Windows ssh as administrator not working with keys not named `id_rsa`

Question

I'm attempting to pull down a GitHub repo in Windows 11 using PowerShell. My machine is configured with OpenSSH Client in Windows.

I verified:

ssh-agent is running
same key is registered with ssh-agent as with GitHub profile (and same key overall
ssh config file is empty
I can authenticate to GitHub (ssh -T git@github.com).

When I try pulling down code from GitHub using Windows PowerShell or cmd, GitHub does not recognize the auth. When I pull down code from GitHub using Ubuntu (in the same host via WSL2), GitHub recognizes the auth and clones the repo.

Why?

OpenSSH is installed separately in Windows

PS C:\Windows\System32\OpenSSH> ssh -V
OpenSSH_for_Windows_8.6p1, LibreSSL 3.4.3

and in WSL2 Ubuntu.

nick@Nix-XPS-XIII:~/test$ ssh -V
OpenSSH_8.9p1 Ubuntu-3ubuntu0.4, OpenSSL 3.0.2 15 Mar 2022

In Windows, SSH keys and configs are in two locations: PS C:\ProgramData\ssh> and PS %USERPROFILE%\.ssh>.

Windows

OpenSSL installed using Windows Settings | Apps | Optional features.

PS C:\Users\nick> Get-WindowsCapability -Online | Where-Object { $_.Name -like 'OpenSSH.Client*' }
Name  : OpenSSH.Client~~~~0.0.1.0
State : Installed
PS C:\Windows\System32\OpenSSH> dir
Directory: C:\Windows\System32\OpenSSH


Mode                 LastWriteTime         Length Name

-----            5/6/2022 10:15 AM         320512 scp.exe
-----            5/6/2022 10:15 AM         398848 sftp.exe
-----            5/6/2022 10:15 AM         506880 ssh-add.exe
-----            5/6/2022 10:15 AM         393216 ssh-agent.exe
-----            5/6/2022 10:15 AM         720896 ssh-keygen.exe
-----            5/6/2022 10:15 AM         572416 ssh-keyscan.exe
-----            5/6/2022 10:15 AM        1073152 ssh.exe

The key is the correct key in GitHub:

PS C:\Users\nick> ssh-add -l -E sha256
256 SHA256:jLE1Wa+qZ+Gwxvcw1PEWFeuoKnNxkQDU8ZP7O0optmo nick@Nix-XPS-XIII (ED25519)

GitHub accepts the authentication.

