Skip to content

Instantly share code, notes, and snippets.

@danieldogeanu
Last active October 31, 2024 20:59
Show Gist options
  • Save danieldogeanu/16c61e9b80345c5837b9e5045a701c99 to your computer and use it in GitHub Desktop.
Save danieldogeanu/16c61e9b80345c5837b9e5045a701c99 to your computer and use it in GitHub Desktop.
How to make Powershell remember the SSH key passphrase.

You should not use the Open SSH client that comes with Git for Windows. Instead, Windows 10 has its own implementation of Open SSH that is integrated with the system. To achieve this:

  1. Start the ssh-agent from Windows Services:
  • Type Services in the Start Menu or Win+R and then type services.msc to launch the Services window;
  • Find the OpenSSH Authentication Agent in the list and double click on it;
  • In the OpenSSH Authentication Agent Properties window that appears, choose Automatic from the Startup type: dropdown and click Start from Service status:. Make sure it now says Service status: Running.
  1. Configure Git to use the Windows 10 implementation of OpenSSH by issuing the following command in Powershell:
git config --global core.sshCommand C:/Windows/System32/OpenSSH/ssh.exe
  1. Configure SSH to automatically add the keys to the agent on startup by editing the config file found at $HOME\.ssh\config (full path - C:\Users\%YOUR_USERNAME%\.ssh\config), and add the following lines:
Host *
	AddKeysToAgent yes
	IdentitiesOnly yes

You can also add the following lines if you generated an SSH key with custom name or multiple SSH keys:

Host github.com
	HostName github.com
	User your_user_name
	IdentityFile ~/.ssh/your_file_name
  1. Add your SSH key to the ssh-agent by issuing the ssh-add command and entering your passphrase:
ssh-add $HOME/.ssh/your_file_name
  1. Done! Now restart your Powershell and even Windows if necessary.

If this was useful, you can buy me a coffee here. Thank you!

@kmrajibfaysal
Copy link

Thank you, Brother. It helps me a lot!

@danieldogeanu
Copy link
Author

@kmrajibfaysal You're welcome! I'm glad it does!

@BroMattMiller
Copy link

Works great. Two things:

First, I didn't need this in ~/.ssh/config:

Host *
	AddKeysToAgent yes
	IdentitiesOnly yes

After ssh-add and restarting Windows, my keys are still decrypted and I can ssh from Powershell without a problem.

Second, is there a way to get the agent to ask for the passphrase once per key? I guess I'm used to the way ssh-agent works on Linux, where you add each key to the agent by supplying the passphrase and it stays decrypted until the agent process is killed, or the key is removed. I like the extra protection of having to supply the passphrase once.

@danieldogeanu
Copy link
Author

@BroMattMiller You shouldn't have done this tutorial if that's what you wanted. As you said, you shouldn't add these in your ~/.ssh/config config file:

Host *
	AddKeysToAgent yes
	IdentitiesOnly yes

And you should set OpenSSH Authentication Agent to Manual instead of Automatic. That way it will only start when you issue the ssh-add command (or at least I hope it starts that way). It should remember your passphrases until you close Powershell, or next time you reboot your system. I'm not 100% sure it will do that though, so let me know if it works.

@BroMattMiller
Copy link

Yeah, I realized that what I wanted was kind of against what the title of this gist is saying. But, it's close!

I found that if the agent service startup is set to Manual but the agent is not running then ssh-add <key_file> fails saying that it can't connect to the agent. If the agent is running I'm prompted for the key passphrase, and the key is added. I did find that I can remove the key from the agent anytime with ssh-add -d <key_file>, so if it's important to me that the key not be decrypted automatically every time I log into Windows, then my workaround is to delete the key manually. This way I'm able to recover the behavior I was looking for.

Now, regarding the AddKeysToAgent yes directive in the ssh config file, for me it doesn't seem to cause keys to automatically add when the agent starts. It seems that ssh-add <key_file> itself stores the key permanently within the agent, regardless of this directive. After adding a key, I can even delete the key file from my .ssh directory, and the agent still remembers it, even across a reboot. I did find that with the directive set, an ssh operation, for example git pull, that needs a key that is not in the agent, will load that key into the agent after prompting for the passphrase. So, this directive seems to be a way to auto-add a key into the agent the first time it's needed. Again, the Windows interpretation of adding a key into the agent is to remember the key from that point forever, until you manually delete it.

@danieldogeanu
Copy link
Author

@BroMattMiller Oh, that's weird. I used to have trouble making the agent remember them and now it's the reverse? Unfortunately I can't test things out on my production machine, and my test PC is not functional right now, but I'll update this gist with new info when I have time to test things out. Thanks for letting me know!

@bdavidhicks
Copy link

Here is the SO link for line 1: Bad configuration option: \377\376h error when trying to git pull or similar after the steps above, I found that the encoding was incorrect for my config file contents. It should be simply UTF-8 and is easily changed with VSCode or similar editors.

I think it was because I ran an echo command to output my new config file after copy pasting the above config into Powershell so it defaulted to UFT-16 for some reason???

After I fixed the encoding to be UTF-8, everything works flawlessly! Thank you for sharing this gist!

@danieldogeanu
Copy link
Author

@bdavidhicks Oh, I never knew that was a thing... I created the file with VS Code, so it was by default UTF-8. Thanks for letting us know!

