Using ssh-agent with git on Windows

Unlock your SSH keys

Posted by David Van Loon on January 31, 2019

I have multiple passphrase-protected SSH keys on my laptop that allow me to authenticate with various devices and services. I don’t mind typing my passphrase when logging in to a remote computer via SSH. To me, the action is conceptually similar to entering a local password at login. However, since I use SSH keys for authentication to GitHub, every git command that affects a remote repository results in a prompt for an SSH key passphrase.

This is really annoying.

I’ve seen ssh-agent mentioned as a solution to this issue, but only in the context of a Linux environment. How can I take advantage of this functionality on my Windows laptop? The ssh-agent that is included with git, while technically a Windows executable, is configured for a pseudo-Linux environment.

Thankfully, in Windows 11 and newer versions of Windows 10, OpenSSH ships as an optional feature. After enabling the feature, a proper ssh-agent is available for use.

Enabling and starting ssh-agent

After enabling OpenSSH in Windows, the ssh-agent service needs to be enabled. Open an elevated PowerShell window and run:

PS> Get-Service ssh-agent | Set-Service -StartupType Automatic

This will start the ssh-agent service automatically when your computer boots up.

Verify that your PATH is properly configured by executing the following:

PS> Get-Command ssh | Select-Object Source

Source
------
C:\Windows\System32\OpenSSH\ssh.exe

Validate that your output is similar to mine. The ssh executable should be in the System32 folder, not the Git for Windows directory. If your output doesn’t match, your PATH variable probably needs to be modified to prioritize the C:\Windows\System32\OpenSSH directory over the Git for Windows directory.

Start the ssh-agent service by executing the ssh-agent process.

PS> ssh-agent

The ssh-agent service should now be running. Since we set the ssh-agent service to start automatically, you’ll only have to do this once.

Importing keys

Keys need to be imported to the ssh-agent service so that they can be unlocked for use. Execute the following and follow the prompts to load and unlock your keys.

PS> ssh-add

You can view the available keys by running ssh-add -l.

Read more about importing SSH keys here.

Linking to git

Git for Windows uses the ssh binaries included with git by default. While this works well enough in most situations, one side-effect is that git has no idea how to talk to the Windows ssh-agent service. For git commands to use the Windows ssh-agent service, git needs to be informed of the system OpenSSH path. To accomplish this, the environment variable GIT_SSH needs to be set with the path of the system OpenSSH executable.

Run the following command to update the environment variable:

PS> [Environment]::SetEnvironmentVariable("GIT_SSH", "$((Get-Command ssh).Source)", [System.EnvironmentVariableTarget]::User)

Open a new PowerShell window to activate the new environment variables.

You’re done!

Test remote git commands with SSH authentication (e.g. git pull) and verify that the passphrase prompt does not occur with each command.
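
To check each step above in one pass, here is a read-only PowerShell script. It is an added example, not part of the original post; it assumes OpenSSH is in the default %SystemRoot%\System32\OpenSSH directory and that GIT_SSH was set at User scope as shown above. Add-Check is a hypothetical helper name.

```powershell
# Added example: read-only check of the setup steps in this post.
# Assumption: OpenSSH lives in the default directory shown in the post.
$expectedDir = Join-Path $env:SystemRoot 'System32\OpenSSH'
$results = [System.Collections.Generic.List[object]]::new()

function Add-Check([string]$Name, [bool]$Ok, [string]$Detail) {   # hypothetical helper
    $results.Add([pscustomobject]@{ Check = $Name; Ok = $Ok; Detail = $Detail })
}

# 1. The service exists, starts at boot, and is running now.
$svc = Get-Service ssh-agent -ErrorAction SilentlyContinue
if ($null -eq $svc) {
    Add-Check 'ssh-agent service' $false 'not found; enable the OpenSSH optional feature'
} else {
    Add-Check 'ssh-agent startup type' ($svc.StartType -eq 'Automatic') "$($svc.StartType)"
    Add-Check 'ssh-agent status' ($svc.Status -eq 'Running') "$($svc.Status)"
}

# 2. PATH resolves ssh and ssh-add to Windows OpenSSH, not Git for Windows.
foreach ($tool in 'ssh', 'ssh-add') {
    $cmd = Get-Command $tool -CommandType Application -ErrorAction SilentlyContinue |
        Select-Object -First 1
    $src = if ($cmd) { $cmd.Source } else { '' }
    Add-Check "$tool on PATH" ($src -like "$expectedDir\*") $src
}

# 3. GIT_SSH (User scope, as set in the post) names the system ssh.exe.
$gitSsh = [Environment]::GetEnvironmentVariable('GIT_SSH', 'User')
Add-Check 'GIT_SSH (User)' ($gitSsh -eq (Join-Path $expectedDir 'ssh.exe')) "$gitSsh"

# 4. Keys are loaded. ssh-add -l exits 0 with keys, 1 with none,
#    and 2 when it cannot contact the agent.
if (Get-Command ssh-add -CommandType Application -ErrorAction SilentlyContinue) {
    $listing = @(& ssh-add -l 2>$null)
    $detail = switch ($LASTEXITCODE) {
        0 { "$($listing.Count) key(s) loaded" }
        1 { 'agent reachable, no keys; run ssh-add' }
        default { 'cannot contact the agent' }
    }
    Add-Check 'keys in agent' ($LASTEXITCODE -eq 0) $detail
}

$results | Format-Table -AutoSize
```

Any row with Ok set to False points back to the step in this post that needs repeating.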

Congrats, you’ve just saved yourself a lot of time down the road.