How to make Powershell remember the SSH key passphrase.

MakePowerShellRememberSSHPassphrase.md

You should not use the Open SSH client that comes with Git for Windows. Instead, Windows 10 has its own implementation of Open SSH that is integrated with the system. To achieve this:

1. Start the ssh-agent from Windows Services:

• Type Services in the Start Menu or Win+R and then type services.msc to launch the Services window;
• Find the OpenSSH Authentication Agent in the list and double click on it;
• In the OpenSSH Authentication Agent Properties window that appears, choose Automatic from the Startup type: dropdown and click Start from Service status:. Make sure it now says Service status: Running.

2. Configure Git to use the Windows 10 implementation of OpenSSH by issuing the following command in Powershell:

git config --global core.sshCommand C:/Windows/System32/OpenSSH/ssh.exe

3. Configure SSH to automatically add the keys to the agent on startup by editing the config file found at $HOME\.ssh\config (full path - C:\Users\%YOUR_USERNAME%\.ssh\config), and add the following lines:

Host *
	AddKeysToAgent yes
	IdentitiesOnly yes

You can also add the following lines if you generated an SSH key with custom name or multiple SSH keys:

Host github.com
	HostName github.com
	User your_user_name
	IdentityFile ~/.ssh/your_file_name

4. Add your SSH key to the ssh-agent by issuing the ssh-add command and entering your passphrase:

ssh-add $HOME/.ssh/your_file_name

5. Done! Now restart your Powershell and even Windows if necessary.

If this was useful, you can buy me a coffee here. Thank you!

If you installed git with git for Windows and you use git command natively in your CMD, Powershell, Terminal, you should create GIT_SSH environmental variable which pointing for the result of the where ssh command, for example: c:\Windows\System32\OpenSSH\ssh.exe. After this, git not asking for passphrase.

Source: https://stackoverflow.com/questions/18683092/how-to-run-ssh-add-on-windows

@DJviolin Oh, nice! I didn't know you could do that. Thanks for the tip! But you still have to turn on OpenSSH Authentication Agent from Windows Services, as it's not turned on by default. And a config file is still required if you have multiple SSH keys of different types. I personally have different keys for each server or service.

Yes, sorry, I didn't mentoined it, all those steps are still neccessary. This is for edge cases where git still asking for passphrase.

For people who struggle with the ssh-add command, please follow this StackOverflow thread:
https://stackoverflow.com/questions/18683092/how-to-run-ssh-add-on-windows

TLDR: enable "OpenSSH Authentication Agent" and start it, to make ssh-add work.

For whatever reason, all this did not help me until I also put the public key file into ~/.ssh/. With only the private key, it continued to prompt me for the keyphrase. Still, thanks for the writeup!

WOW this was IT!!!

Thanks for this gist. Somehow this was the only working thing I could find. Even GitHub's documentation has a terrible guide that doesn't work.

@ThomasFrans I'm glad I could help! Yeah, I know, that's why I created this gist, I like things to work as smoothly as possible!

only thing that worked, thanks a ton

Thank you! @danieldogeanu and @XanderXAJ This helped me! It's working!

In addition to the initial Gist, I also had to do this:

# In Admin PowerShell
Get-Service ssh-agent | Set-Service -StartupType Automatic
Start-Service ssh-agent

For whatever reason, all this did not help me until I also put the public key file into ~/.ssh/. With only the private key, it continued to prompt me for the keyphrase. Still, thanks for the writeup!

WOW this was IT!!!

O my! It took me a year to figure this out! Why is this not common knowledge!

Thank you! Could solve the "FATAL ERROR: No supported authentication methods available (server sent: publickey)
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.
failed to run git: exit status 128" symptom with this!

Thank you! Could solve the "FATAL ERROR: No supported authentication methods available (server sent: publickey) fatal: Could not read from remote repository.

Please make sure you have the correct access rights and the repository exists. failed to run git: exit status 128" symptom with this!

You either made a mistake when setting up SSH, or didn't add your public key to GitHub/GitLab, to allow access through SSH. Please follow their tutorial on how to set up SSH, and only follow this tutorial to make PowerShell remember your SSH key. Also, please make sure you're using the repo via SSH, and not HTTPS! Check the remote URL for the repo!

I can't debug for you, but here's what ChatGPT has to say.

Many thanks to all of you for your contributions. It really drives me mad not to find out how this whole stuff is working on Windows 11 with the OpenSSH Authentication Agent. It works, it even is ultra-convenient, it just is not clear how it works. The normal expected behavior of an SSH Agent for me is, that it loads my keys that I add to it (in my case on Windows 11 with ssh-add ~/.ssh/my_keyname) into the process memory and asks me for a password (if I set one, what I always do). In my .ssh folder there are always both files that build a keypair. The private key and the corresponding .pub public key file. All this works fine. I use ssh-add to add my key to the agent and then do my stuff on github and on some vps and linux vms. All fine. But now I shutdown or reboot my machine (sometimes you have to do something away from the machines, I guess) and come back later to start it up again. The fact, that now, even when I had the startup type of the OpenSSH Authentication Agent set to manual and I started it after my login, my ssh key with a secure passphrase works without ever asking me again for the passphrase is nuts. I was not able to find someone who could explain me, where and how the passphrase is cached, so that the agent can use my key permanently without ever needing me to enter the passphrase again. I know, it's super convenient and some might think why I complain, but it is disturbing. I am working with some pretty sensitive environments and I truly want to know, how this credential caching works. Till I found out, I will use ssh-add -D to delete the keys from the agent, whenever I do no longer need them. So if anybody can tell me how this works, it would make my sleep better again. TIA.

@MarkusEicher I'm honestly not sure how it works, but from what I could find out, the OpenSSH Authentication Agent on Windows uses something called DPAPI (Data Protection API), to store user keys (not just SSH). It technically doesn't store your passwords/passphrases, but the contents of your private keys, into RAM. I can't tell you more than that, as this topic is way too advanced for me, but here are some links that might help you:

• Data Protection API - Wikipedia
• How to Use Data Protection - .NET
• Key-based authentication in OpenSSH for Windows
• PowerShell/Win32-OpenSSH Wiki