79

I'm trying to change the permissions to my key file key.pem in Cygwin 1.7.11. It has the permissions flags: -rw-rw----

    chmod -c 600 key.pem

Reports:

    mode of 'key.pem' changed from 0660 (rw-rw----) to 0600 (rw-------)

However:

    ls -l key.pem

still reports

key.pem's permission flags are still: -rw-rw----

The reason why I'm asking is that ssh is complaining:

    Permissions 0660 for 'key.pem' are too open.

when I try to ssh into my Amazon EC2 instance. Is this an issue with Cygwin & Windows 8 NTFS or am I missing something?

Castaa
  • This sounds like a Win8/Cygwin bug. I'd recommend reporting it on the [Cygwin mailing list](http://cygwin.com/lists.html). – me_and Mar 06 '12 at 10:30
  • It might be related to NTFS... Windows doesn't really use that Linux scheme. Maybe you can try going into the windows permission settings and only give yourself rights... – sinni800 Mar 07 '12 at 11:11
  • I think this is related to http://superuser.com/questions/363141/using-git-through-cygwin-on-windows-8 – Daniel Stiner Mar 27 '12 at 02:09

7 Answers

99

I'm using Cygwin in the Win8CP, and I had the same issue. It's definitely a Cygwin bug, but there's a workaround: try running:

    chgrp -R Users ~/.ssh

The longer explanation is that, for some reason, Cygwin's /etc/passwd and /etc/group generation are putting the user's default/main group as None. And you cannot change the permission of None, so the chmod for group has no effect.

I didn't try repairing the passwd/group files myself, but I did do a chgrp -R Users ~/.ssh (or, if you are on the Windows 8 pre-release, with the group name HomeUsers). After that, you can do the chmod 0600 and it'll work as expected.

The chgrp to the Users group can be done in whichever other similar cases you find. It even works as expected since Cygwin puts users in the Users group as a secondary group (instead of primary, which would be the correct behavior).

StackzOfZtuff
Jessidhia
  • 12
    I needed `chgrp -Rv Users ~/.ssh/*` `chmod -vR 600 ~/.ssh/*` – Tomáš Fejfar Jan 27 '13 at 12:41
  • @TomášFejfar comment above worked for me. Thanks. – scaraveos Apr 11 '13 at 07:49
  • @TomášFejfar that was very helpful, maybe it should find its way into install scripts or something – dashesy Jun 01 '13 at 18:11
  • Yes, that would be lovely, but I usually can contribute only to github-based projects. Elsewhere it's too much hustle ;) – Tomáš Fejfar Jun 02 '13 at 10:31
  • 4
    Note if you have Windows installed in another language `Users` is not going to work. Use `cat /etc/group` to check with what you should replace `Users`. In Dutch for example you would have to replace `Users` with `Gebruikers`. – thijsai Jan 09 '14 at 16:58
  • Note that this also works for Mobaxterm. The group in Mobaxterm is called UsersGrp. Changing the group to Users allowed me to change file permissions and ssh worked. – Snap Shot Aug 26 '14 at 16:06
  • This also works for those who use MobaXterm – Will Nov 29 '14 at 14:15
  • 3
    It doesn't work anymore. The new solution is @luke-lee 's one. – fjardon Feb 24 '15 at 06:55
  • @SnapShot MobaXterm has nothing to do with it, it's just a terminal emulator. It's like saying that you have registered yourself to the Facebook in Internet Explorer and then you found out that you're registered to Facebook also in Chrome, Firefox and Opera. As a browser has nothing else to do with a website than displaying it, terminal emulator has nothing else to do with a shell than displaying it (and also sending user's input back to it). – David Ferenczy Rogožan Sep 20 '15 at 03:49
29

Starting from Cygwin 1.7.34 (2015-02-04) the method that changes the group to Users no longer works. Instead you need to use Cygwin's setfacl utility.

  • Say, if you want to set file mode to 644 (rw-r--r--) do this:

    setfacl -s u::rw-,g::r--,o:r-- foo.bar
    
  • or use a longer format:

    setfacl -s user::rw-,group::r--,other::r-- foo.bar
    
  • or copy its mode using getfacl from file foo to bar:

    getfacl foo | setfacl -f - bar
    

A complete manual is in the "setfacl" section of the Cygwin user guide. I wonder why Cygwin has not yet changed chmod utility likewise.

Luke Lee
  • 1
    solutions with group change to Users didn't work for me but only setfacl based one! – dim Mar 02 '15 at 14:53
  • 2
    Luke, I think you missed a colon in your first code-block after the 'o'. – Seldom 'Where's Monica' Needy Sep 15 '17 at 17:45
  • @SeldomNeedy Argh! You are right, corrected accordingly. Thanks! – Luke Lee Sep 18 '17 at 01:02
  • 1
    @SeldomNeedy After some more checks I found both syntaxes work, but the original one (with one colon) is more accurate. The 2nd colon for 'u' and 'g' is for specifying UID and GID. For 'o' there is no such specifier so only one colon is needed. – Luke Lee Sep 18 '17 at 01:15
11

Here is a script that uses Luke Lee's suggestion but supports octal args like chmod. It provides a framework that can be extended, although it currently only supports the octal args needed to fix permissions on key.pem and/or the ~/.ssh directory and files.

    #!/bin/bash

    # convert chmod octal permission args to equivalent setfacl args
    ARGS=() ; FILES=()
    while [ $# -gt 0 ]; do
      A=$1 ; shift
      case "$A" in
      600|0600) ARGS+=("u::rw-,g::---,o::---") ;;
      640|0640) ARGS+=("u::rw-,g::r--,o::---") ;;
      644|0644) ARGS+=("u::rw-,g::r--,o::r--") ;;
      700|0700) ARGS+=("u::rwx,g::---,o::---") ;;
      *) if [ -e "$A" ]; then FILES+=( "$A" ) ; else
        echo "unrecognized arg [$A]" 1>&2
        exit 1
      fi
      ;;
      esac
    done
    for F in "${FILES[@]}" ; do
      setfacl -s "${ARGS[@]}" "$F"
    done

I used it like this to fix my .ssh directory and files:

    chmodfacl 700 ~/.ssh
    chmodfacl 600 ~/.ssh/*
    chmodfacl 640 ~/.ssh/*.pub

philwalk
  • Just got hit by this one in a cygwin update. Thanks for the script. `setfacl` on its own is horrible. – Andy Brown Feb 14 '15 at 16:32
  • Where do I put the script? – Sisir Aug 14 '16 at 10:31
  • the script can go anywhere in your cygwin path. You might create a $HOME/bin directory and put it there, although you'll then need to add it to your path, e.g., in $HOME/.bashrc. – philwalk Feb 04 '18 at 00:13
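
The octal table in the script above covers four modes. As an added example (not philwalk's script and not part of any answer), this POSIX shell sketch derives the `setfacl -s` spec for any three-digit octal mode and re-reads the mode afterwards, so a change that silently fails to stick, as in the question, is reported. The function names are made up for this example, and `stat -c %a` assumes GNU coreutils.

```sh
#!/bin/sh
# Added example (not philwalk's script). The function names are made up here.

# One octal digit (0-7) -> its rwx triplet.
digit_to_rwx() {
  case "$1" in
    0) echo '---' ;; 1) echo '--x' ;; 2) echo '-w-' ;; 3) echo '-wx' ;;
    4) echo 'r--' ;; 5) echo 'r-x' ;; 6) echo 'rw-' ;; 7) echo 'rwx' ;;
    *) return 1 ;;
  esac
}

# chmod-style octal mode (600, 0644, ...) -> spec for "setfacl -s".
# Special bits (setuid/setgid/sticky) are rejected rather than dropped.
mode_to_facl() {
  case "$1" in
    0[0-7][0-7][0-7]) m=${1#0} ;;
    [0-7][0-7][0-7])  m=$1 ;;
    *) echo "unsupported mode [$1]" >&2; return 1 ;;
  esac
  g=${m#?}
  echo "u::$(digit_to_rwx "${m%??}"),g::$(digit_to_rwx "${g%?}"),o::$(digit_to_rwx "${m#??}")"
}

# Exit 0 if group or other have any access bit set, which is the
# condition behind ssh's "are too open" message.
too_open() {
  mode=$(stat -c %a "$1") || return 2
  [ $(( 0$mode & 077 )) -ne 0 ]
}

# Apply MODE to each FILE, then re-read the mode so a change that did not
# stick (the symptom in the question) is reported instead of assumed.
chmodfacl_checked() {
  spec=$(mode_to_facl "$1") || return 1
  want=$1; shift
  rc=0
  for f in "$@"; do
    setfacl -s "$spec" "$f" || { rc=1; continue; }
    got=$(stat -c %a "$f")
    [ $(( 0$got )) -eq $(( 0$want )) ] ||
      { echo "$f: mode is $got, wanted $want" >&2; rc=1; }
  done
  return $rc
}

if [ $# -ge 2 ]; then chmodfacl_checked "$@"; fi
```

Saved as a script, it takes the mode first and the files after it, for example `600 key.pem`; `too_open key.pem` on its own only checks, without changing anything.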
4

    chgrp -R Users ~/.ssh
    chmod 0600 ~/.ssh/config
    chmod 0700 ~/.ssh

xtrimsky
1

If you have git bash installed run the same command (chmod -c 600 key.pem) with git bash and avoid Cygwin.

1

This issue can be resolved by running the ssh-keygen command from the Cygwin terminal (not the normal Windows Command Prompt). I have done this on my Windows 8 machine.

  • 4
    Can you please elaborate further? How can this fix the problem? What steps should the user take other than "run ssh-keygen from Cygwin"? – DanteTheEgregore Aug 08 '14 at 15:17
  • This just generates a key, but the OP has a key with bad permissions – Jonathan Feb 05 '16 at 16:55
  • Same experience here: chmod / ssh-keygen puts good permission under cygwin, but doesn't do it if I execute them from the windows cmd. (I don't know why though :-) ) – autra Mar 22 '18 at 08:36
-2

Run the Cygwin installer and update. The bug should be fixed.

  • 3
    Your post needs to be expanded. A good [answer](http://superuser.com/help/how-to-answer) includes specific instructions (not just links to them) and an explanation as to how or why the answer addresses the OPs question. Please edit your post to adequately address both of these elements. – I say Reinstate Monica Jun 15 '15 at 18:12