Why git can’t remember my passphrase under Windows

I have just started using git and I can’t get it to remember my passphrase. I’m using cmd.exe elevated and my git host is GitHub, and I have created an SSH key like that guide on GitHub

but I still get

*subnus.mvc>git push origin master
Enter passphrase for key '/c/Users/Subnus/.ssh/id_rsa':

I realize that this question is coming up on two years old, but I had the same issue and several answers here did not completely answer the question for me. Here are three step-by-step solutions, depending on whether you use TortoiseGit in addition to msysgit or not.

First solution

Assumes Windows, msysgit, and PuTTY.

  1. Install msysgit and PuTTY as instructed.

  2. (Optional) Add PuTTY to your path. (If you do not do this, then any references to PuTTY commands below must be prefixed with the full path to the appropriate executable.)

  3. If you have not done so already, then generate a key hash as instructed at GitHub or as instructed by your Git host.

  4. Again, if you have not already done so, convert your key for use with PuTTY’s pageant.exe using puttygen.exe. Instructions are in PuTTY’s documentation, in this helpful guide, and several other places in cyberspace.

  5. Run PuTTY’s pageant.exe, open your .ppk file (“Add Key”), and provide your passphrase for your key.

  6. Access Windows’ environment variables dialog (Right-click on “Computer”, Click on “Properties”, Click on “Advanced system settings” or the “Advanced” tab, click on “Environment Variables”). Add the following environment variable:

    GIT_SSH=C:\full\path\to\plink.exe

    Replace “C:\full\path\to” with the full installation path to PuTTY, where plink.exe is found. It is probably best to add it to the “User variables” section. Also, make sure that the path you use to plink.exe matches the path you use for Pageant (pageant.exe). In some cases, you may have several installations of PuTTY because it might be installed along with other applications. Using plink.exe from one installation and pageant.exe from another will likely cause you trouble.

  7. Open a command prompt.

  8. If you are trying to connect to a git repository hosted at Github.com then run the following command:

    plink.exe [email protected]

    If the git repository you are trying to connect to is hosted somewhere else, then replace [email protected] with an appropriate user name and URL. (Assuming Github) You should be informed that the server’s host key is not cached, and asked if you trust it. Answer with a y. This will add the server’s host key to PuTTY’s list of known hosts. Without this step, git commands will not work properly. After hitting enter, Github informs you that Github does not provide shell access. That’s fine…we don’t need it. (If you are connecting to some other host, and it gives you shell access, it is probably best to terminate the link without doing anything else.)

  9. All done! Git commands should now work from the command line. You may want to have pageant.exe load your .ppk file automatically at boot time, depending on how often you’ll be needing it.

Second solution

Assumes Windows, msysgit, and TortoiseGit.

TortoiseGit comes with PuTTY executables and a specially modified version of plink (called TortoisePlink.exe) that will make things easier.

  1. Install msysgit and TortoiseGit as instructed.

  2. If you have not done so already, then generate a key hash as instructed at GitHub or as instructed by your Git host.

  3. Again, if you have not already done so, convert your key for use with TortoiseGit’s pageant.exe using TortoiseGit’s puttygen.exe. Instructions are in PuTTY’s documentation, in the helpful guide linked to in the first solution, and in several other places in cyberspace.

  4. Run TortoiseGit’s pageant.exe, open your .ppk file (“Add Key”) and provide your passphrase for your key.

  5. Access Windows’ environment variables dialog (Right-click on “Computer”, Click on “Properties”, Click on “Advanced system settings” or the “Advanced” tab, click on “Environment Variables”). Add the following environment variable:

    GIT_SSH=C:\full\path\to\TortoisePlink.exe

    Replace “C:\full\path\to” with the full installation path to TortoiseGit, where TortoisePlink.exe is found. It is probably best to add it to the “User variables” section. Also, make sure that the path you use to TortoisePlink.exe matches the path you use for Pageant (pageant.exe). In some cases, you may have several installations of PuTTY because it might be installed along with other applications. Using TortoisePlink.exe from the TortoiseGit installation and pageant.exe from another installation of a different application (or from a standalone PuTTY installation) will likely cause you trouble.

  6. All done! Git commands should now work from the command line. The first time you try to connect to your git repository you will probably be informed that the server’s host key is not cached, and asked if you trust the server. Click on “Yes”. (This is TortoisePlink.exe in action.)

    You may want to have pageant.exe load your .ppk file automatically at boot time, depending on how often you’ll be needing it.

Third solution

Assumes Windows, msysgit, and the native command prompt.

  1. Install msysgit
  2. Make sure to allow git to be used on the MS-DOS command prompt
  3. Run start-ssh-agent
  4. Enter SSH passphrases
  5. All done! Git commands should now work in the native command prompt.

Every time I set up a new desktop I forget these instructions, so I’m adding another answer here since I stumble across it equally often!


Quick Steps for Impatient Users Like Me

  1. Enable the OpenSSH Authentication Agent service and make it start automatically.
    • 👉 Update 👈
    • With the latest Windows update Version 10.0.19042.867 I had to re-do this step!
  2. Add your SSH key to the agent with ssh-add on the command line.
  3. Test git integration, if it still asks for your passphrase, continue on.
  4. Add the environment variable $ENV:GIT_SSH=C:\Windows\System32\OpenSSH\ssh.exe to your session, or permanently to your user environment.

Detailed Steps: Overview

Windows has been shipping with OpenSSH for some time now. It includes all the necessary bits for ssh to work alongside Git, but it still seems to need some TLC before it works 100% seamlessly. Here are the steps I’ve been following with success as of Windows ver 10.0.18362.449 (you can see your Windows 10 version by opening a cmd.exe shell and typing ver).

I assume here that you already have your SSH key set up, and that it is located at ~/.ssh/id_rsa

Enable the ssh-agent service on your Windows 10 box.

  1. Start-> Type ‘Services’ and click on the Services App that appears.
  2. Find the OpenSSH Authentication Agent service in the list.
  3. Right-click on the OpenSSH Authentication Agent service, and choose ‘Properties’.
  4. Change the Startup type: to Automatic.
  5. Click the Start button to change the service status to Running.
  6. Dismiss the dialog by clicking OK, and close the Services app.

Add your key to the ssh-agent

  1. Open your shell of preference (I’ll use Windows Powershell in this example, applies to Powershell Core too).
  2. Add your SSH key to the ssh-agent: ssh-add (you can add the path to your key as the first argument if it differs from the default).
  3. Enter your passphrase if/when prompted to do so.

Try Git + SSH

  1. Open your shell (again, I’m using Powershell) and clone a repo. git clone [email protected]:octocat/Spoon-Knife
  2. If you see this prompt, continue on to the next section:
Enter passphrase for key '/c/Users/your_user_name/.ssh/id_rsa':

Set your GIT_SSH Environment Variable

In any session you can simply set this environment variable and the prompt for your passphrase will stop coming up and ssh will use the ssh-agent on your behalf. Alternatively, you can set your passphrase into your user’s environment permanently.

To set GIT_SSH in the current shell only:

  1. Open your shell of preference. (Powershell for me)
  2. Set the environment variable GIT_SSH to the appropriate ssh.exe: $Env:GIT_SSH=$((Get-Command -Name ssh).Source)
  3. Retry the steps in Try Git + SSH above.

To set GIT_SSH permanently

  1. Open File Explorer. Start-> type ‘File Explorer’ and click on it in the list.
  2. Right-click ‘This PC’ and click on ‘Properties’.
  3. Click on ‘Advanced system settings’.
  4. Click the ‘Environment Variables…’ button.
  5. Under ‘User variables for your_user_name’ click New…
  6. Set Variable name: field to GIT_SSH
  7. Set the Variable value: field to path-to-ssh.exe (typically C:\Windows\System32\OpenSSH\ssh.exe).
  8. Click OK to dismiss the New User Variable dialog.
  9. Click OK to dismiss the Environment Variables dialog.
  10. Retry the steps in Try Git + SSH above.

Note that this is likely going to change with new steps/procedures as Windows 10 progresses and as I learn more. I will attempt to keep this updated; I look forward to feedback in the comments.

In case you are using Git bash under Windows you can perform the following:

eval `ssh-agent -s`
ssh-add ~/.ssh/*_rsa

It will ask for the pass phrase in the second command, and that’s it. Each additional action you will need to do (which once required the pass phrase) won’t ask you for the pass phrase (see an example in the screen shot below):

[Screenshot: adding pass phrase in Git bash on Windows]

For anybody needing more detailed instructions, see this page:
http://help.github.com/working-with-key-passphrases/

One extra solution 5 years, 8 months and 6 days after the question was posted wouldn’t be a bad idea so here goes.

NOTE: Assumes you are using a windows computer.

  1. Download the git-credential-winstore.
  2. Run it! If you have GIT in your PATH environment variable, it should just work. If you don’t, run git-credential-winstore -i C:\Path\To\Git.exe.

The next time you attempt to commit to a repository, you’ll be prompted to enter your credentials. That should be it. You will not be asked for your credentials any longer until you change your password.


Just for your knowledge… Your credentials are stored in the Windows Credential Store

Where are you storing my credentials?

This app just uses the existing Windows Credential Store to hold your credentials. You can see the stored credentials by going to Control Panel > User Accounts > Credential Manager and choosing “Windows Credentials”. The entries starting “git:” are from git-credential-winstore.

If you set a password for your key file, you’ll always need to type in that password when connecting. If you create a passwordless key, then you won’t have to type it every time, however, anyone with access to your key file can now connect to your github account.

ssh-agent may also work. Try running that and see if it will remember your passphrase.

[edit – misread the question, this is an answer to a related problem. leaving rephrased version for posterity]

My case was that I was trying to push to a repo that was hosted on one of our servers. Whenever I tried to do a push, git would ask me for my password (nb – password, not the passphrase to my private key).

By adding my public key to the authorised keys on the server, I was able to get password-free pushes to that server. And, because there was no passphrase on my private key (which is bad practice btw!) I didn’t need to type anything at all in.

Here’s the command to add your public key to a server. It assumes the user git is the user on the server.

cat .ssh/id_rsa.pub | ssh [email protected]_MASTER_IP 'cat >> .ssh/authorized_keys'

You could achieve the same thing by logging onto the server, and manually appending your public key to the file at ~/.ssh/authorized_keys
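The manual append described above, done with the file modes sshd expects and without adding the same key twice, as an added example that is not part of the answer. The function name `install_pubkey`, its return codes and the sample key are assumptions made for illustration; it is meant to run on the server against the account's home directory.

```shell
#!/bin/sh
# install_pubkey PUBKEY_FILE HOME_DIR
# Returns 0 = key added, 1 = key already present, 2 = input rejected.
install_pubkey() {
    pub=$1; dir=$2/.ssh; auth=$dir/authorized_keys
    # Refuse anything that is not a one-line public key (e.g. a private key file).
    [ "$(grep -c '' "$pub")" -eq 1 ] || { echo "not a single-line public key" >&2; return 2; }
    blob=$(awk '$1 ~ /^(ssh-|ecdsa-|sk-)/ { print $2 }' "$pub")
    [ -n "$blob" ] || { echo "unrecognised key type" >&2; return 2; }
    # Create directory and file owner-only, then correct any looser existing modes.
    ( umask 077; mkdir -p "$dir"; : >> "$auth" )
    chmod 700 "$dir"; chmod 600 "$auth"
    # Compare the base64 key blob, not the comment, to detect a duplicate entry.
    if awk -v b="$blob" '{ for (i = 1; i <= NF; i++) if ($i == b) found = 1 }
                         END { exit !found }' "$auth"; then
        return 1
    fi
    cat "$pub" >> "$auth"
}

# Demo on a scratch directory with a constructed (not real) key.
tmp=$(mktemp -d)
echo 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedSampleBlob demo@example' > "$tmp/id.pub"
install_pubkey "$tmp/id.pub" "$tmp/home"; echo "first run:  $?"
install_pubkey "$tmp/id.pub" "$tmp/home"; echo "second run: $?"
rm -rf "$tmp"
```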

Let’s assume you’d like to use a pure Git Bash only solution without using TortoiseGit or PuTTY. Also, you don’t want to store your passphrases permanently as it’s almost the same as if you would’ve generated your SSH key without a passphrase in the first place. But you still want to use some caching.

For caching purposes ssh-agent process is used, which is included with the Git Bash distribution. This process isn’t started by default, so it needs to be launched first. For any SSH keys to be cached they should be added to this process with ssh-add command which will prompt you for a key’s passphrase and store it in memory.

Drawbacks of other solutions:

  • Auto-launching ssh-agent like in GitHub’s article asks for a passphrase right from the start when you launch Git Bash, regardless of whether you’ll need to use your SSH key this session or not. If you’re working with your local repo today you’ll probably want to provide a passphrase only when really needed (e.g. when interacting with a remote repo).
  • If you launch your ssh-agent like in GitLab’s article with eval $(ssh-agent -s) you’re probably tired of typing that in each time. Chances are, eventually, you’ve added those two lines to your .bashrc config to auto-launch. Downsides are the same as above plus an extra one: each time you launch a new Git Bash terminal you’ll get an extra ssh-agent process (GitHub’s bash script checks if that process has already started).
  • Like the two above but especially so when you have separate SSH keys for different hosts, e.g. one for GitHub and another one for GitLab, so providing them all at once is annoying and inconvenient.

So this solution is for those who wonder how to make Git Bash ask for a passphrase only once per Windows session and only when really needed. It resembles the behavior of passphrases management with GnuPG commits auto-signing using default-cache-ttl.

Configuring SSH to ask for passphrases once, when needed, using Git Bash only

  1. First, we want to auto-launch the ssh-agent when starting a Git Bash shell. We’ll use a modified GitHub’s script for that as it checks whether the process has already started, but we don’t want it to ssh-add keys right away. This script goes to your ~/.bashrc or ~/.profile or ~/.bash_profile (~ is your User’s home directory like C:\Users\Username – run cd ~ and then pwd for the Git Bash to print it out):

    ### Start ssh-agent
    
    env=~/.ssh/agent.env
    
    agent_load_env () { test -f "$env" && . "$env" >| /dev/null ; }
    
    agent_start () {
        (umask 077; ssh-agent >| "$env")  # use -t here for timeout
        . "$env" >| /dev/null ; }
    
    agent_load_env
    
    # agent_run_state: 0=agent running w/ key; 1=agent w/o key; 2= agent not running
    agent_run_state=$(ssh-add -l >| /dev/null 2>&1; echo $?)
    
    if [ ! "$SSH_AUTH_SOCK" ] || [ $agent_run_state = 2 ]; then
        agent_start
    fi
    
    unset env
    
  2. Now edit or create a ~/.ssh/config file and add an AddKeysToAgent option for each host stanza you want caching to be turned on (you can also turn it on globally by placing the directive at the beginning of the file before all the host declarations):

    # GitHub.com
    Host github.com
      Preferredauthentications publickey
      IdentityFile ~/.ssh/id_ed25519_github
      AddKeysToAgent yes
    
    # GitLab.com
    Host gitlab.com
      Preferredauthentications publickey
      IdentityFile ~/.ssh/id_ed25519_gitlab
      AddKeysToAgent yes
    

    From ssh config man page: If this option is set to yes and a key is loaded from a file, the key and its passphrase are added to the agent with the default lifetime, as if by ssh-add(1).

The default maximum lifetime is forever or until the ssh-agent process gets killed (either manually from task manager or when your PC is shut down). If you wish to use a finite timeout you can set it with ssh-agent’s -t parameter. Change the line in the bash script from the first step above, e.g. for 30 minutes key cache lifetime:

(umask 077; ssh-agent -t 30m >| "$env")

See here for other time format qualifiers.
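A quick audit of which hosts will have keys cached by the agent under the AddKeysToAgent setup described above, as an added example that is not part of the answer. The function names and sample hosts are assumptions, and Match blocks are skipped.

```shell
#!/bin/sh
# Constructed sample config; host names and key paths are placeholders.
sample_config() {
cat <<'EOF'
Host github.com
  Preferredauthentications publickey
  IdentityFile ~/.ssh/id_ed25519_github
  AddKeysToAgent yes

Host gitlab.com
  IdentityFile ~/.ssh/id_ed25519_gitlab

Host build.example.test
  IdentityFile ~/.ssh/id_rsa
  AddKeysToAgent=confirm
EOF
}

# Prints "host<TAB>value<TAB>identityfile" for each Host stanza in file $1.
# ssh uses the first value it obtains for a keyword, so a directive placed
# before any Host line wins over one inside a stanza; the default is "no".
agent_caching_report() {
    awk '
    function emit() {
        if (host == "") return
        printf "%s\t%s\t%s\n", host, (glob != "" ? glob : (val != "" ? val : "no")), (idf != "" ? idf : "-")
    }
    {
        sub(/^[ \t]+/, ""); sub(/[ \t\r]+$/, "")      # trim, tolerate CRLF
        if ($0 == "" || $0 ~ /^#/) next
        key = tolower($0); sub(/[ \t=].*$/, "", key)  # keywords ignore case
        arg = $0; sub(/^[^ \t=]+[ \t]*=?[ \t]*/, "", arg)
        if (key == "host")       { emit(); host = arg; val = ""; idf = ""; mode = 1 }
        else if (key == "match") { emit(); host = ""; mode = 2 }  # Match blocks skipped
        else if (key == "addkeystoagent") {
            if (mode == 0 && glob == "") glob = tolower(arg)
            else if (mode == 1 && val == "") val = tolower(arg)
        }
        else if (key == "identityfile" && mode == 1 && idf == "") idf = arg
    }
    END { emit() }' "$1"
}

cfg=$(mktemp)
sample_config > "$cfg"
agent_caching_report "$cfg"   # point it at ~/.ssh/config for the real file
rm -f "$cfg"
```

For a single host, `ssh -G github.com` prints the configuration ssh itself resolves and is the authoritative check.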

I realise this is several years overdue, but I stumbled across this question trying to find a solution for it, and I found something that suits all levels of expertise, so I thought I’d share.

GitHub provide a very helpful installer that makes everything nice and easy: https://help.github.com/articles/caching-your-github-password-in-git/

You can create a .bashrc file in the home directory of your user like C:/Users/youruser, and put there:

env=~/.ssh/agent.env

agent_load_env () { test -f "$env" && . "$env" >| /dev/null ; }

agent_start () {
    (umask 077; ssh-agent >| "$env")
    . "$env" >| /dev/null ; }

agent_load_env

# agent_run_state: 0=agent running w/ key; 1=agent w/o key; 2= agent not running
agent_run_state=$(ssh-add -l >| /dev/null 2>&1; echo $?)

if [ ! "$SSH_AUTH_SOCK" ] || [ $agent_run_state = 2 ]; then
    agent_start
    ssh-add
elif [ "$SSH_AUTH_SOCK" ] && [ $agent_run_state = 1 ]; then
    ssh-add
fi

unset env

This script executes every time after bash runs. So you will need to enter the password only once, when git-bash is started!

Some versions of bash require a .bash_profile file instead of .bashrc, so just in case clone .bashrc:

copy .bashrc .bash_profile

You can try adding the -k arg when you do:

ssh-add -k ~/.ssh/id_rsa

Make sure that your ~/.ssh/config does not contain

UseKeychain yes

which prevents ssh-add from persisting to the ssh-agent.
