Windows virtual environment: Use SSH binaries from the Git suite by mpdude · Pull Request #63 · webfactory/ssh-agent
This hopefully fixes Windows-based builds, including issue #62.
It was a much bigger rabbit hole than initially expected, and took quite some time and experimentation. It turns out there are two versions of the ssh and related binaries available in the Windows virtual environment.
```
C:\>C:\Windows\System32\OpenSSH\ssh.exe -v xx
OpenSSH_for_Windows_7.7p1, LibreSSL 2.6.5

C:\>C:\"Program Files"\Git\usr\bin\ssh.exe -v xx
OpenSSH_8.4p1, OpenSSL 1.1.1i 8 Dec 2020
```
Things seem to work when using the `ssh-agent` and `ssh-add` binaries provided as part of the Git installation, but not with the native Windows ones.
As of writing, simple `git clone ...` operations given in a GHA workflow file will use the ssh client from the Git suite, without further configuration. I don't know if this might change in the future; git-for-windows/git#2944 is about possibly changing this.
As a reminder to myself, just in case we need to get back to this sometime:
- Not really clear what the source repos for the version provided by Windows are. Candidates are https://github.com/PowerShell/OpenSSH-Portable or https://github.com/PowerShell/Win32-OpenSSH.
- In the Windows version, `IdentityFile` cannot point to a file containing the public key part, it complains about the "invalid format".
- We could write private keys to these files and encrypt them (`ssh-keygen -p ...`), but that would need to happen before loading into the agent, otherwise it does not recognize keys later on.
- To load encrypted keys, the passphrase cannot be provided on stdin to `ssh-add`, but instead the `DISPLAY` env var has to be set to some dummy value. That will make `ssh-add` fork the program from `SSH_ASKPASS`, where we can place a simple program to pass the value of another env var back as the passphrase.
- The Windows `ssh` client seems to ignore keys from the agent when `IdentitiesOnly=yes`, see "ssh-agent is ignored when with "IdentitiesOnly yes" config file setting" (PowerShell/Win32-OpenSSH#1550).
- Things might work with `IdentitiesOnly=false` on Windows, if the specified keys are tried before the other ones.
- A few times, I stumbled across `ssh` complaining that `/dev/tty` is not a file – seems to be an issue in how that SSH client tries to detect a terminal (Update _PATH_TTY to point to the console, PowerShell/openssh-portable#447).
I don't know if "mixing" the SSH client and/or other binaries (the agent) from Windows and Git has any other side effects or implications.
🤞🏻
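The `SSH_ASKPASS` route from the reminder list above, written out as an added bash example (this is not code from the PR or from the ssh-agent action). The helper script, the `SSH_KEY_PASSPHRASE` variable name and the throwaway ed25519 key are all constructed here; the round trip is skipped when no OpenSSH tools are installed.

```shell
#!/usr/bin/env bash
# Added example: hand a passphrase to ssh-add via SSH_ASKPASS instead of stdin.
# ssh-add forks the SSH_ASKPASS program when stdin is not a tty and DISPLAY is set.
set -eu

WORKDIR="$(mktemp -d)"
trap 'rm -rf "$WORKDIR"' EXIT
ASKPASS="$WORKDIR/askpass.sh"

# The askpass helper: ssh-add passes the prompt as $1 and reads the passphrase
# from stdout. Taking it from an env var (constructed name: SSH_KEY_PASSPHRASE)
# keeps the secret off the command line and out of process listings.
cat >"$ASKPASS" <<'EOF'
#!/bin/sh
printf '%s\n' "${SSH_KEY_PASSPHRASE:?passphrase env var not set}"
EOF
chmod 700 "$ASKPASS"

# Invoke the helper exactly as ssh-add would; prints the passphrase it would receive.
askpass_reply() {
  SSH_KEY_PASSPHRASE="$1" "$ASKPASS" "Enter passphrase for key:"
}

# Load a passphrase-protected key into the running agent without a terminal.
# DISPLAY only needs a dummy value; </dev/null guarantees stdin is not a tty.
add_encrypted_key() {
  key="$1"; passphrase="$2"
  SSH_KEY_PASSPHRASE="$passphrase" DISPLAY=":0" SSH_ASKPASS="$ASKPASS" \
    ssh-add "$key" </dev/null 2>/dev/null
}

# Full round trip with a constructed key: generate, start agent, load, verify.
# Returns 0 (skip) when ssh-keygen/ssh-agent/ssh-add are not available.
demo_load_key() {
  for tool in ssh-keygen ssh-agent ssh-add; do
    command -v "$tool" >/dev/null 2>&1 || { echo "skip: $tool not found"; return 0; }
  done
  pass="constructed-test-passphrase"
  ssh-keygen -q -t ed25519 -N "$pass" -f "$WORKDIR/id_test" -C "constructed test key"
  eval "$(ssh-agent -s)" >/dev/null
  add_encrypted_key "$WORKDIR/id_test" "$pass"
  loaded=$(ssh-add -l | grep -c 'constructed test key' || true)
  ssh-agent -k >/dev/null
  [ "$loaded" -eq 1 ]
}
```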