
I have a .pem key file that I use to SSH to my EC2 server. I've moved this key file to an encrypted external SSD disk. This has caused the owner of the pem key to be set to 'everyone'.

When I try to use this key in cmd.exe, I get the warning:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions for 'XXXXXXX-kp.pem' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
Load key "XXXXXX-kp.pem": bad permissions
XXXXXX.compute-1.amazonaws.com: Permission denied (publickey,gssapi-keyex,gssapi-with-mic).

I also use this key to connect to my Amazon RDS instance via an EC2 SSH connection. This somehow works without any problem. I've also copied this pem file to the shared folder on my smartphone as a backup. I also have Termux installed on the smartphone, and with Termux I can also SSH to my EC2 instance using the pem file without any problems.

So how bad is it exactly when you don't assign an owner to your pem file? Does it somehow make the ssh connection less secure? If so, how?

1 Answer


Technically, the connection is not less secure.

Practically, the system is less secure. This message seems to be related to having the wrong permissions on your ssh key files. If any user of the system (including limited users) can overwrite or read the key files, then they can compromise that account. The system will not trust it because it can’t be sure it wasn’t tampered with.

I’m unfamiliar with SSH on Windows. But, on Linux, usually this means that permissions for files in /.ssh/ should be read/writable by the owner only, i.e. 600.

See here, which contains Linux and Windows solutions: https://stackoverflow.com/questions/25869207/getting-warning-unprotected-private-key-file-error-message-while-attempting
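
The 600 rule from the answer above, as an added example that is not part of the original post or of any SSH client's code: a POSIX-only Python audit that flags a key file when any group/other permission bit is set (the 077 mask) and then tightens it to 600. The function names, the constructed sample file, and the extra ownership check are assumptions of this example.

```python
import os
import stat
import tempfile

# Human-readable labels for each group/other permission bit (together: mask 077).
OPEN_BITS = [
    (stat.S_IRGRP, "group can read"),
    (stat.S_IWGRP, "group can write"),
    (stat.S_IXGRP, "group can execute"),
    (stat.S_IROTH, "others can read"),
    (stat.S_IWOTH, "others can write"),
    (stat.S_IXOTH, "others can execute"),
]


def audit_key(path):
    """Return (ok, mode, problems) for a private key file."""
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    problems = []
    # Assumption of this example: also require the current user to own the file.
    if st.st_uid != os.getuid():
        problems.append("owned by uid %d, not the current user" % st.st_uid)
    problems += [label for bit, label in OPEN_BITS if mode & bit]
    return (not problems, mode, problems)


def tighten_key(path):
    """Restrict the key to owner read/write (600) and re-audit it."""
    os.chmod(path, 0o600)
    return audit_key(path)


def demo():
    """Audit a constructed, empty stand-in key file before and after the fix."""
    fd, path = tempfile.mkstemp(suffix="-kp.pem")
    os.close(fd)
    try:
        os.chmod(path, 0o644)  # constructed "too open" state
        before = audit_key(path)
        after = tighten_key(path)
        return before, after
    finally:
        os.remove(path)


if __name__ == "__main__":
    for label, (ok, mode, problems) in zip(("before", "after"), demo()):
        print(label, oct(mode), "OK" if ok else "; ".join(problems))
```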
