Fossil User Forum

How can I get fossil to stop prompting me for my ssh passphrase?

(1) By Doug (doug9forester) on 2025-05-09 14:59:44 [link] [source]

I have a remote linux VPS checkout that I am working to keep in sync with my windows checkout. I can log into the VPS using ssh without a passphrase. But when fossil uses ssh to push/pull, I get prompted for the passphrase. How can I configure fossil/ssh to not prompt me? (I know I could remove the passphrase from ssh but I don't want to for security.)

dougf@drop1:~$ fossil version
This is fossil version 2.24 [5fe7dddc6f] 2024-04-30 14:34:12 UTC

dougf@Lenovo:~/asl_clone/trunk$ fossil commit
Pull from ssh://dougf@drop1.judysplants.me//home/dougf/cs/asl.fossil
Enter passphrase for key '/c/Users/dougf/.ssh/id_ed25519':
Round-trips: 1   Artifacts sent: 0  received: 0
Pull done, wire bytes sent: 432  received: 416  remote: drop1.judysplants.me
nothing has changed; use --allow-empty to override
dougf@Lenovo:~/asl_clone/trunk$ ssh dougf@drop1.judysplants.me
Welcome to Ubuntu 24.10 (GNU/Linux 6.11.0-25-generic x86_64)

(2) By Martin Gagnon (mgagnon) on 2025-05-09 16:08:16 in reply to 1 [link] [source]

A wild guess....

It seems that you use WSL on Windows. Is the fossil that you use the WSL fossil binary as well?

(I don't know if it's possible to call native windows fossil from wsl, but if it's the case, this could be your problem.)

Native Windows fossil will call native ssh, which will fail to communicate with your ssh-agent or any keychain service, etc. that runs inside WSL.

(3) By Doug (doug9forester) on 2025-05-09 16:57:01 in reply to 2 [link] [source]

The fossil I use on Windows runs in cmd.exe and under cygwin. wsl is not involved.

(4) By Warren Young (wyoung) on 2025-05-09 17:14:55 in reply to 3 [link] [source]

From a Cygwin Bash prompt, what does a "type -a ssh" command print?

(5) By Doug (doug9forester) on 2025-05-09 17:33:03 in reply to 4 [link] [source]

dougf@Lenovo:~$ type -a ssh
ssh is /cygdrive/c/WINDOWS/System32/OpenSSH/ssh
ssh is /cygdrive/c/WINDOWS/System32/OpenSSH/ssh
ssh is /cygdrive/c/Program Files/Git/usr/bin/ssh
dougf@Lenovo:~$ which ssh
/cygdrive/c/WINDOWS/System32/OpenSSH/ssh

(6.1) By Warren Young (wyoung) on 2025-05-09 17:43:34 edited from 6.0 in reply to 5 [link] [source]

I was expecting that you had a copy of Cygwin SSH interfering, resulting in two different .ssh config directories, but we see that this is not the case.

The only other thing I can think of is that you have an SSH agent of some type keeping the key unlocked in the first instance and not in the second, but lacking information as to how you accomplished that, I can't advise how to translate it to the Fossil case.

That's the general answer, though: configure an SSH agent. Keeping keys ready to reuse after being unlocked once is what they do.

Personally, I use 1Password for this,[1] but it is far from the only option.

  [1] …on macOS, but the solution is portable

(7) By Martin Gagnon (mgagnon) on 2025-05-09 18:31:10 in reply to 3 [link] [source]

OK, so probably something similar, but with Cygwin. You need to make sure fossil calls the same ssh command as when you type it manually, and it needs to have access to the same magic that gives access to your ssh keys (ssh-agent or similar).

  • What is the output of fossil set ssh-command
    (do you have something defined ?)

  • If you do fossil --sshtrace pull, you should see what ssh command is used by fossil.

    • something like RUN ssh -e none -T -- <host> fossil test-http ...
    • What do you see?
    • If you get something different?
      • you can type the same command manually, but replace "fossil test-http ..." by something like "ls" or "uname"... to see if it asks you for a passphrase.

(9) By Doug (doug9forester) on 2025-05-09 20:30:07 in reply to 7 [link] [source]

Using the ui settings, ssh-command is not set.

(8) By Dave Polaschek (davepolaschek) on 2025-05-09 18:35:49 in reply to 1 [link] [source]

Set up a user for scm on the VPS and restrict that user to only run fossil (with options, perhaps?) in the authorized_keys file similar to this description for rsync: https://gist.github.com/jyap808/8700714

No passphrase needed, and better security than having an unrestricted user.

(10) By Doug (doug9forester) on 2025-05-09 23:12:05 in reply to 8 [link] [source]

I am prompted for the passphrase on fossil commit:

dougf@Lenovo:~/asl_clone/trunk$ fossil commit --sshtrace
Pull from ssh://dougf@drop1.judysplants.me//home/dougf/cs/asl.fossil
RUN ssh -e none -T -- "dougf@drop1.judysplants.me" "PATH=$HOME/bin:/usr/local/bin:/opt/homebrew/bin:$PATH" fossil test-http /home/dougf/cs/asl.fossil
Enter passphrase for key '/c/Users/dougf/.ssh/id_ed25519':
Got line: [Status: 200 OK]
Got line: [Cache-control: no-cache]
Got line: [X-Frame-Options: SAMEORIGIN]
Got line: [Content-Type: application/x-fossil]
Got line: [Content-Length: 586]
Got line: []
Reading 586 bytes with 1 on hand...  Got 586 bytes
Round-trips: 1   Artifacts sent: 0  received: 0
Pull done, wire bytes sent: 435  received: 715  remote: drop1.judysplants.me
nothing has changed; use --allow-empty to override

If I run just the ssh part of it, it doesn't prompt me for the passphrase:

ssh -e none -E sshf1.log -T -- "dougf@drop1.judysplants.me" "PATH=/home/dougf/bin:/usr/local/bin:/opt/homebrew/bin" /usr/bin/fossil test-http /home/dougf/cs/asl.fossil
OpenSSH_for_Windows_9.5p1, LibreSSL 3.8.2
debug1: Reading configuration data C:\\Users\\dougf/.ssh/config
debug1: Connecting to drop1.judysplants.me [209.38.129.250] port 22.
debug1: Connection established.
...

And I know fossil runs on the remote site from the log (it's not successful because an http session is not established):

...
debug1: Sending command: PATH=/home/dougf/bin:/usr/local/bin:/opt/homebrew/bin /usr/bin/fossil test-http /home/dougf/cs/asl.fossil
debug1: pledge: fork
debug1: channel 0: free: client-session, nchannels 1
Transferred: sent 2248, received 2692 bytes, in 12.8 seconds
Bytes per second: sent 175.6, received 210.3
debug1: Exit status -1

From this I conclude that fossil using "RUN ssh ..." is the culprit. Is there perhaps authorization missing when using RUN that running ssh native has?

(11.1) By Andy Bradford (andybradford) on 2025-05-10 01:32:28 edited from 11.0 in reply to 10 [link] [source]

> Enter passphrase for key '/c/Users/dougf/.ssh/id_ed25519':

What if you add this key to your ssh-agent?

ssh-add /c/Users/dougf/.ssh/id_ed25519

Then retry the Fossil command.

If that doesn't work, then it's almost as if the Fossil command is being
prevented from obtaining the key from the ssh-agent.

(14) By Doug (doug9forester) on 2025-05-12 16:57:27 in reply to 11.1 [link] [source]

I cloned fossil and built it. When I tried ssh with that build, it did not ask me for my passphrase. The version that failed is "fossil version 2.26 [593ceca27d] 2024-12-17 12:38:33 UTC". So I used fossil bisect (compiling each version) to find the first failure. And none of them failed! Not even the version that failed before. Is there a way to tell what the options are on my failing version vs the working versions to understand the problem? I still have it.

(15) By Stephan Beal (stephan) on 2025-05-12 17:13:49 in reply to 14 [link] [source]

> So I used fossil bisect (compiling each version) to find the first failure. And none of them failed! Not even the version that failed before.

Were you careful to do a "make clean" (or, even better, "make distclean", followed by "./configure") between each build? It's very easy to get stale object files (from previous builds) if you don't, and that can lead to unexpected results such as that.

(16) By Doug (doug9forester) on 2025-05-12 20:22:37 in reply to 15 [link] [source]

Stephan, I am building on Windows using Native Tools CLI and win/buildmsvc.bat. The bat file has a clean built in. I cannot find a ./configure to run, nor are there targets "clean" and "distclean" anywhere for make (or nmake). There is a configure file but windows won't run it. I am building fossil, remember...

(17) By Richard Hipp (drh) on 2025-05-12 23:26:16 in reply to 16 [link] [source]

> I am building on Windows using Native Tools CLI

See https://fossil-scm.org/home/wiki?name=Release+Build+How-To, scrolling down to the part about Windows 32-bit or Windows 64-bit, as appropriate for your situation. The key command is:

nmake /f Makefile.msc FOSSIL_ENABLE_SSL=1 OPTIMIZATIONS=4 clean fossil.exe

Or build64 or built32, which are thin wrappers around the above. I'm not sure where buildmsvc.bat came from and I have never used it. I do not know whether or not it works.

(18) By Doug (doug9forester) on 2025-05-13 05:06:47 in reply to 17 [source]

(12) By Martin Gagnon (mgagnon) on 2025-05-10 02:04:16 in reply to 10 [link] [source]

> From this I conclude that fossil using "RUN ssh ..." is the culprit. Is there perhaps authorization missing when using RUN that running ssh native has?

Fossil only executes the "native" ssh, as when you execute it on a terminal. Perhaps in your case, when ssh is executed from fossil, it cannot authenticate to the process holding the keys. Maybe a mix of Cygwin environment with native Windows environment? I have no clue.

  • As I saw in your previous post, it seems ssh.exe is the native Windows ssh, since "type -a" returns the one from c:\windows\system32...

    • What fossil executable do you use? Cygwin package? The one from the fossil website download page? Did you compile it yourself (under Cygwin or using msvc or something else)?
    • What do you use as the authentication agent for your keys? Native Windows ssh-agent service, or something else?
  • Do you have the same issue if you use fossil directly from PowerShell or Cmd?
    (If calling ssh directly from the same shell works without asking for the passphrase)

When I have time, I will experiment with this on Windows; I haven't used ssh key authentication on Windows in a while. Maybe I was using plink with pageant (from PuTTY) at the time, before Microsoft packaged OpenSSH for Windows.

(13) By Martin Gagnon (mgagnon) on 2025-05-10 03:10:48 in reply to 12 [link] [source]

> When I have time, I will experiment with this on Windows ...

Follow-up...

I just tried on a Windows 11 (64-bit) VM, in PowerShell and under Cygwin64, using the built-in Windows ssh and ssh-agent; I couldn't reproduce the problem.

I tried with release 2.26 downloaded from the fossil website (windows64) and the outdated fossil installed using the Cygwin setup (from 5 years ago), and both work.

For the ssh key authentication, I followed the procedure from the "User key generation" section of the Microsoft website. It explains how to permanently enable the ssh-agent service and add the key permanently.
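
The agent setup and checks discussed in this thread (which ssh is on PATH, enabling the Windows ssh-agent service, ssh-add), collected into one PowerShell script as an added example; it is not from any poster and not part of Fossil. It assumes an elevated PowerShell session, the key path shown in the thread's passphrase prompt, and a placeholder `$remote` that you replace with your own login.

```powershell
# Added example. Run in an elevated PowerShell session (Set-Service needs admin rights).
$key    = Join-Path $env:USERPROFILE '.ssh\id_ed25519'   # key path from the thread's prompt
$remote = 'user@vps.example'                              # placeholder, not from the thread

# 1. List every ssh on PATH. Fossil runs plain "ssh" unless ssh-command is set,
#    so the first entry is the client that must be able to reach the agent.
Get-Command ssh -All | ForEach-Object { $_.Source }
fossil set ssh-command          # run from inside the checkout; empty means "not set"

# 2. Make the built-in OpenSSH agent service start automatically, and start it now.
$svc = Get-Service -Name ssh-agent
if ($svc.StartType -ne 'Automatic') { Set-Service -Name ssh-agent -StartupType Automatic }
if ($svc.Status -ne 'Running')      { Start-Service -Name ssh-agent }

# 3. Compare the key's fingerprint with what the agent holds; add the key only if missing.
#    ssh-keygen -lf prints "<bits> <fingerprint> <comment> (<type>)".
if (-not (Test-Path "$key.pub")) { throw "Public key $key.pub not found." }
$fp   = ((& ssh-keygen -lf "$key.pub") -split '\s+')[1]
$held = & ssh-add -l 2>$null
if ($LASTEXITCODE -eq 2) {
    # Exit status 2 means ssh-add could not contact an agent at all.
    throw 'ssh-add cannot reach an agent; this ssh client is not talking to the ssh-agent service.'
}
if (-not (($held -join "`n").Contains($fp))) {
    & ssh-add $key              # prompts for the passphrase once
}

# 4. Non-interactive check: BatchMode=yes makes ssh fail instead of prompting,
#    so exit status 0 means the agent supplied the key.
& ssh -o BatchMode=yes -T $remote true
if ($LASTEXITCODE -eq 0) { 'agent authentication works' }
else                     { 'ssh failed or would have prompted; the agent is not serving this key' }
```

If step 4 succeeds but `fossil --sshtrace pull` still prompts, compare the `RUN ssh ...` line it prints with the first path listed in step 1.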