Windows Broadcaster Will Not Connect to ZEN Master (SSH Tunnel / Key Permissions)
What this covers

A Zixi Broadcaster installed on Windows shows as Pending or Offline in ZEN Master even though the broadcaster itself is running and its web UI (port 4444) is reachable. The cause is that the reverse SSH tunnel the broadcaster opens back to ZEN Master fails to start, almost always because of file ownership or permissions on the SSH private key or the .ssh directory used by the Windows service account. This is specific to Windows; Linux hosts are not affected in the same way.

Symptoms

- In ZEN Master, the broadcaster never leaves Pending, or it flips to Offline shortly after you complete Step 5: Connect the Broadcaster.
- The broadcaster service is running and the local UI at http://localhost:4444 works.
- The broadcaster log / Windows Event Log shows an SSH error referencing the .ssh path under the service profile, for example:

    C:\Windows\System32\config\systemprofile\.ssh\id_rsa: bad permissions
    Permissions for 'id_rsa' are too open.
    It is required that your private key files are NOT accessible by others.
    Load key "id_rsa": bad permissions

- The error appears immediately at tunnel start, not after a period of streaming.

Root cause

The broadcaster runs as a Windows service under the LocalSystem account. To reach ZEN Master it launches the bundled OpenSSH client (ssh.exe) and opens a reverse tunnel, supplying the private key downloaded from ZEN Master. Because the service uses the LocalSystem profile, ssh looks for its key material under:

    C:\Windows\System32\config\systemprofile\.ssh

Modern OpenSSH on Windows 10/11 and Windows Server strictly enforces ownership and ACLs on the private key file and the .ssh directory. Windows OpenSSH accepts access entries on a private key only for the file owner, SYSTEM and the Administrators group. If the key file is owned by the wrong account, is readable/writable by groups such as Users, Authenticated Users or Everyone (or by a named interactive user), or the .ssh directory does not exist or is not writable by the service account, OpenSSH refuses to use the key and aborts. The tunnel never comes up, so ZEN Master never sees the broadcaster as connected.

Note: the 64-bit broadcaster installer ships its OpenSSH client as ssh.exe (the 64-bit build); the Feeder / 32-bit package ships a 32-bit ssh.exe. This matters only for workaround 5 below.

Step-by-step resolution

Work through these in order. Steps 1–2 resolve the large majority of cases.

1. Pre-create and permission the .ssh directory

Confirm the directory exists and is writable by the account the broadcaster service runs as (LocalSystem by default):

    C:\Windows\System32\config\systemprofile\.ssh

If it is missing, create it. Grant the broadcaster service account (LocalSystem, or the dedicated service account if you changed it) Full Control of this directory, and remove broad inherited permissions for Users / Everyone.

2. Fix the private key file ownership and ACLs

The private key must be owned by the service account and not readable or writable by any group or other user. In an elevated PowerShell, for the key file in that .ssh directory:

    icacls "C:\Windows\System32\config\systemprofile\.ssh\<keyfile>" /inheritance:r
    icacls "C:\Windows\System32\config\systemprofile\.ssh\<keyfile>" /grant:r "SYSTEM:F"
    icacls "C:\Windows\System32\config\systemprofile\.ssh\<keyfile>" /remove "Users" "Authenticated Users" "Everyone"

(If the service runs under a named account rather than LocalSystem, grant that account in place of SYSTEM.) The first command strips inherited entries and the second replaces only SYSTEM's own entry, so the third command is what clears any explicit entries that were granted directly to those groups. These commands change the ACL but not the owner: if the key was saved by an interactive user, transfer ownership to the service account as well (file Properties → Security → Advanced → Owner, or icacls /setowner). Running icacls on the key file with no switches prints the resulting ACL so you can confirm only SYSTEM (and, optionally, Administrators) remain. Restart the broadcaster service and recheck the status in ZEN Master.

3. Run the install / service with Administrator privileges

If the directory and key cannot be created or re-permissioned, the installer or service may not have had sufficient rights. Reinstall or start the broadcaster service as Administrator so it can create and lock down the .ssh directory correctly.

4. Verify the Remote Source Port matches ZEN Master

A wrong tunnel port produces the same "Offline in ZEN" symptom even when the key is fine. In the broadcaster UI under Settings → SSH Connections, confirm the Remote Source Port (and local destination IP/port) exactly match the values shown in the broadcaster's Config instructions in ZEN Master. See SSH Connections (https://docs.zixi.com/zixi-broadcaster-zec-current-version/ssh-connections) and Step 5: Connect the Broadcaster (Broadcaster UI) (https://docs.zixi.com/quick-start/step-5-connect-the-broadcaster).

5. (Last resort) Swap in the 32-bit ssh.exe

In rare environments where the bundled 64-bit ssh.exe still fails the key check, replacing it with the 32-bit ssh.exe from the Zixi Feeder package (placed in the broadcaster install directory in place of ssh.exe) has resolved the tunnel for some sites. Treat this as a workaround of last resort and note the change for Support.

6. Re-download a fresh SSH key

If the key may be corrupt or mismatched, generate/download a fresh key from ZEN Master (see Step 3: Create an SSH Key, https://docs.zixi.com/quick-start/step-3-create-an-ssh-key), re-apply it in the broadcaster's SSH connection, and re-apply the ownership/ACL fix from step 2.

Decision tree

- Broadcaster stuck Pending/Offline in ZEN but local UI (4444) works? → continue.
- Log references the .ssh path / "bad permissions" / "too open"? → yes → key/directory permissions issue → steps 1–3.
- No permissions error, but still Offline? → check Remote Source Port vs ZEN config → step 4.
- Permissions correct and port correct, still failing? → try the 32-bit ssh.exe (step 5) and/or a fresh key (step 6).
- Still failing after all of the above? → collect logs and escalate.

Escalation checklist

Open a Zixi Support ticket and include:

Item | Details / location
Broadcaster version and Windows OS/build | Broadcaster UI header; Windows version (10/11 / Server 2016/2019), 32- or 64-bit
Broadcaster log / Windows Event Log excerpt | The SSH error showing the .ssh path and the "bad permissions" / "too open" text
Service account the broadcaster runs as | LocalSystem or a named service account
Current ACLs on the key file and .ssh directory | Output of icacls for both
Remote Source Port configured vs ZEN Master config value | Broadcaster Settings → SSH Connections, and ZEN Master Broadcaster → Config
Whether the 32-bit ssh.exe swap was attempted | Yes/No
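Steps 1 and 2 above, applied and verified from an elevated PowerShell prompt, as an added example (this is not Zixi's own script). It goes a little beyond the step text: it also sets the file owner, grants Administrators alongside the service account (which Windows OpenSSH accepts, so operators can still manage the key), then checks the resulting ACLs against the principals OpenSSH tolerates, restarts the service and looks for the "bad permissions" error. The key file name, the service name ZixiBroadcaster and the assumption that the broadcaster writes to the Application event log are placeholders to adjust for your host.

```powershell
# Added example, not Zixi's code: apply steps 1-2 for a broadcaster running as
# LocalSystem, verify the ACLs the way Windows OpenSSH judges them, restart the
# service and scan the Event Log for the tunnel error.
#Requires -RunAsAdministrator
param(
    [string]$KeyFile        = 'id_rsa',             # assumption: key name as downloaded from ZEN Master
    [string]$ServiceName    = 'ZixiBroadcaster',    # assumption: confirm with Get-Service
    [string]$ServiceAccount = 'NT AUTHORITY\SYSTEM' # LocalSystem; use the named account if you changed it
)

$sshDir  = Join-Path $env:SystemRoot 'System32\config\systemprofile\.ssh'
$keyPath = Join-Path $sshDir $KeyFile

# Principals Windows OpenSSH accepts on a private key: the owner, SYSTEM and Administrators.
$allowed = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', $ServiceAccount)

# Step 1: the LocalSystem .ssh directory must exist and be locked down.
if (-not (Test-Path -LiteralPath $sshDir)) {
    New-Item -ItemType Directory -Path $sshDir | Out-Null
}
icacls $sshDir /inheritance:r | Out-Null
icacls $sshDir /grant:r "${ServiceAccount}:(OI)(CI)F" 'BUILTIN\Administrators:(OI)(CI)F' | Out-Null

# Step 2: the key must be owned by the service account, with no Users/Everyone access.
if (-not (Test-Path -LiteralPath $keyPath)) {
    throw "Key file not found: $keyPath (download it from ZEN Master first)"
}
icacls $keyPath /setowner $ServiceAccount | Out-Null
icacls $keyPath /inheritance:r | Out-Null
icacls $keyPath /grant:r "${ServiceAccount}:F" 'BUILTIN\Administrators:F' | Out-Null
icacls $keyPath /remove 'Users' 'Authenticated Users' 'Everyone' | Out-Null

# Verification: list every ACE that OpenSSH would reject as "too open".
function Get-OffendingAce {
    param([string]$Path)
    (Get-Acl -LiteralPath $Path).Access |
        Where-Object { $allowed -notcontains $_.IdentityReference.Value }
}
foreach ($p in @($sshDir, $keyPath)) {
    $bad = @(Get-OffendingAce $p)
    if ($bad.Count -gt 0) {
        $bad | ForEach-Object { Write-Warning "$p still grants $($_.FileSystemRights) to $($_.IdentityReference)" }
    } else {
        Write-Host "OK: $p is restricted to $($allowed -join ', ')"
    }
}
Write-Host "Owner of $keyPath is $((Get-Acl -LiteralPath $keyPath).Owner)"

# Restart the broadcaster so it relaunches ssh.exe with the corrected key, then
# look for the permission error in the Application log (assumed log name).
$since = Get-Date
Restart-Service -Name $ServiceName
Start-Sleep -Seconds 15
$errors = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'bad permissions|too open' }
if ($errors) {
    $errors | ForEach-Object { Write-Warning "$($_.TimeCreated): $($_.Message)" }
} elseif (Get-Process -Name ssh -ErrorAction SilentlyContinue) {
    Write-Host 'ssh.exe is running and no permission error was logged; check ZEN Master for Connected.'
} else {
    Write-Warning 'No permission error logged, but no ssh.exe process is running; check the Remote Source Port (step 4).'
}
```

The (OI)(CI) flags on the directory grant make the entries inherit to files created later, so a key re-downloaded in step 6 lands with a sane ACL; the explicit /inheritance:r on the key file still applies afterwards because the key's own ACL is what OpenSSH reads.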
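The escalation checklist above, gathered into one text file to attach to the ticket, as an added example (not a Zixi tool). It also reads the PE header of the installed ssh.exe to report whether it is the 32-bit or 64-bit build, which settles the last checklist item without guessing. The service name, install directory, key file name and the Application log name are assumptions; the broadcaster version and the two port values come from the UI and are left as blanks to fill in by hand.

```powershell
# Added example, not Zixi's code: collect the escalation checklist items into a text file.
param(
    [string]$ServiceName = 'ZixiBroadcaster',                 # assumption: confirm with Get-Service
    [string]$InstallDir  = 'C:\Program Files\Zixi\Broadcaster', # assumption: broadcaster install directory
    [string]$KeyFile     = 'id_rsa',                            # assumption: key name as downloaded from ZEN Master
    [string]$OutFile     = "$env:TEMP\zixi-ssh-tunnel-diag.txt"
)

$sshDir  = Join-Path $env:SystemRoot 'System32\config\systemprofile\.ssh'
$keyPath = Join-Path $sshDir $KeyFile
$sshExe  = Join-Path $InstallDir 'ssh.exe'

# Read the PE header: e_lfanew at offset 0x3C points to "PE\0\0", immediately
# followed by the 2-byte Machine field of IMAGE_FILE_HEADER.
function Get-PeMachine {
    param([string]$Path)
    $bytes    = [System.IO.File]::ReadAllBytes($Path)
    $peOffset = [BitConverter]::ToInt32($bytes, 0x3C)
    $machine  = [BitConverter]::ToUInt16($bytes, $peOffset + 4)
    switch ($machine) {
        0x014c  { '32-bit (x86)' }
        0x8664  { '64-bit (x64)' }
        0xAA64  { 'ARM64' }
        default { 'unknown (0x{0:X4})' -f $machine }
    }
}

# icacls output for a path, or a clear marker if the path is missing.
function Get-AclReport {
    param([string]$Path)
    if (Test-Path -LiteralPath $Path) { icacls $Path } else { "MISSING: $Path" }
}

$svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
$os  = Get-CimInstance Win32_OperatingSystem

$report = @()
$report += '=== Windows ==='
$report += "$($os.Caption) build $($os.BuildNumber) ($($os.OSArchitecture))"
$report += '=== Broadcaster service ==='
if ($svc) {
    $report += "Name: $($svc.Name)  State: $($svc.State)  Account: $($svc.StartName)"
    $report += "Binary: $($svc.PathName)"
} else {
    $report += "Service '$ServiceName' not found; check the name with Get-Service"
}
$report += '=== Bundled ssh.exe ==='
if (Test-Path -LiteralPath $sshExe) {
    $report += "$sshExe : $(Get-PeMachine $sshExe)"
} else {
    $report += "ssh.exe not found at $sshExe"
}
$report += "=== icacls $sshDir ==="
$report += Get-AclReport $sshDir
$report += "=== icacls $keyPath ==="
$report += Get-AclReport $keyPath
$report += '=== Application log, last 24h, SSH/permission errors (assumed log name) ==='
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; StartTime = (Get-Date).AddHours(-24) } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'bad permissions|too open|\.ssh' } |
    Select-Object -First 20
foreach ($e in $events) { $report += "$($e.TimeCreated) [$($e.ProviderName)] $($e.Message)" }
$report += '=== Fill in from the UIs ==='
$report += 'Broadcaster version (UI header): '
$report += 'Remote Source Port in Broadcaster Settings -> SSH Connections: '
$report += 'Remote Source Port in ZEN Master Broadcaster -> Config: '
$report += '32-bit ssh.exe swap attempted (yes/no): '

$report | Set-Content -Path $OutFile -Encoding UTF8
Write-Host "Diagnostics written to $OutFile"
```

Run it elevated so icacls can read the LocalSystem profile directory; the StartName field of Win32_Service reports LocalSystem for the default configuration, which is the "service account" item in the checklist.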
