git does not ask for password when trying to clone repo with submodule

[StarFire75]

• [x] I was not able to find an open or closed issue matching what I'm seeing

This issue is somewhat related to the issues #1403 and #1191

Setup

• Which version of Git for Windows are you using? Is it 32-bit or 64-bit? 64Bit

$ git --version --build-options

git version 2.16.3.windows.1
cpu: x86_64
built from commit: 5d726e05e4c0ff9e11374e64e21d8300b0291c6d
sizeof-long: 4

• Which version of Windows are you running? Vista, 7, 8, 10? Is it 32-bit or 64-bit?

Windows 7 Professional, all patches applied

(I am currently not able to get at that machine)

• What options did you set as part of the installation? Or did you choose the defaults?

# One of the following:
> type "C:\Program Files\Git\etc\install-options.txt"
> type "C:\Program Files (x86)\Git\etc\install-options.txt"
> type "%USERPROFILE%\AppData\Local\Programs\Git\etc\install-options.txt"
$ cat /etc/install-options.txt

Editor Option: VIM
Path Option: Cmd
Plink Path: C:\Program Files\PuTTY\plink.exe
SSH Option: Plink
CURL Option: WinSSL
CRLF Option: CRLFCommitAsIs
Bash Terminal Option: ConHost
Performance Tweaks FSCache: Enabled
Use Credential Manager: Disabled
Enable Symlinks: Disabled

• Any other interesting things about your environment that might be related to the issue you're seeing?

We can only use username/password to authenticate to the machine

Details

• Which terminal/shell are you running Git from? e.g Bash/CMD/PowerShell/other

CMD

• What commands did you run to trigger this issue? If you can provide a Minimal, Complete, and Verifiable example this will help us understand the issue.

We clone our repository (from our internat git server) like this:

git clone --recurse-submodules ssh://<username>@<git-server>/repositories/<repository>

• What did you expect to occur after running these commands?

-- Ask for password for user -- Retrieve repo, resolve deltas and checkout the files -- Get submodules --- Ask for password for user --- get repo

• What actually happened instead?

The password is asked, the main repo is retrieved and the files are checked out, but for the submodules the password is not asked and (therefore) a permission denied error is thrown. The prompt for asking the password is shown, but it is never asked.

We cannot change to another terminal on that machine nor can we use key-based authentication, because that is a general machine where different users log in.

[shiftkey]

The password is asked, the main repo is retrieved and the files are checked out, but for the submodules the password is not asked and (therefore) a permission denied error is thrown.

@StarFire75 are these problem submodules configured with HTTPS, SSH or git:// URLs? These details are stored in the .gitmodules file at the root of the repository, and will help with understanding your setup better?

[StarFire75]

They are relative to the main repo. The content of .gitmodules looks like:

[submodule "_dev/src/drivers"]
    path = _dev/src/drivers
    url = ../drivers.git
[submodule "_dev/src/MeasCtrl/Device/Driver/CAA/Wenzel"]
    path = _dev/src/MeasCtrl/Device/Driver/CAA/Wenzel
    url = ../CAA.git

[StarFire75]

Re-opened due to clicking the wrong button before

[dscho]

Could you set the environment variable GIT_TRACE=1 and re-run the clone, then paste the full output (with sensitive information censored out)?

[StarFire75]

Sorry for the delay, the machine was in use the whole day.

Here it is:

C:\Projects\test>git clone --recurse-submodules ssh://ATs@git.metromec.ch/repositories/quartis.git QUARTIS
17:31:49.218267 git.c:344               trace: built-in: git 'clone' '--recurse-submodules' 'ssh://ATs@git.metromec.ch/repositories/quartis.git' 'QUARTIS'
Cloning into 'QUARTIS'...
17:31:49.358667 run-command.c:627       trace: run_command: 'ssh' 'ATs@git.metromec.ch' 'git-upload-pack '\''/repositories/quartis.git'\'''
warning: failed to restrict file handles (1450)