PS C:\Users\nick> ssh -vT git@github.com
OpenSSH_for_Windows_8.6p1, LibreSSL 3.4.3
debug1: Reading configuration data C:\\Users\\nick/.ssh/config
debug1: Authenticator provider $SSH_SK_PROVIDER did not resolve; disabling
debug1: Connecting to github.com [140.82.112.4] port 22.
debug1: Connection established.
debug1: identity file C:\\Users\\nick/.ssh/id_rsa type -1
debug1: identity file C:\\Users\\nick/.ssh/id_rsa-cert type -1
debug1: identity file C:\\Users\\nick/.ssh/id_dsa type -1
debug1: identity file C:\\Users\\nick/.ssh/id_dsa-cert type -1
debug1: identity file C:\\Users\\nick/.ssh/id_ecdsa type -1
debug1: identity file C:\\Users\\nick/.ssh/id_ecdsa-cert type -1
debug1: identity file C:\\Users\\nick/.ssh/id_ecdsa_sk type -1
debug1: identity file C:\\Users\\nick/.ssh/id_ecdsa_sk-cert type -1
debug1: identity file C:\\Users\\nick/.ssh/id_ed25519 type -1
debug1: identity file C:\\Users\\nick/.ssh/id_ed25519-cert type -1
debug1: identity file C:\\Users\\nick/.ssh/id_ed25519_sk type -1
debug1: identity file C:\\Users\\nick/.ssh/id_ed25519_sk-cert type -1
debug1: identity file C:\\Users\\nick/.ssh/id_xmss type -1
debug1: identity file C:\\Users\\nick/.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_for_Windows_8.6
debug1: Remote protocol version 2.0, remote software version babeld-dd067d10
debug1: compat_banner: no match: babeld-dd067d10
debug1: Authenticating to github.com:22 as 'git'
debug1: load_hostkeys: fopen C:\\Users\\nick/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen __PROGRAMDATA__\\ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen __PROGRAMDATA__\\ssh/ssh_known_hosts2: No such file or directory
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ssh-ed25519
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: SSH2_MSG_KEX_ECDH_REPLY received
debug1: Server host key: ssh-ed25519 SHA256:+DiY3wvvV6TuJJhbpZisF/zLDA0zPMSvHdkr4UvCOqU
debug1: load_hostkeys: fopen C:\\Users\\nick/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen __PROGRAMDATA__\\ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen __PROGRAMDATA__\\ssh/ssh_known_hosts2: No such file or directory
debug1: Host 'github.com' is known and matches the ED25519 host key.
debug1: Found key in C:\\Users\\nick/.ssh/known_hosts:1
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey in after 134217728 blocks
debug1: Will attempt key: nick@Nix-XPS-XIII ED25519 SHA256:jLE1Wa+qZ+Gwxvcw1PEWFeuoKnNxkQDU8ZP7O0optmo agent
debug1: Will attempt key: C:\\Users\\nick/.ssh/id_rsa
debug1: Will attempt key: C:\\Users\\nick/.ssh/id_dsa
debug1: Will attempt key: C:\\Users\\nick/.ssh/id_ecdsa
debug1: Will attempt key: C:\\Users\\nick/.ssh/id_ecdsa_sk
debug1: Will attempt key: C:\\Users\\nick/.ssh/id_ed25519
debug1: Will attempt key: C:\\Users\\nick/.ssh/id_ed25519_sk
debug1: Will attempt key: C:\\Users\\nick/.ssh/id_xmss
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,ssh-ed25519,ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256,rsa-sha2-512,rsa-sha2-256,ssh-rsa>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering public key: nick@Nix-XPS-XIII ED25519 SHA256:jLE1Wa+qZ+Gwxvcw1PEWFeuoKnNxkQDU8ZP7O0optmo agent
debug1: Server accepts key: nick@Nix-XPS-XIII ED25519 SHA256:jLE1Wa+qZ+Gwxvcw1PEWFeuoKnNxkQDU8ZP7O0optmo agent
debug1: Authentication succeeded (publickey).
Authenticated to github.com ([140.82.112.4]:22).
debug1: channel 0: new [client-session]
debug1: Entering interactive session.
debug1: pledge: filesystem full
debug1: client_input_global_request: rtype hostkeys-00@openssh.com want_reply 0
debug1: client_input_hostkeys: searching C:\\Users\\nick/.ssh/known_hosts for github.com / (none)
debug1: client_input_hostkeys: searching C:\\Users\\nick/.ssh/known_hosts2 for github.com / (none)
debug1: client_input_hostkeys: hostkeys file C:\\Users\\nick/.ssh/known_hosts2 does not exist
debug1: client_input_hostkeys: no new or deprecated keys from server
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
Hi nmdemarco! You've successfully authenticated, but GitHub does not provide shell access.
debug1: channel 0: free: client-session, nchannels 1
Transferred: sent 2112, received 2576 bytes, in 0.1 seconds
Bytes per second: sent 16591.1, received 20236.2
debug1: Exit status 1

The ssh config file is empty.

    Directory: C:\Users\nick\.ssh
Mode                 LastWriteTime         Length Name

-a---          10/15/2023  2:01 PM              0 config
PS C:\Users\nick.ssh>

Attempting to clone a project does not work

PS C:\Users\nick\projects> git clone git@github.com:practichem/arista-protocolbridge.git
Cloning into 'arista-protocolbridge'...
git@github.com: Permission denied (publickey).
fatal: Could not read from remote repository.
Please make sure you have the correct access rights
and the repository exists.
PS C:\Users\nick\projects>

score 1 · Answer 1 · answered Oct 24 '23 at 09:30

As Tom Yan suggests in a comment, Git for Windows ships its own OpenSSH client. This client is not configured to use Microsoft OpenSSH configuration in C:\ProgramData\ssh and will also not use the Microsoft OpenSSH Agent. The Microsoft OpenSSH agent uses Named Pipes to listen by default, while the Git OpenSSH agent uses emulated UNIX sockets.

There are two (technically three) possible solutions:

Make the Git OpenSSH client use the Microsoft OpenSSH agent. Because it cannot connect to Windows Named Pipes, you need a proxy. (I haven’t tried any and as such cannot recommend one.)
Make Git use the Microsoft OpenSSH client. Simply run git config --global core.sshcommand "C:/Windows/System32/OpenSSH/ssh.exe".
(Stop using Microsoft OpenSSH altogether and only use Git’s OpenSSH.)

You can use GIT_SSH_COMMAND to get verbose logging. On PowerShell, you’d use it like this:

$env:GIT_SSH_COMMAND="ssh -v"
git clone git@github.com:practichem/arista-protocolbridge.git

You’ll easily be able to tell whether Git’s OpenSSH client is used or the Microsoft OpenSSH client. Git’s OpenSSH will never refer to __PROGRAMDATA__ or the like.

This environment variable probably overrides the core.sshcommand setting mentioned above.

Windows ssh as administrator not working with keys not named `id_rsa`

Windows

1 Answers1