diff --git a/scripts/ssh/ssh-auth.php b/scripts/ssh/ssh-auth.php
index b25905668b..3c4f3f2b33 100755
--- a/scripts/ssh/ssh-auth.php
+++ b/scripts/ssh/ssh-auth.php
@@ -1,87 +1,122 @@
 #!/usr/bin/env php
 <?php
 
 $root = dirname(dirname(dirname(__FILE__)));
-require_once $root.'/scripts/__init_script__.php';
+require_once $root.'/scripts/init/init-script.php';
+
+// NOTE: We are caching a datastructure rather than the flat key file because
+// the path on disk to "ssh-exec" is arbitrarily mutable at runtime. See T12397.
 
 $cache = PhabricatorCaches::getMutableCache();
-$authfile_key = PhabricatorAuthSSHKeyQuery::AUTHFILE_CACHEKEY;
-$authfile = $cache->getKey($authfile_key);
+$authstruct_key = PhabricatorAuthSSHKeyQuery::AUTHSTRUCT_CACHEKEY;
+$authstruct_raw = $cache->getKey($authstruct_key);
+
+$authstruct = null;
+
+if (strlen($authstruct_raw)) {
+  try {
+    $authstruct = phutil_json_decode($authstruct_raw);
+  } catch (Exception $ex) {
+    // Ignore any issues with the cached data; we'll just rebuild the
+    // structure below.
+  }
+}
 
-if ($authfile === null) {
+if ($authstruct === null) {
   $keys = id(new PhabricatorAuthSSHKeyQuery())
     ->setViewer(PhabricatorUser::getOmnipotentUser())
     ->withIsActive(true)
     ->execute();
 
   if (!$keys) {
     echo pht('No keys found.')."\n";
     exit(1);
   }
 
-  $bin = $root.'/bin/ssh-exec';
+  $key_list = array();
   foreach ($keys as $ssh_key) {
     $key_argv = array();
     $object = $ssh_key->getObject();
     if ($object instanceof PhabricatorUser) {
       $key_argv[] = '--phabricator-ssh-user';
       $key_argv[] = $object->getUsername();
     } else if ($object instanceof AlmanacDevice) {
       if (!$ssh_key->getIsTrusted()) {
         // If this key is not a trusted device key, don't allow SSH
         // authentication.
         continue;
       }
       $key_argv[] = '--phabricator-ssh-device';
       $key_argv[] = $object->getName();
     } else {
       // We don't know what sort of key this is; don't permit SSH auth.
       continue;
     }
 
     $key_argv[] = '--phabricator-ssh-key';
     $key_argv[] = $ssh_key->getID();
 
-    $cmd = csprintf('%s %Ls', $bin, $key_argv);
-
-    $instance = PhabricatorEnv::getEnvConfig('cluster.instance');
-    if (strlen($instance)) {
-      $cmd = csprintf('PHABRICATOR_INSTANCE=%s %C', $instance, $cmd);
-    }
-
-    // This is additional escaping for the SSH 'command="..."' string.
-    $cmd = addcslashes($cmd, '"\\');
-
     // Strip out newlines and other nonsense from the key type and key body.
-
     $type = $ssh_key->getKeyType();
     $type = preg_replace('@[\x00-\x20]+@', '', $type);
     if (!strlen($type)) {
       continue;
     }
 
     $key = $ssh_key->getKeyBody();
     $key = preg_replace('@[\x00-\x20]+@', '', $key);
     if (!strlen($key)) {
       continue;
     }
 
-    $options = array(
-      'command="'.$cmd.'"',
-      'no-port-forwarding',
-      'no-X11-forwarding',
-      'no-agent-forwarding',
-      'no-pty',
+    $key_list[] = array(
+      'argv' => $key_argv,
+      'type' => $type,
+      'key' => $key,
     );
-    $options = implode(',', $options);
-
-    $lines[] = $options.' '.$type.' '.$key."\n";
   }
 
-  $authfile = implode('', $lines);
+  $authstruct = array(
+    'keys' => $key_list,
+  );
+
+  $authstruct_raw = phutil_json_encode($authstruct);
   $ttl = phutil_units('24 hours in seconds');
-  $cache->setKey($authfile_key, $authfile, $ttl);
+  $cache->setKey($authstruct_key, $authstruct_raw, $ttl);
 }
 