ATs@git.metromec.ch's password:
17:31:58.125882 run-command.c:627       trace: run_command: 'index-pack' '--stdin' '-v' '--fix-thin' '--keep=fetch-pack 308 on TZ1-RS-PH10' '--check-self-contained-and-connected'
17:31:58.890284 git.c:344               trace: built-in: git 'index-pack' '--stdin' '-v' '--fix-thin' '--keep=fetch-pack 308 on TZ1-RS-PH10' '--check-self-contained-and-connected'
remote: Zähle Objekte: 648373, Fertig.
remote: Komprimiere Objekte: 100% (105266/105266), Fertig.
remote: Total 648373 (delta 548859), reused 639445 (delta 541178)
Receiving objects: 100% (648373/648373), 942.27 MiB | 30.53 MiB/s, done.
Resolving deltas: 100% (548859/548859), done.
17:34:02.161700 run-command.c:627       trace: run_command: 'rev-list' '--objects' '--stdin' '--not' '--all' '--quiet' ' --progress=Checking connectivity'
17:34:02.192900 git.c:344               trace: built-in: git 'rev-list' '--objects' '--stdin' '--not' '--all' '--quiet' '--progress=Checking connectivity'
Checking out files: 100% (13569/13569), done.
17:35:52.407094 run-command.c:627       trace: run_command: 'submodule' 'update' '--init' '--recursive' '--progress'
17:35:52.422694 git.c:576               trace: exec: 'git-submodule' 'update' '--init' '--recursive' '--progress'
17:35:52.968695 run-command.c:627       trace: run_command: 'git-submodule' 'update' '--init' '--recursive' '--progress'

warning: failed to restrict file handles (1450)

17:35:58.038704 git.c:576               trace: exec: 'git-sh-i18n--envsubst' '--variables' 'usage: $dashless $USAGE'
17:35:58.038704 run-command.c:627       trace: run_command: 'git-sh-i18n--envsubst' '--variables' 'usage: $dashless $USAGE'
warning: failed to restrict file handles (1450)

17:35:59.505106 git.c:576               trace: exec: 'git-sh-i18n--envsubst' 'usage: $dashless $USAGE'
17:35:59.505106 run-command.c:627       trace: run_command: 'git-sh-i18n--envsubst' 'usage: $dashless $USAGE'
warning: failed to restrict file handles (1450)

17:36:00.082307 git.c:344               trace: built-in: git 'rev-parse' '--git-dir'
17:36:00.238308 git.c:344               trace: built-in: git 'rev-parse' '--git-path' 'objects'
17:36:00.331908 git.c:344               trace: built-in: git 'rev-parse' '-q' '--git-dir'
17:36:00.409908 git.c:344               trace: built-in: git 'rev-parse' '--show-prefix'
17:36:00.441108 git.c:344               trace: built-in: git 'rev-parse' '--show-toplevel'
17:36:00.503508 git.c:344               trace: built-in: git 'submodule--helper' 'init'
Submodule '_dev/src/MeasCtrl/Device/Driver/CAA/Wenzel' (ssh://ATs@git.metromec.ch/repositories/CAA.git) registered for path '_dev/src/MeasCtrl/Device/Driver/CAA/Wenzel'
Submodule '_dev/src/drivers' (ssh://ATs@git.metromec.ch/repositories/drivers.git) registered for path '_dev/src/drivers'

