Create
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Sign up Log in
Products
See all
Community resources
Interests
See all
Community resources
Top groups
Explore all groups
Community resources

It's not the same without you

Join the community to find out what other Atlassian users are discussing, debating and creating.

Sign up for free Log in
Atlassian Community Hero Image Collage

On Windows GIT_SSH environment variable not respected

Dominic P
Dominic P May 25, 2018

After a recent update, SSH with SourceTree broke on me.

On my private repos I only allow modern, secure SSH ciphers. This used to work fine, but now I get a "No matching cipher found" error anytime I try to fetch or push. It looks like the official Windows Git comes bundled with an old or crippled OpenSSH client that doesn't support modern ciphers.

For command line usage, I was able to work around this by setting the GIT_SSH variable to point to my Cygwin SSH client. But, SourceTree doesn't seem to respect this setting and still tries to use the bundled SSH client.

Any ideas on how I can work around this?

Answer
Watch
Like creatorbri likes this

2 answers

1 accepted

0 votes
Answer accepted
Dominic P
Dominic P Jun 19, 2018

Someone on GitHub found a work around for this!

It turns out there is a hard-coded cipher list in Program Files\Git\etc\ssh\ssh_config. All you have to do is comment that line and everything works again.

I still don't know how it was working before the update, but at least it's working now. We can go ahead and close this.

Reply
0 votes
Mike Corsaro
Mike Corsaro Atlassian Team May 29, 2018

Hello! Could you make sure your PATH environment variable is set to the location of your SSH agent? Sourcetree uses that setting to find the SSH agent to use.

View More Comments
Dominic P
Dominic P May 29, 2018

Hi Mike, thanks for the helpful response. I tweaked the PATH variable so the Cygwin bin directory came before the Git directory, but unfortunately, even after a restart, I'm seeing the same behavior from SourceTree.

From Windows cmd, I can type in: `ssh git@myserver.com` and connect with no problem. So, the environment variables are correct.

You mentioned the SSH agent. I don't think this is an issue with the agent so much as the SSH binary itself. I'm not sure what ssh client SourceTree is trying to use, but it doesn't support modern ciphers like chacha20-poly1305@openssh.com or aes256-gcm@openssh.com

Like
Mike Corsaro
Mike Corsaro Atlassian Team May 29, 2018

Are you using Embedded Git, or System Git? And are you using OpenSSH, or Putty? Additionally, I would try replacing "ssh-agent.exe" in the current git install with your new one.

Like
Dominic P
Dominic P May 29, 2018

Hi Mike, I've tried it with both embedded and system Git, and I get the same results with both. I'm using OpenSSH not Putty.

I replaced the ssh-agent.exe in the Git install, and nothing changed. Then, I tried replacing the ssh.exe in the Git install and I got a new error about cygwin heap mismatch. So, I have at least confirmed that SoureTree is using the ssh binary included in the Git install and not the one that comes first in the PATH environment variable.

It would be nice if SourceTree respected the GIT_SSH environment variable because I could just point it to the binary I want to use without messing with my PATH. In my case, I actually need the Git bin to come before my cygwin bin for interoperability with other apps (namely npm which has some kind of vendetta against cygwin).

Like
Mike Corsaro
Mike Corsaro Atlassian Team May 29, 2018

We don't often see users using a custom SSH agent, but I'll file a ticket to add support. I'd also recommend filing a ticket on the Git for Windows repo to ask and see if they're willing to upgrade the current openssh version.

Like
Dominic P
Dominic P May 29, 2018

Ok, now I'm really confused. I starting gathering version information to do what you suggested, and I discovered that the bundled OpenSSH with Git is actually newer than my cygwin version and specifically lists support (via "ssh -Q cipher") for all of the ciphers my server is offering.

But, even though it says it supports those ciphers, I get the same error about no matching cipher found if I try to use it directly from the command line.

I tested it against some other SSH servers, and it seemed to negotiate a cipher without issue. Any ideas at this point? It's almost starting to sounds like an issue with my server although it was working perfectly before the update.

Like
Dominic P
Dominic P Jun 13, 2018 • edited

I filed an issue for this on the Git for Windows repo here: https://github.com/git-for-windows/git/issues/1723

Like
Reply

Suggest an answer

Log in or Sign up to answer
Sourcetree
Sourcetree
TAGS
Community showcase
Andy Heinzer
Andy Heinzer
Published in Sourcetree

Sourcetree for Windows - CVE-2019-11582 - Remote Code Execution vulnerability

A vulnerability has been published today in regards to Sourcetree for Windows.  The goal of this article is to give you a summary of information we have gathered from Atlassian Community as a st...

4,999 views 0 12
Read article

Community Events

Connect with like-minded Atlassian users at free events near you!

Find an event

Connect with like-minded Atlassian users at free events near you!

Unfortunately there are no Community Events near you at the moment.

Host an event

You're one step closer to meeting fellow Atlassian users at your local event. Learn more about Community Events

Events near you