1

For years, every time I (or anyone else in my company, it seems) try to use git on Windows, everything will work fine for a while, until suddenly it acts like it doesn't know what an ssh key is anymore. It'll stop prompting me for its password, and ask me for the git server's password instead.

ssh -v pointed me in the right direction, namely that windows DOES know about my ssh key, but it doesn't seem to be accepted by my server.

    $ ssh -v git@git.myhost.lan
    OpenSSH_6.6.1, OpenSSL 1.0.1i 6 Aug 2014
    debug1: Reading configuration data /c/Users/eschjen/.ssh/config
    debug1: /c/Users/eschjen/.ssh/config line 1: Applying options for git.myhost.lan
    debug1: Connecting to git.myhost.lan [10.116.22.40] port 22.
    debug1: Connection established.
    debug1: identity file /c/Users/eschjen/.ssh/id_rsa type 1
    debug1: identity file /c/Users/eschjen/.ssh/id_rsa-cert type -1
    debug1: Enabling compatibility mode for protocol 2.0
    debug1: Local version string SSH-2.0-OpenSSH_6.6.1
    debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
    debug1: match: OpenSSH_5.3 pat OpenSSH_5* compat 0x0c000000
    debug1: SSH2_MSG_KEXINIT sent
    debug1: SSH2_MSG_KEXINIT received
    debug1: kex: server->client aes128-ctr hmac-md5 none
    debug1: kex: client->server aes128-ctr hmac-md5 none
    debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<3072<8192) sent
    debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
    debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
    debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
    debug1: Server host key: RSA ae:81:77:0d:1c:8e:6a:aa:a8:69:36:1b:e4:ca:33:ee
    debug1: Host 'git.myhost.lan' is known and matches the RSA host key.
    debug1: Found key in /c/Users/eschjen/.ssh/known_hosts:1
    debug1: ssh_rsa_verify: signature correct
    debug1: SSH2_MSG_NEWKEYS sent
    debug1: expecting SSH2_MSG_NEWKEYS
    debug1: SSH2_MSG_NEWKEYS received
    debug1: Roaming not allowed by server
    debug1: SSH2_MSG_SERVICE_REQUEST sent
    debug1: SSH2_MSG_SERVICE_ACCEPT received
    debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
    debug1: Next authentication method: publickey
    debug1: Offering RSA public key: /c/Users/eschjen/.ssh/id_rsa
    debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
    debug1: Next authentication method: password
    git@git.myhost.lan's password:

Looking at my server, I could see that my old windows public ssh key is uploaded, but that it no longer matches the one on my machine. Uploading the new key as if it were a new computer fixes the problem completely.

Is this something that windows just does occasionally? Why on earth would my key suddenly be invalid? I generated it probably less than a year ago.

J.R.
  • "Is this something that windows just does occasionally?" Windows doesn't ship with SSH support, so I would be very surprised if Windows was actually doing anything like that. How did you install Git? – ChrisGPT was on strike Jan 04 '16 at 12:18

2 Answers

2

Windows does not reset the ssh keys by itself.

But id_rsa/id_rsa.pub are the default ssh private and public key filenames.
That means if any other app generates a new set of keys, said keys will be overwritten.

A possible workaround, in order to improve the robustness of the ssh setup, is to:

  • rename your keys in %HOME%\.ssh
  • add in %HOME%\.ssh\config the full path of the private key

Something like:

    Host git.myhost.lan
      HostName git.myhost.lan
      User git
      IdentityFile /c/Users/<yourLogin>/.ssh/git.myhost.lan

Then try ssh -Tv git.myhost.lan (no need for git@)

VonC
  • If another program over-wrote my ssh key, wouldn't it also change the password associated with it, or make it be no password at all? – J.R. Jan 04 '16 at 15:25
  • 1
    @Jenny there is no "password" in ssh, there is only passphrase-protected private key: you can generate a private key with or (generally) without passphrase. When ssh asks for your password, it is simply because it fails to use/find your ssh keys and falls back to basic user authentication on the *server* side (nothing to do with your local ssh keys, overridden or not) – VonC Jan 04 '16 at 15:29
  • Then I misspoke: The passphrase protecting my private key is unchanged from when git originally worked, and when it stopped working and I had to reupload the key to my server. Is this expected even if another program changed my private key? – J.R. Jan 05 '16 at 12:11
  • @Jenny No, which means what you enter might not be a ssh private key passphrase. Can you show me a copy or screenshot of what is displayed when you have to enter anything? – VonC Jan 05 '16 at 12:17
  • "Enter passphrase for key '/h/.ssh/id_rsa': " When I enter the passphrase I already had set up (not blank or some kind of default), it works. At this point, is it the server's fault? If so, why does it seem to only forget windows keys? – J.R. Jan 05 '16 at 14:16
  • @Jenny That has nothing to do with the server, and everything to do with the private key which is, per its very "private" nature, local to your workstation. If that private key is the same as the old one, its passphrase would be the same. – VonC Jan 05 '16 at 14:23
  • When I say "server's fault", I mean, is it possible the server forgot my public key? If the private key is the same (proven by the consistent passphrase), then the problem must be with the public key. – J.R. Jan 08 '16 at 12:01
  • "is it possible the server forgot my public key?" Maybe, anything is possible for the server to somehow corrupt/override something in `~/.ssh/authorized_keys`. – VonC Jan 08 '16 at 12:04
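
A check for the mismatch diagnosed in the question, as an added example that is not part of the original answers: it compares the key blob of a local public-key file with the entries in a copy of the server's `authorized_keys` and prints the legacy MD5 fingerprint. The function names and the sample keys are constructed for illustration.

```shell
#!/bin/sh
# Added example: is the local public key still the one the server holds?

# Print the base64 key blob of every key line in a file. Comment lines are
# skipped; a leading options field (e.g. no-pty) is stepped over by looking
# for the first field that names a key type.
key_blobs() {
    awk '$1 ~ /^#/ { next }
         { for (i = 1; i < NF; i++)
               if ($i ~ /^(ssh-|ecdsa-|sk-)/) { print $(i + 1); next } }' "$1"
}

# Legacy MD5 fingerprint (aa:bb:...) of one blob, the same format as the
# "Server host key" line printed by OpenSSH 6.6 in the question.
md5_fp() {
    printf '%s' "$1" | base64 -d | md5sum | cut -d' ' -f1 | sed 's/../&:/g; s/:$//'
}

# Exit 0 if the key in public-key file $1 appears in authorized_keys copy $2,
# 1 if it does not, 2 if $1 contains no key at all.
key_is_authorized() {
    want=$(key_blobs "$1" | head -n 1)
    [ -n "$want" ] || return 2
    key_blobs "$2" | grep -qxF -- "$want"
}

# Constructed sample data (placeholder bytes, not real keys): the server
# still lists the old key while id_rsa.pub holds a regenerated one.
demo=$(mktemp -d)
old_blob=$(printf 'constructed-old-key' | base64)
new_blob=$(printf 'constructed-new-key' | base64)
printf '# uploaded last year\nssh-rsa %s me@old\n' "$old_blob" > "$demo/authorized_keys"
printf 'ssh-rsa %s me@new\n' "$new_blob" > "$demo/id_rsa.pub"

if key_is_authorized "$demo/id_rsa.pub" "$demo/authorized_keys"; then
    echo "local key is listed on the server"
else
    echo "local key $(md5_fp "$new_blob") is not in authorized_keys"
fi
```

On a real workstation, write the output of `ssh-keygen -y -f ~/.ssh/id_rsa` to a file and pass that as the first argument, so the comparison uses the private key that ssh actually offers rather than a possibly stale `.pub` file.
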
0

Another possible option is that your ssh-agent is stopped for some reason, so you have to start it.

How to restart ssh-agent?

    # restart ssh-agent
    eval "$(ssh-agent)"

    # add your ssh keys to the agent (ssh-add -l lists what is loaded)
    # if you don't specify a key, it will use the default keys
    ssh-add

CodeWizard
  • 1
    I don't think that's the problem in this case: "Looking at my server, I could see that my old windows public ssh key is uploaded, but that it no longer matches the one on my machine. Uploading the new key as if it were a new computer fixes the problem completely." – ChrisGPT was on strike Jan 04 '16 at 12:39
  • Cool, so simply generate new ones and that's it. You can obviously have more than one key per server – CodeWizard Jan 04 '16 at 12:40
  • Still, this is a great tip if someone will need it in the future. From my experience this is a common problem related to these issues. – CodeWizard Jan 04 '16 at 12:41