17:36:01.065109 git.c:344               trace: built-in: git 'submodule--helper' 'update-clone' '--progress'
17:36:01.065109 run-command.c:1470      run_processes_parallel: preparing to run up to 1 tasks
17:36:01.065109 run-command.c:627       trace: run_command: 'submodule--helper' 'clone' '--progress' '--path' '_dev/src/MeasCtrl/Device/Driver/CAA/Wenzel' '--name' '_dev/src/MeasCtrl/Device/Driver/CAA/Wenzel' '--url' 'ssh://ATs@git.metromec.ch/repositories/CAA.git'
17:36:01.096309 git.c:344               trace: built-in: git 'submodule--helper' 'clone' '--progress' '--path' '_dev/src/MeasCtrl/Device/Driver/CAA/Wenzel' '--name' '_dev/src/MeasCtrl/Device/Driver/CAA/Wenzel' '--url' 'ssh://ATs@git.metromec.ch/repositories/CAA.git'
17:36:01.096309 run-command.c:627       trace: run_command: 'clone' '--no-checkout' '--progress' '--separate-git-dir' 'C:/Projects/test/QUARTIS/.git/modules/_dev/src/MeasCtrl/Device/Driver/CAA/Wenzel' 'ssh://ATs@git.metromec.ch/repositories/CAA.git' 'C:/Projects/test/QUARTIS/_dev/src/MeasCtrl/Device/Driver/CAA/Wenzel'
17:36:01.205509 git.c:344               trace: built-in: git 'clone' '--no-checkout' '--progress' '--separate-git-dir' 'C:/Projects/test/QUARTIS/.git/modules/_dev/src/MeasCtrl/Device/Driver/CAA/Wenzel' 'ssh://ATs@git.metromec.ch/repositories/CAA.git' 'C:/Projects/test/QUARTIS/_dev/src/MeasCtrl/Device/Driver/CAA/Wenzel'
17:36:02.250711 run-command.c:627       trace: run_command: 'ssh' 'ATs@git.metromec.ch' 'git-upload-pack '\''/repositories/CAA.git'\'''
Cloning into 'C:/Projects/test/QUARTIS/_dev/src/MeasCtrl/Device/Driver/CAA/Wenzel'...
Permission denied, please try again.
Permission denied, please try again.
ATs@git.metromec.ch: Permission denied (publickey,password).
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.
fatal: clone of 'ssh://ATs@git.metromec.ch/repositories/CAA.git' into submodule path 'C:/Projects/test/QUARTIS/_dev/src/MeasCtrl/Device/Driver/CAA/Wenzel' failed
Failed to clone '_dev/src/MeasCtrl/Device/Driver/CAA/Wenzel'. Retry scheduled
17:36:02.640712 run-command.c:627       trace: run_command: 'submodule--helper' 'clone' '--progress' '--path' '_dev/src/drivers' '--name' '_dev/src/drivers' '--url' 'ssh://ATs@git.metromec.ch/repositories/drivers.git'
17:36:02.656312 git.c:344               trace: built-in: git 'submodule--helper' 'clone' '--progress' '--path' '_dev/src/drivers' '--name' '_dev/src/drivers' '--url' 'ssh://ATs@git.metromec.ch/repositories/drivers.git'
17:36:02.656312 run-command.c:627       trace: run_command: 'clone' '--no-checkout' '--progress' '--separate-git-dir' 'C:/Projects/test/QUARTIS/.git/modules/_dev/src/drivers' 'ssh://ATs@git.metromec.ch/repositories/drivers.git' 'C:/Projects/test/QUARTIS/_dev/src/drivers'
17:36:02.671912 git.c:344               trace: built-in: git 'clone' '--no-checkout' '--progress' '--separate-git-dir' 'C:/Projects/test/QUARTIS/.git/modules/_dev/src/drivers' 'ssh://ATs@git.metromec.ch/repositories/drivers.git' 'C:/Projects/test/QUARTIS/_dev/src/drivers'
17:36:02.827912 run-command.c:627       trace: run_command: 'ssh' 'ATs@git.metromec.ch' 'git-upload-pack '\''/repositories/drivers.git'\'''
Cloning into 'C:/Projects/test/QUARTIS/_dev/src/drivers'...
Permission denied, please try again.
Permission denied, please try again.
ATs@git.metromec.ch: Permission denied (publickey,password).
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.
fatal: clone of 'ssh://ATs@git.metromec.ch/repositories/drivers.git' into submodule path 'C:/Projects/test/QUARTIS/_dev/src/drivers' failed
Failed to clone '_dev/src/drivers'. Retry scheduled
17:36:03.108713 run-command.c:627       trace: run_command: 'submodule--helper' 'clone' '--progress' '--path' '_dev/src/MeasCtrl/Device/Driver/CAA/Wenzel' '--name' '_dev/src/MeasCtrl/Device/Driver/CAA/Wenzel' '--url' 'ssh://ATs@git.metromec.ch/repositories/CAA.git'
17:36:03.124313 git.c:344               trace: built-in: git 'submodule--helper' 'clone' '--progress' '--path' '_dev/src/MeasCtrl/Device/Driver/CAA/Wenzel' '--name' '_dev/src/MeasCtrl/Device/Driver/CAA/Wenzel' '--url' 'ssh://ATs@git.metromec.ch/repositories/CAA.git'
17:36:03.124313 run-command.c:627       trace: run_command: 'clone' '--no-checkout' '--progress' '--separate-git-dir' 'C:/Projects/test/QUARTIS/.git/modules/_dev/src/MeasCtrl/Device/Driver/CAA/Wenzel' 'ssh://ATs@git.metromec.ch/repositories/CAA.git' 'C:/Projects/test/QUARTIS/_dev/src/MeasCtrl/Device/Driver/CAA/Wenzel'
17:36:03.139913 git.c:344               trace: built-in: git 'clone' '--no-checkout' '--progress' '--separate-git-dir' 'C:/Projects/test/QUARTIS/.git/modules/_dev/src/MeasCtrl/Device/Driver/CAA/Wenzel' 'ssh://ATs@git.metromec.ch/repositories/CAA.git' 'C:/Projects/test/QUARTIS/_dev/src/MeasCtrl/Device/Driver/CAA/Wenzel'
17:36:03.389513 run-command.c:627       trace: run_command: 'ssh' 'ATs@git.metromec.ch' 'git-upload-pack '\''/repositories/CAA.git'\'''
Cloning into 'C:/Projects/test/QUARTIS/_dev/src/MeasCtrl/Device/Driver/CAA/Wenzel'...
Permission denied, please try again.
Permission denied, please try again.
ATs@git.metromec.ch: Permission denied (publickey,password).
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.
fatal: clone of 'ssh://ATs@git.metromec.ch/repositories/CAA.git' into submodule path 'C:/Projects/test/QUARTIS/_dev/src/MeasCtrl/Device/Driver/CAA/Wenzel' failed
Failed to clone '_dev/src/MeasCtrl/Device/Driver/CAA/Wenzel' a second time, aborting
17:36:03.841914 run-command.c:1502      run_processes_parallel: done