@XanderXAJ
Copy link

XanderXAJ commented Jan 7, 2022

Thanks for the hints. It's all worked very smoothly with barely any config. I've got some tips that worked for me on Windows 11:

It's possible to replace the manual instructions to enable the OpenSSH Authentication Agent with Powershell commands:

# RUN AS ADMIN: Enable and start Windows' built-in OpenSSH agent
# https://docs.microsoft.com/en-us/windows-server/administration/openssh/openssh_keymanagement
Get-Service ssh-agent | Set-Service -StartupType Automatic
Start-Service ssh-agent

# Add your key
ssh-add

It's also now possible to skip the core.sshCommand if you choose "Use external OpenSSH" when installing Git for Windows:
image

Tangentially related to the above SSH discussion, but if you want to use the same git credential manager as Windows on WSL, Microsoft have instructions for that.

@danieldogeanu
Copy link
Author

danieldogeanu commented Jan 7, 2022

@XanderXAJ Thanks for the tips as well! I saw that Git for Windows included the option to Use external OpenSSH, I'll update the gist as soon as I'll have the time.

Copy link

ghost commented Apr 27, 2022

Thanks everybody in the comments and @danieldogeanu for starting this all.

@danieldogeanu
Copy link
Author

@kirill-lappo-dgt Thanks for all the coffee! I wasn't planning on sleeping the next few weeks anyway! 😂

@Molter
Copy link

Molter commented Apr 29, 2022

I was receiving the following error about the MAC input:

Corrupted MAC on input.
ssh_dispatch_run_fatal: Connection to 1.2.3.4 port 22: message authentication code incorrect
fatal: Could not read from remote repository.

I found two ways to solve it:

1 - add the MAC to git config, the downside is that it forces all of the connections to use the same MAC algorithm.

git config --global core.sshCommand "C:/Windows/System32/OpenSSH/ssh.exe -m hmac-sha2-256"

2 - add the MAC algorithms in the SSH config, this ties the host to the algorithm (replace host.com by your host e.g. gitlab.com)

Host *
	HostName host.com
	IdentityFile ~/.ssh/id_rsa
	MACs hmac-sha2-256

@danieldogeanu
Copy link
Author

@Molter I've never encountered this sort of problem, but thanks for posting the solution here!

@dariopnc
Copy link

dariopnc commented May 6, 2022

Hi, for anyone stumbling here, I had another weird issue: even though ssh-agent was running, when executing ssh-add it was always replying with error fetching identities: communication with agent failed. This was solved by connecting my work computer with its domain, via VPN.

Some other examples of this behaviour are reported here: PowerShell/Win32-OpenSSH#1133 (comment)

@danieldogeanu
Copy link
Author

@dariopnc Thanks for the heads up! It does kinda make sense for the ssh-agent to not work without it being connected to the domain.

@issam-seghir
Copy link

i can't find any config file in the ~/.ssh folder !!

@danieldogeanu
Copy link
Author

@issam-seghir You have to create it manually, it's not there by default.

@tduongtad1304
Copy link

tduongtad1304 commented Feb 10, 2023

Thanks for sharing @danieldogeanu! I researched all around the Internet and was almost fed up with some temporary solutions until I found this gist.

@danieldogeanu
Copy link
Author

@tduongtad1304 You're welcome! Glad I could help!

@DJviolin
Copy link

If you installed git with git for Windows and you use git command natively in your CMD, Powershell, Terminal, you should create GIT_SSH environmental variable which pointing for the result of the where ssh command, for example: c:\Windows\System32\OpenSSH\ssh.exe. After this, git not asking for passphrase.

Source: https://stackoverflow.com/questions/18683092/how-to-run-ssh-add-on-windows

@danieldogeanu
Copy link
Author

@DJviolin Oh, nice! I didn't know you could do that. Thanks for the tip! But you still have to turn on OpenSSH Authentication Agent from Windows Services, as it's not turned on by default. And a config file is still required if you have multiple SSH keys of different types. I personally have different keys for each server or service.

@DJviolin
Copy link

Yes, sorry, I didn't mentoined it, all those steps are still neccessary. This is for edge cases where git still asking for passphrase.

@d-wojciechowski
Copy link

For people who struggle with the ssh-add command, please follow this StackOverflow thread:
https://stackoverflow.com/questions/18683092/how-to-run-ssh-add-on-windows

TLDR: enable "OpenSSH Authentication Agent" and start it, to make ssh-add work.

@SonGokussj4
Copy link

For whatever reason, all this did not help me until I also put the public key file into ~/.ssh/. With only the private key, it continued to prompt me for the keyphrase. Still, thanks for the writeup!

WOW this was IT!!!

@ThomasFrans
Copy link

Thanks for this gist. Somehow this was the only working thing I could find. Even GitHub's documentation has a terrible guide that doesn't work.

@danieldogeanu
Copy link
Author

@ThomasFrans I'm glad I could help! Yeah, I know, that's why I created this gist, I like things to work as smoothly as possible!

@deotimedev
Copy link

only thing that worked, thanks a ton

@anton-x-t
Copy link

anton-x-t commented Apr 18, 2024

Thank you! @danieldogeanu and @XanderXAJ This helped me! It's working!

In addition to the initial Gist, I also had to do this:

# In Admin PowerShell
Get-Service ssh-agent | Set-Service -StartupType Automatic
Start-Service ssh-agent

@simkin
Copy link

simkin commented Jun 20, 2024

For whatever reason, all this did not help me until I also put the public key file into ~/.ssh/. With only the private key, it continued to prompt me for the keyphrase. Still, thanks for the writeup!

WOW this was IT!!!

O my! It took me a year to figure this out! Why is this not common knowledge!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment