SSH, HTTP, and HTTPS connections were refused. To confirm that it was Ubuntu, and only Ubuntu, that was having the connection issues, I rebooted into Puppy Linux – connected fine, and into Windows – connected fine. The Netbook could connect to all 3 services without issues either. It was just Ubuntu that said connection refused.

I’d like to know what’s wrong – I’ve already done all the basic troubleshooting: rebooting the RPi, rebooting my computer, rebooting the wireless router, etc. The Raspberry Pi has no Firewall enabled, and my Router offers all devices connected to LAN unrestricted access to each other. I’ve done extensive testing, and Ubuntu has been proven beyond a shadow of a doubt to be the only one not willing to connect.

UPDATE: Just tested accessing via my external IP, and everything runs smoothly on Ubuntu! However, Ubuntu still can’t access the Pi from anything local, and I just re-confirmed that my other OS’s can. I think it’s weird that Ubuntu has trouble connecting locally (unlike my other OS’s,) but is just fine accessing the Pi via my external IP..

UPDATE 2: Disabling my firewall lets me access the device, but the password reports as incorrect every. single. time. I’ve tried typing it into Gedit, then dragging-and-dropping it into the password prompt during SSH login, and it authorizes when accessing [email protected], but NOT when accessing [email protected]. This is unbelievably frustrating.

So until you had ufw enabled with default settings on your Ubuntu machine, the connection always reported Connection refused. After you disabled ufw on your client, the connection is established but the password is always rejected?

I would guess in that case your problem is that the 192.168.2.128 ip is routed back to your client Ubuntu machine, and actually you are connecting to the ssh server running on your Ubuntu machine. This would explain:

  • Why you are able to connect from the internet.

  • Why your connection was rejected when the firewall was on on your Ubuntu client.

  • Why the connection is no more rejected with the client firewall turned off.

  • Why now the connection is established, but the authentication fails.

To troubleshoot this case:

  • Check the server’s host key with ssh -v [email protected] both for a local and for an internet connection. Does it report the same key?

  • Or while you are connecting from local, and you are at the prompt to type your password, from another terminal: sudo netstat -tupan and see if a connection is established to the sshd on your Ubuntu.

Although this case would explain everything, it is so weird that I have doubts that this is your problem.
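The host-key comparison suggested in the answer above, as an added Python example (not from the answer): it parses ssh-keyscan output captured once via the LAN address and once via the external address, computes OpenSSH-style SHA256 fingerprints, and reports whether both paths end at the same sshd. Key blobs and addresses are constructed; 203.0.113.10 stands in for the external IP.

```python
import base64
import hashlib


def parse_keyscan_line(line):
    """Parse one ssh-keyscan output line into (host, key_type, key_blob_b64).

    Returns None for blank lines and for the '# host:port SSH-2.0-...' comment
    lines ssh-keyscan prints on stderr (present when 2>&1 was used).
    """
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) < 3:
        raise ValueError("unexpected ssh-keyscan line: %r" % line)
    return parts[0], parts[1], parts[2]


def sha256_fingerprint(key_blob_b64):
    """OpenSSH-style fingerprint: SHA-256 over the decoded key blob, base64 without
    '=' padding. It is the value ssh-keygen -lf prints and ssh -v shows as
    'Server host key: ... SHA256:...'."""
    digest = hashlib.sha256(base64.b64decode(key_blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def fingerprints_by_type(keyscan_output):
    """Map key type -> fingerprint for every key line in a keyscan capture."""
    fps = {}
    for line in keyscan_output.splitlines():
        rec = parse_keyscan_line(line)
        if rec is not None:
            _host, key_type, blob = rec
            fps[key_type] = sha256_fingerprint(blob)
    return fps


def same_server(local_scan, external_scan):
    """Return (verdict, mismatched_key_types).

    verdict is True when every key type present in both captures has the same
    fingerprint, False when any differs (the two paths reach two different sshd
    instances, e.g. the Ubuntu desktop's own sshd instead of the Pi), and None
    when the captures share no key type to compare.
    """
    local = fingerprints_by_type(local_scan)
    external = fingerprints_by_type(external_scan)
    common = sorted(set(local) & set(external))
    if not common:
        return None, []
    mismatched = [t for t in common if local[t] != external[t]]
    return (not mismatched), mismatched


# Constructed sample data (not real keys): the blobs are base64 of arbitrary bytes,
# which is all the fingerprint routine needs.
PI_BLOB = base64.b64encode(b"constructed-raspberry-pi-ed25519-blob").decode("ascii")
UBUNTU_BLOB = base64.b64encode(b"constructed-ubuntu-desktop-ed25519-blob").decode("ascii")
# Scan via the LAN address: here answered by the desktop's own sshd (the suspected fault).
LOCAL_SCAN = ("# 192.168.2.128:22 SSH-2.0-OpenSSH_9.6\n"
              "192.168.2.128 ssh-ed25519 " + UBUNTU_BLOB + "\n")
# Scan via the external address, port-forwarded to the real Pi.
EXTERNAL_SCAN = "203.0.113.10 ssh-ed25519 " + PI_BLOB + "\n"

if __name__ == "__main__":
    verdict, bad = same_server(LOCAL_SCAN, EXTERNAL_SCAN)
    print("same sshd on both paths:", verdict, "mismatched key types:", bad)
    for t, fp in fingerprints_by_type(LOCAL_SCAN).items():
        print("local  ", t, fp)
    for t, fp in fingerprints_by_type(EXTERNAL_SCAN).items():
        print("extern ", t, fp)
```

If the local fingerprint matches ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub on the Ubuntu machine itself, the answer's theory is confirmed.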

It’s entirely possible that your ubuntu machine is getting a different network IP address than what is expected. Try the following:

  • On the raspi, check its IP address with ifconfig | grep 192.168
  • on the ubuntu machine, check its IP address with ifconfig | grep 192.168

In order to be able to talk to each other on your local network, they should both be using the same subnet – look at the third section of the IP address to see if they are. In your case, they should both be on the 192.168.2.* subnet.

Make sure they actually have different IP addresses too. This may seem obvious, but can happen if one of them is using DHCP and the other is set statically.

If that all checks out, then run the following command to see where your packets are supposed to be going:

route -n

Look in the output for the destination subnet that applies to your raspberry pi. There should really just be 3 rows:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.0.1     0.0.0.0         UG    0      0        0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U     1000   0        0 eth0
192.168.0.0     0.0.0.0         255.255.255.0   U     1      0        0 eth0

If you have more rows or things are going to weird spots, then that’s the answer.

My guess is that your ssh connection is ending up hitting a different SSH server from the one on your raspberry pi, which is why changing the ubuntu firewall affected it and your logins aren’t working.

According to what’s in your PasteBin, the “connection refused” indicates you’re getting a TCP reset from whatever is at that IP address.

Sanity check: While troubleshooting, DISABLE ufw.

With your desktop firewall disabled, can you ping the Pi from your desktop? Can you ping the desktop from your Pi?

After attempting the ping in both directions, look at the output of ‘arp -n’ on both machines. Do they see each other’s MAC (Ethernet hardware) addresses or is something redirecting/intercepting the traffic?

If you can ping in both directions and ‘arp -n’ indicates the proper MAC addresses are being used (check ‘ifconfig’ on the opposite machine), the next step is to examine /var/log/auth.log on the Pi. It should tell you what’s wrong with the connection attempt.

If the above doesn’t help, please show us the output from the following commands on the Pi:

sudo ifconfig -a
cat /etc/resolv.conf
arp -n
netstat -rn
sudo iptables-save
sudo grep ssh /var/log/auth.log | tail -50

And on your desktop:

sudo ifconfig -a
cat /etc/resolv.conf
arp -n
netstat -rn
sudo iptables-save

I see some of this pasted in the comments above, but the whole thing is important to grab with the firewall off, first. If you can make it work with the firewall off, then you can proceed to troubleshooting your firewall rules.

Also, even if you’re targeting an IP address, DNS settings still matter because SSH uses DNS during host key validation.

Delete ~/.ssh/known_hosts file and try again.
If a host with the same IP address was previously accessible via ssh, you may have kept an invalid fingerprint.

On Ubuntu 13.10, I could not ssh to my pi, when I previously could on 13.04 and Mint 16.
When trying

ssh -vvv [email protected]

I got :

debug1: expecting SSH2_MSG_KEX_ECDH_REPLY

I ran across a suggestion that said to set MTU for the Machine(not the pi) to 1200 instead of automatic. I did this, turned off -> then on my wifi , and connected with ssh to PI on first try.
Hope this helps someone.

Making Game: Ubuntu on Windows 10 – SSH “Permissions xxxx for private key are too open”

I have a key file located at C:\private-key.pem and I have a soft link to it on the Ubuntu subsystem: ~/.ssh/private-key.pem -> /mnt/c/private-key.pem.

When I’m trying to ssh into some remote machine from the Ubuntu subsystem, I get:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0777 for '/home/artur/.ssh/private-key.pem' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
Load key "/home/artur/.ssh/private-key.pem": bad permissions
Permission denied (publickey).
  • This began after the 1803 update for Windows: I was trying to use chmod 400 for the key on C: and within ~/.ssh on WSL. I tried setting the owner to me and removing all other users’ ACLs on Windows for this key file, but every time I get Permission denied or
    Permissions XXXX for '/home/artur/.ssh/private-key.pem' are too open.

Can anybody help me and explain how key permissions should be configured on Windows and the Ubuntu subsystem?

Solution that works for me in windows WSL (without changing file mode):

sudo ssh -i keyfile <user>@ip

I’m reading between the lines, and assuming you’re using a Linux subsystem in Windows 10. When you symlinked the Windows file from C: into the Linux file system in $HOME/.ssh, the permissions of the actual file are still under control of Windows, and the permissions shown to you in the Linux window just best represent the Windows permissions; you can’t change the permissions on the Windows files in /mnt/c from Linux. This FAQ from Microsoft talks about how files are handled in the two overlapping file systems.

The file you need to change the permission on is the file the symlink is pointing to, so that means the file in /mnt/c.

It doesn’t seem possible to give user-only access to a Windows file. Even if you disable permission inheritance on a file and give only your own user read permission, the Linux permissions still show as -r--r--r--, so that won’t be usable for ~/.ssh

The only option appears to be copying the file from Windows into Linux, at which point you can use chmod and chown on it.

Copy the SSH key over to your WSL ~/.ssh directory, as an SSH key with anything other than 600/400 permissions compromises the key.

  • Once the key is copied over, ensure its EOLs have been changed to LF.

    • There’s a number of ways to do so, from the Atom text editor to CLI solutions like dos2unix, unix2dos, etc.
  • See @simpleuser’s answer below to understand why permissions cannot be changed via Windows, which necessitates copying the key to the WSL’s ~/.ssh directory.

I am using Linux Windows Shell on Windows 10 Pro and also installed cygwin

Matching WSL UID to cygwin UID solved the problem.
Find the cygwin UID in the cygwin terminal via id

Two steps to match the UID:

  1. Open cmd.exe with administrator privileges and edit, with the new UID, via regedit.
    HKCU\Software\Microsoft\Windows\CurrentVersion\Lxss\{cefb...cb50}\DefaultUid
    
  2. Change the UID in WSL by using, in the WSL terminal:

    sudo vi /etc/passwd
    chmod 600 ~/.ssh/private-key.pem
    

To expand on the answer above as it works perfectly for me.

I am using Linux Windows Shell on Windows 10 Pro.

The 1803 update broke SSH in the shell as there is no equivalent to chmod 600 within windows.

But you can leave your pem unchanged with file permission 777 and run

sudo ssh -i my777Keyfile.pem [email protected]

and now you will log straight in. (Not sure why though).
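Why sudo sidesteps the warning, and why copying the key into the WSL file system is the real fix: OpenSSH's own check (sshkey_perm_ok in authfile.c) rejects a private key only when it is owned by the calling user and any group/other permission bit is set; as root the owner test fails, so the check is skipped while the key itself stays world-readable on disk. Added Python example, not from any of the answers; the key file is a constructed placeholder in a temporary directory.

```python
import os
import shutil
import stat
import tempfile


def key_perm_too_open(mode, owner_uid, caller_uid):
    """Mirror OpenSSH's sshkey_perm_ok(): refuse the key only when it is owned by
    the calling user AND any group/other bit is set (mode & 0o077). A key owned by
    a different uid is not inspected at all, which is why `sudo ssh -i` (caller
    uid 0, file owned by your user) gets past the check without fixing anything."""
    return owner_uid == caller_uid and (mode & 0o077) != 0


def check_key_file(path, caller_uid=None):
    """Return True if OpenSSH would accept the key at `path` for `caller_uid`
    (defaults to the current user)."""
    st = os.stat(path)
    uid = os.getuid() if caller_uid is None else caller_uid
    return not key_perm_too_open(stat.S_IMODE(st.st_mode), st.st_uid, uid)


def copy_key_into_linux_fs(src, dst):
    """The fix the answers converge on: copy the key off the /mnt/c mount (where
    Windows files show up as 0777) into the Linux file system with mode 0600.
    The destination is created 0600 from the first byte, so the copy is never
    readable by others, and the chmod covers a pre-existing wider `dst`."""
    fd = os.open(dst, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "wb") as out, open(src, "rb") as inp:
        shutil.copyfileobj(inp, out)
    os.chmod(dst, 0o600)
    return dst


def demo():
    """Constructed scenario: a placeholder key file forced to 0777, checked as its
    owner, as a different uid (the sudo case), and again after the copy."""
    with tempfile.TemporaryDirectory() as workdir:
        wide_open = os.path.join(workdir, "private-key.pem")
        with open(wide_open, "w") as f:
            f.write("-----BEGIN CONSTRUCTED PLACEHOLDER KEY-----\nnot a real key\n")
        os.chmod(wide_open, 0o777)
        me = os.getuid()
        fixed = copy_key_into_linux_fs(wide_open, os.path.join(workdir, "wslkey.pem"))
        return {
            "wide_open_as_owner": check_key_file(wide_open, me),          # False: too open
            "wide_open_as_other_uid": check_key_file(wide_open, me + 1),  # True: check skipped
            "copied_as_owner": check_key_file(fixed, me),                 # True: 0600 accepted
            "copied_mode": stat.S_IMODE(os.stat(fixed).st_mode),          # 0o600
        }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, "=", oct(value) if name == "copied_mode" else value)
```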

Here’s a really simple WSL solution, normally not requiring sudo, using Bash on Ubuntu within WSL.

Suppose your key is called mykey.pem:

cat 'mykey.pem' > 'wslkey.pem'
chmod 400 wslkey.pem
ssh -i 'wslkey.pem' [email protected][PUBLIC-IP-OF-YOUR-INSTANCE]

On Windows just delete all other permissions:

  1. chmod 400 keyname.pem
  2. Click right on keyname.pem -> setting -> security -> delete all users/groups except you.