Warning: Your console font probably doesn't support Unicode. If you experience strange characters in the output, conside
r switching to a TrueType font such as Consolas!

C:\Projects\test>

Before someone asks: Yes, I have the permission. TortoiseGit asks me three times for my password if I use it for cloning.

[dscho]

@StarFire75 thanks for testing this.

Your log confirms that ssh is called with the correct parameters, but that it is probably unable to access /dev/tty to query the credentials interactively.

Two things you could do to clarify further: 1) set the environment variable DISPLAY to something non-empty (and ensure that SSH_ASKPASS is defined in Git Bash) and run again (this should bring up a GUI prompt), and 2) set the environment variable GIT_SSH_COMMAND=ssh -v -v -v -v (note: the log will be really huge, and I don't ask you to paste it here, rather, try to see whether you find some mention of /dev/tty or something else about a failure to access the terminal or the tty).

My hunch is that somewhere along the lines, the connection to the MSYS2 console gets lost, but I have no easy way to verify this as of yet.

[StarFire75]

1) I did so. It didn't work, because it tried to open /usr/bin/..., but this does not work, because I am on a Windows shell (not the git bash, on cmd.exe). I set then SSH_ASKPASS in cmd.exe to the correct path, but it could not execute that either.

2) I set the GIT_SSH_COMMAND to the given value and among that huge output I found:

debug1: read_passphrase: can't open /dev/tty: No such device or address
debug3: send packet: type 50
debug2: we sent a password packet, wait for reply
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,password
Permission denied, please try again.
debug1: read_passphrase: can't open /dev/tty: No such device or address
debug3: send packet: type 50
debug2: we sent a password packet, wait for reply
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,password
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
ATs@git.metromec.ch: Permission denied (publickey,password).
fatal: Could not read from remote repository.

Thank you for your help!

[dscho]

read_passphrase: can't open /dev/tty: No such device or address

Yep, that's the problem all right.

Now, the question is: where does /dev/tty get lost? And the real question is: how do I find the time to debug this?

The really funny part is that you say you are in a CMD window, so /dev/tty should be always there... Hmm.

[StarFire75]

Is there anything I can help with?

[srlowe]

Confirm same problem here.

[srlowe]

BTW - should this still be labelled unclear? Anything we can do to clarify?

[dscho]

should this still be labelled unclear?

Yep. Because it is still unclear where /dev/tty gets lost.

Anything we can do to clarify?

If you have time and skills to debug, yes.

[nathanhi]

Interestingly I stumbled across this issue whilst using Git LFS, which shows exactly the same behaviour when SSH authentication is done to retrieve a token for HTTPS via SSH.

Setting the DISPLAY variable as well as the SSH_ASKPASS & GIT_ASKPASS environment variables to the correct Win32-style path forces the GUI prompt to be shown as expected:

https://github.com/git-lfs/git-lfs/issues/1843#issuecomment-485886409

In Git LFS it seemed to help to only redirect stdout instead of stdout&stderr to avoid this issue. Perhaps it's the redirection that causes msys2(?) to lose /dev/tty?

