Fun with Git for Windows, SSH Keys and Passphrases

Disclaimer: this post is one to file under “things I’m blogging in the hope that I find the answer more quickly next time”.

Background

I switched to using SSH key auth for GitHub and Azure DevOps Repos a long time ago and never looked back. For a while I was using SSH keys without passphrases but got round to adding passphrases a while back. I set up the Windows OpenSSH Authentication Agent - the service defaults to Disabled so I set it as Automatic start and nudged it to Running. (For more information, see the docs on installing Windows OpenSSH)

Windows Services showing OpenSSH Authentication Agent Running

With the Agent running I could run ssh-add to add my keys (prompting me for my pass phrase). Since I have these keys added to GitHub, I could test my ssh connection to GitHub using ssh -T git@github.com. This all worked so I was happy.

I have been using WSL quite a bit recently and configured to forward SSH requests to the Windows SSH Agent (that’s a topic for another post), and the same ssh -T git@github.com works in WSL, too.

Since configuring this, I’ve been happily working with git in the terminal with WSL for a while. Today I wanted to work with some code that I had cloned in Windows, so ran a git remote update to check that I was up-to-date, but that prompted me for my passphrase. At this point I was confused: this is all working fine in WSL without prompting me, and WSL is configured to forward the SSH auth to the OpenSSH Agent in Windows!

The explanation

After staring at the screen and retrying the command to make sure, I re-ran the ssh -T git@github.com command in Windows and that ran fine (without prompting me).

Cue lightbulb moment (actually there was some muttering to myself while pacing the office that preceeded this): git ships with its own ssh! (at least git for Windows does). There’s a hint towards that in these GitHub docs where they say to start Git Bash to run ssh-add.

Running Get-Command ssh.exe in PowerShell pointed me to the OpenSSH installation at C:\WINDOWS\System32\OpenSSH\ssh.exe. So when I was running ssh -T git@github.com that was using the OpenSSH ssh.exe and connecting to the Open SSH Authentication Agent where I had added the keys.

When git was running SSH, it was running its own ssh and was blissfully unaware of the agent I had added the keys to.

The fix

To fix this I ran $env:GIT_SSH="C:\Windows\System32\OpenSSH\ssh.exe" to set the GIT_SSH environment variable described here. Note that I ran this as a way to test that this worked, but it only sets the environment variable for that instance of PowerShell. The real fix is to set this environment variable at the machine level to avoid hitting the issue again.

Re-running git remote update worked, without prompting me (now that it was using the SSH agent where I had configured the keys)!