git - your - warning unprotected private key file windows 10

SSH Private Key Permissions using Git GUI or ssh-keygen are too open (16)

Recently I've been unable to clone or push to github, and I'm trying to find the root cause.

This is on windows

I have cygwin + git as well as msysgit.

Msysgit was installed with the following options:

  • OpenSSH
  • Use Git from Windows Command Prompt

That gives me 4 environments to try to use git in:

  • Windows cmd prompt
  • Powershell
  • Git Bash
  • Cygwin

Somehow I've managed to get myself into a position where when I try to clone a repository using msysgit, cmd.exe, or Powershell, I get the following error:

> Initialized empty Git repository in
> C:/sandbox/SomeProject/.git/
> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> Permissions 0644 for
> '/c/Users/Ben/.ssh/id_rsa' are too
> open. It is recommended that your
> private key files are NOT accessible
> by others. This private key will be
> ignored. bad permissions: ignore key:
> /c/Users/Ben/.ssh/id_rsa Permission
> denied (publickey). fatal: The remote
> end hung up unexpectedly

This is using the .ssh folder in my c:\users\ben\ folder, which is what is used by msysgit. I suspect cygwin works because the .ssh folder is located elsewhere, but I'm not sure why

In Git Bash, I check the permissions:

$ ls -l -a ~/.ssh

Which gives me:

drwxr-xr-x    2 Ben      Administ        0 Oct 12 13:09 .    
drwxr-xr-x   34 Ben      Administ     8192 Oct 12 13:15 ..    
-rw-r--r--    1 Ben      Administ     1743 Oct 12 12:36 id_rsa
-rw-r--r--    1 Ben      Administ      399 Oct 12 12:36    
-rw-r--r--    1 Ben      Administ      407 Oct 12 13:09 known_hosts

These permissions are apparently too relaxed. How they got this way, I have no idea.

I can try to change them...

$ chmod -v -R 600 ~/.ssh

which tells me:

mode of `.ssh' changed to 0600 (rw-------)
mode of `.ssh/id_rsa' changed to 0600 (rw-------)
mode of `.ssh/' changed to 0600 (rw-------)
mode of `.ssh/known_hosts' changed to 0600 (rw-------)

But it seems to have no effect. I still get the same error, and doing

$ ls -l -a ~/.ssh

yields the same permissions as before.


I tried to fix the permissions to those files in cygwin, and cygwin reports their permissions correctly, gitbash does not: alt text

Any ideas on how I can really fix these permissions?

@koby's answer doesn't work for me, so I make a little change.

cd ~/.ssh
chmod 700

This works well for me on Mac.

After comming across the problem recently and this being one of the top google results i thought i would chip in with a simple work around documented in discussion here:

Simply involves overwriting the mysys ssh.exe with your cygwin ssh.exe

Changing file permissions from Properties, disabling inheritance and running chmod 400 didn't work for me. The permissions for my private key file were:

-r--r----- 1 alex None 1766 Mar 8 13:04 /home/alex/.ssh/id_rsa

Then I noticed the group was None, so I just ran

chown alex:Administrators ~/.ssh/id_rsa

Then I could successfully change the permissions with chmod 400, and run a git push.

Did you copy the key file from another machine?

I just created an id_rsa file on the client machine then pasted the key in I wanted. No permissions issues. Nothing to set. It just worked. It also works if you use PuTTYgen to create the private key.

Possibly some hidden group issue if you're copying it from another machine.

Tested on two Windows 8.1 machines. Using Sublime Text 3 to copy and paste the private key. Using Git Bash (Git-1.9.4-preview20140611).

For *nix systems, the obvious fix is chmod 600 id_rsa ofc, but on windows 7 I had to hit my head against the wall for a while, but then I found the magic solution:

go to My Computer / Right Click / Properties / Advanced System Settings / Environment Variables and DELETE the variable (possibly from both system and user environment):


Basically, its a flaw in mingw32 used by git windows binary, seeing all files 644 and all folders 755 always. Removing the environment variable does not change that behaviour, but it appearantly tells ssh.exe to ignore the problem. If you do set proper permissions to your id_rsa through explorers security settings (there really is no need to have any other user in there than your own, not "everyone", not "administrators", not "system". none. just you), you'll still be secure.

Now, why mingw32, a different system than cygwin, would make any use of the CYGWIN environment variable, is beyond me. Looks like a bug to me.

For Windows 7 using the Git found here (it uses MinGW, not Cygwin):

  1. In the windows explorer, right-click your id_rsa file and select Properties
  2. Select the Security tab and click Edit...
  3. Check the Deny box next to Full Control for all groups EXCEPT Administrators
  4. Retry your Git command

I had the same problem on Windows XP just recently. I tried to chmod 700 on my ~/.ssh/id_rsa file but it did not seem to work. When I had a look at the permissions using ls -l on the ~/.ssh/id_rsa I could see that my effective permissions still was 644.