[mcanyucel]

I am just trying to push a simple repo with lfs to github and it still fails in the same manner in windows 10, both in terminal (powershell) and git bash:

$ git push -u origin master
Enter passphrase for key '/c/Users/tpalh/.ssh/id_ed25519':
batch request: git@github.com: Permission denied (publickey).: exit status 255
error: failed to push some refs to 'github.com:some-owner/git-lfs-test.git'

There is a bried moment where it looks like it is uploading (Uploading LFS objects: 0% (0/1), 0 B | 0 B/s), but immediately turns to error above.

The ssh key works on repos with no lfs support and the lfs lockdown is disabled. I have not seen a reply or response that claims to solve the issue. Is there any workaround except using https? I am not in favor of using WSL just for pushing lfs repos :/

[dscho]

Okay, a workaround that should work is to set the environment variables SSH_ASKPASS=C:/git-sdk-64/mingw64/bin/git-askpass.exe and DISPLAY=pretend. This should be done in Git Bash already, though...

[dscho]

An even better workaround would be to use ssh-agent.

FWIW I tried to debug this over the weekend, and it would appear as if the connection to /dev/tty (which is a purely MSYS construct, visible only to MSYS programs like Bash and OpenSSH, but not to Git) is lost when spawning the (non-MSYS) Git process. When the MSYS2 runtime (which provides the POSIX emulation for OpenSSH) tries to find it, it falls back to looking at stdin, stdout and stderr. If any of these are connected to the interactive Console, /dev/tty can be found. If none of them is connected, /dev/tty cannot be found, and if that is the case, it is impossible for OpenSSH to query the password interactively via the Console.

Now, when you update submodules recursively, that is done in parallel. That's crucial because that means that even stderr is redirected to a pipe. That's why you cannot get that interactive prompt.

To be quite honest, I do not really know what to do about this. All options (apart from the workarounds I provided above) seem to have serious drawbacks. The best would be to find a way for the MSYS2 runtime to get access to the interactive Console, of course, but that might require Git itself to become an MSYS program (which would come with a severe performance penalty).

[dscho]

This issue might be totally moot soon, anyway, as there is some effort under way to turn git submodule into a built-in (I am rather certain that the problems are caused by git submodule being a shell script).

[AlpyneDreams]

This issue might be totally moot soon, anyway, as there is some effort under way to turn git submodule into a built-in (I am rather certain that the problems are caused by git submodule being a shell script).

Even if git submodule becomes a builtin, the same issue still occurs for Git LFS (git-lfs/git-lfs#4909), who don't yet intend to work around it.

I haven't been able to get the start-ssh-agent workaround to work consistently, but it has once or twice. Perhaps the SSH_ASKPASS/DISPLAY workaround should be applied by Git in for such edge cases in CMD somehow, considering it's the default for Git Bash?

[aw2003]

I've also got this problem: I've tried the SSH_ASKPASS / DISPLAY workaround (2.39.1.windows.1) and it doesn't appear to have helped - I've checked environment vars and all appears to line up, in both git bash and CMD.

[ingenarel]

had the same issue. i'm using windows 10, 64 bit. downloaded git using scoop, and then realized that git submodules weren't working properly like they did on linux. this workaround does seems to fix it.

but i see that for some people, a gui pops up. however for me, cloning and other stuff doesn't pop out a gui, it just askes the password in the terminal like it usually does in linux. however, the submodule does pop out a gui.

[dscho]

Could you please test with Git for Windows v2.47.0-rc0? It comes with a new MSYS2 runtime version that I hope fixes this.

[aw2003]

I use Git via GitExtensions, and I can report everything appears to be working WRT submodules for me at this point. Locally I'm now using 2.46.0 on windows, so I guess the use-cases I have have been fixed before 2.47.0...

[dscho]

I use Git via GitExtensions, and I can report everything appears to be working WRT submodules for me at this point.

Great!

Locally I'm now using 2.46.0 on windows, so I guess the use-cases I have have been fixed before 2.47.0...

For completeness, could I ask you to test with v2.47.0-rc0 (to make sure that this does not regress again, as we have a pretty big MSYS2 runtime update in that version)?

[dscho]

I'll just go ahead and assume that it works with v2.47.0.