+$bin = $root.'/bin/ssh-exec';
+$instance = PhabricatorEnv::getEnvConfig('cluster.instance');
+
+$lines = array();
+foreach ($authstruct['keys'] as $key_struct) {
+  $key_argv = $key_struct['argv'];
+  $key = $key_struct['key'];
+  $type = $key_struct['type'];
+
+  $cmd = csprintf('%s %Ls', $bin, $key_argv);
+
+  if (strlen($instance)) {
+    $cmd = csprintf('PHABRICATOR_INSTANCE=%s %C', $instance, $cmd);
+  }
+
+  // This is additional escaping for the SSH 'command="..."' string.
+  $cmd = addcslashes($cmd, '"\\');
+
+  $options = array(
+    'command="'.$cmd.'"',
+    'no-port-forwarding',
+    'no-X11-forwarding',
+    'no-agent-forwarding',
+    'no-pty',
+  );
+  $options = implode(',', $options);
+
+  $lines[] = $options.' '.$type.' '.$key."\n";
+}
+
+$authfile = implode('', $lines);
+
 echo $authfile;
+
 exit(0);
diff --git a/src/applications/auth/query/PhabricatorAuthSSHKeyQuery.php b/src/applications/auth/query/PhabricatorAuthSSHKeyQuery.php
index 77b666ea44..d8474085b2 100644
--- a/src/applications/auth/query/PhabricatorAuthSSHKeyQuery.php
+++ b/src/applications/auth/query/PhabricatorAuthSSHKeyQuery.php
@@ -1,138 +1,138 @@
 <?php
 
 final class PhabricatorAuthSSHKeyQuery
   extends PhabricatorCursorPagedPolicyAwareQuery {
 
-  const AUTHFILE_CACHEKEY = 'ssh.authfile';
+  const AUTHSTRUCT_CACHEKEY = 'ssh.authstruct';
 
   private $ids;
   private $phids;
   private $objectPHIDs;
   private $keys;
   private $isActive;
 
   public static function deleteSSHKeyCache() {
     $cache = PhabricatorCaches::getMutableCache();
-    $authfile_key = self::AUTHFILE_CACHEKEY;
+    $authfile_key = self::AUTHSTRUCT_CACHEKEY;
     $cache->deleteKey($authfile_key);
   }
 
   public function withIDs(array $ids) {
     $this->ids = $ids;
     return $this;
   }
 
   public function withPHIDs(array $phids) {
     $this->phids = $phids;
     return $this;
   }
 
   public function withObjectPHIDs(array $object_phids) {
     $this->objectPHIDs = $object_phids;
     return $this;
   }
 
   public function withKeys(array $keys) {
     assert_instances_of($keys, 'PhabricatorAuthSSHPublicKey');
     $this->keys = $keys;
     return $this;
   }
 
   public function withIsActive($active) {
     $this->isActive = $active;
     return $this;
   }
 
   public function newResultObject() {
     return new PhabricatorAuthSSHKey();
   }
 
   protected function loadPage() {
     return $this->loadStandardPage($this->newResultObject());
   }
 
   protected function willFilterPage(array $keys) {
     $object_phids = mpull($keys, 'getObjectPHID');
 
     $objects = id(new PhabricatorObjectQuery())
       ->setViewer($this->getViewer())
       ->setParentQuery($this)
       ->withPHIDs($object_phids)
       ->execute();
     $objects = mpull($objects, null, 'getPHID');
 
     foreach ($keys as $key => $ssh_key) {
       $object = idx($objects, $ssh_key->getObjectPHID());
 
       // We must have an object, and that object must be a valid object for
       // SSH keys.
       if (!$object || !($object instanceof PhabricatorSSHPublicKeyInterface)) {
         $this->didRejectResult($ssh_key);
         unset($keys[$key]);
         continue;
       }
 
       $ssh_key->attachObject($object);
     }
 
     return $keys;
   }
 
   protected function buildWhereClauseParts(AphrontDatabaseConnection $conn) {
     $where = parent::buildWhereClauseParts($conn);
 
     if ($this->ids !== null) {
       $where[] = qsprintf(
         $conn,
         'id IN (%Ld)',
         $this->ids);
     }
 
     if ($this->phids !== null) {
       $where[] = qsprintf(
         $conn,
         'phid IN (%Ls)',
         $this->phids);
     }
 
     if ($this->objectPHIDs !== null) {
       $where[] = qsprintf(
         $conn,
         'objectPHID IN (%Ls)',
         $this->objectPHIDs);
     }
 
     if ($this->keys !== null) {
       $sql = array();
       foreach ($this->keys as $key) {
         $sql[] = qsprintf(
           $conn,
           '(keyType = %s AND keyIndex = %s)',
           $key->getType(),
           $key->getHash());
       }
       $where[] = implode(' OR ', $sql);
     }
 
     if ($this->isActive !== null) {
       if ($this->isActive) {
         $where[] = qsprintf(
           $conn,
           'isActive = %d',
           1);
       } else {
         $where[] = qsprintf(
           $conn,
           'isActive IS NULL');
       }
     }
 
     return $where;
 
   }
 
   public function getQueryApplicationClass() {
     return 'PhabricatorAuthApplication';
   }
 
 }