Tag: linux

AWS EC2 – Windows SSH – Permissions for public / SSH key are too open

admin

We all may have encountered issues of bad permission for the public key while accessing the Linux/Ubuntu/Unix box through windows 10 systems.

This issue you may face while using a new set of public keys.

Error

E:\AWS\key>ssh -i ./my-key.pem ubuntu@10.0.0.1
The authenticity of host '10.0.0.1 (10.0.0.1)' can't be established.
ECDSA key fingerprint is SHA256:HxAA3hSzLSd/TRcZtXUYrjfZ0C9jL7fXmAZigM5p3+I.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.0.0.1' (ECDSA) to the list of known hosts.
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions for './my-key.pem' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
Load key "./my-key.pem": bad permissions
ubuntu@10.0.0.1: Permission denied (publickey).

The fix is pretty simple, we should just set the right permissions of the pem (public key) file. The only mistake we do while fixing the above issue is not granting permission to the correct user.

We need to first ensure we have the correct user details which we have used for our windows system login.

To verify the user details run the below command in your command prompt,

E:\AWS\key>whoami
desktop-4455tbos\myuser

Copy the user details, we will require these details in our later steps.

Steps to set the pem (public key) file permission

Browse and navigate to your public key directory.

Right-click on the key file name and click on properties.

Select the Security Tab and click on Advance.

On Advanced Security Setting Panel, click on “Disable inheritance

On the Block Inheritance Tab, Select “Remove all inherited permissions from the object

All Existing permission will be removed, ensure the permission Text Area has zero entries as shown below,

Now Click on the “Add” button, and you should get the pop-up to add permissions and user. Click on “Select Principal

On the “Select User or Group” panel, Enter the username we got earlier and click on “check names“.

You should be able to see your selected username. Once validated click on OK.

On Basic permission, select and check “Full control” and apply the changes.

You should be able to view your username with all permissions on the key property tab.

Now, let us connect to ssh,

ssh -i ./my-key.pem ubuntu@<your instance IP>
E:\keys>ssh -i ./my-key.pem ubuntu@10.0.0.1
Welcome to Ubuntu 22.04.1 LTS (GNU/Linux 5.15.0-1020-aws x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

We should be able to connect to our instance.

Linux/Unix – sshd_config

admin

The entries in sshd_config can be updated, the file is genrally located at /etc/ssh/sshd_config.

Example

Match User john,mike
AuthenticationMethods publickey,privatekey

Note: The users should be separated with comma and should not have spaces in between.

The Match keyword will match user to restrict the arguments for the defined user.

In our case the AuthenticationMethod is applicable only for john and mike

Linux – Add User

admin

To Add User in Linux,

useradd -g johngroup-s /bin/bash -m -d /home/john -u 199999 john

The above command will create user John which has a specific uid 199999, under group johngroup along with a home folder in /home/john and will also add an entry in ssh /bin/bash for the respective user.

Command Arguments

  • -g To create user in specific group
  • -s To create user entry in ssh
  • -u user with specific uid
  • -m and -d to create with home directory