Then I remembered that windows permissions also inherit permissions from the folders, and the folder was still open to everyone. A solution could be to set permissions for the folder as well, but I think a better way would be to tell the system to ignore inheritance for this file. This can be done using the advanced option on the security tab in the properties of the file, and unchecking "inherit from parent permissions..."

This might be helpful for others with the same problem.

I never managed to get git to work completely in Powershell. But in the git bash shell I did not have any permission related issues, and I did not need to set chmod etc... After adding the ssh to Github I was up and running.

I was able to fix this by doing two things, though you may not have to do step 1.

  1. copy from cygwin ssh.exe and all cyg*.dll into Git's bin directory (this may not be necessary but it is a step I took but this alone did not fix things)

  2. follow the steps from:

    I added some details to my ~/.ssh/config file:

Port 22
IdentitiesOnly yes
IdentityFile ~/.ssh/id_heroku
TCPKeepAlive yes
User brandon

I had to use User as my email address for Note: this means you need to create a key, I followed this to create the key and when it prompts for the name of the key, be sure to specify id_heroku

  1. then add the key:
    heroku keys:add ~/.ssh/

I'm on XP and this allowed Git Bash to communicate w/ Github (after much frustration):

  1. copy c:\cygwin\bin\cyg* (~50 files) to c:\Program Files\Git\bin\
  2. copy c:\cygwin\bin\ssh.exe to c:\Program Files\Git\bin\ (overwriting)
  3. Create the file c:\Documents and Settings\<username>\.ssh\config containing:

        User git
        PreferredAuthentications publickey
        IdentityFile "/cygdrive/c/Documents and Settings/<username>/.ssh/id_rsa"
  4. (optional) Use ssh -v [email protected] to see the connection debugged.

  5. Try a push!

Background: The general problem is a combination of these two:

  • BUG: mingw32 sees all files as 644 (other/group-readable), and nothing I tried in mingw32, cygwin, or Windows could fix it.
  • mingw32's SSH version won't allow that for private keys (generally a good policy in a server).

Not a direct answer to the primary question, but on your question of how cygwin's folder works... As a general rule, cygwin puts all of "your" files under the equiv of c:\cygwin\home\username. It treats that folder for any user-specific settings rather than the Windows user directory.

OK so here is how I actually forced the change on my Windows files regarding the permissions themselves on Win7: Find your ssh key in windows explorer: C:\Users[your_user_name_here].ssh\id_rsa

Right-click on file>Properties>Security tab>Advanced button>Change permissions

Now remove everyone that is not actually your username. This includes Administrator and System users. At this point you may get a dialogue about inheriting permissions- choose the option that DOESN'T inherit- since we only want to change this file.

Click OK and save till done.

I fought with this for days because my windows would not change the file permissions from the command line. This way it is also ACTUALLY done- instead of using exciting work arounds that make can have odd consequences.

This is a particularly involved problem on Windows, where it's not enough to just chmod the files correctly. You have to set up your environment.

On Windows, this worked for me:

  1. Install cygwin.

  2. Replace the msysgit ssh.exe with cygwin's ssh.exe.

  3. Using cygwin bash, chmod 600 the private key file, which was "id_rsa" for me.

  4. If it still doesn't work, go to Control Panel -> System Properties -> Advanced -> Environment Variables and add the following environment variable. Then repeat step 3.

    Variable      Value
    CYGWIN      sbmntsec

Type on terminal:

chmod -Rf 700 ~/.ssh/

And try again.

What did the trick for me was to update CYGWIN environment variable with: "tty nodosfilewarning". Didn't even need to chmod the key.

You changed the permissions on the whole directory, which I agree with Splash is a bad idea. If you can remember what the original permissions for the directory are, I would try to set them back to that and then do the following

cd ~/.ssh
chmod 700 id_rsa

inside the .ssh folder. That will set the id_rsa file to rwx (read, write, execute) for the owner (you) only, and zero access for everyone else.

If you can't remember what the original settings are, add a new user and create a set of SSH keys for that user, thus creating a new .ssh folder which will have default permissions. You can use that new .ssh folder as the reference for permissions to reset your .ssh folder and files to.

If that doesn't work, I would try doing an uninstall of msysgit, deleting ALL .ssh folders on the computer (just for safe measure), then reinstalling msysgit with your desired settings and try starting over completely (though I think you told me you tried this already).

Edited: Also just found this link via Google -- Fixing "WARNING: UNPROTECTED PRIVATE KEY FILE!" on Linux While it's targeted at linux, it might help since we're talking liunx permissions and such.