fix: handle non-passphrase SSH prompts in askpass script #1658

Open
vinokurig wants to merge 1 commit into devfile:main from vinokurig:che-23874
@vinokurig

@vinokurig vinokurig commented Jun 24, 2026

Contributor

What does this PR do?

Add early exit for SSH prompts that aren't requesting passphrase input. This prevents the askpass script from attempting to provide a passphrase for other SSH prompts like host key verification.

What issues does this PR fix or reference?

fixes eclipse-che/che#23874

Is it tested? How?

  1. Apply a DevWorkspace with a private git repository, e.g.:

     apiVersion: workspace.devfile.io/v1alpha2
     kind: DevWorkspace
     metadata:
       name: private
     spec:
       started: true
       template:
         components:
           - container:
               env:
                 - name: HOST_USERS
                   value: 'true'
               image: 'quay.io/devfile/universal-developer-image:ubi9-latest'
               sourceMapping: /projects
             name: universal-developer-image
         projects:
           - git:
               remotes:
                 origin: 'https://github.com/vinokurig/private.git'
             name: private

  2. Check the project-clone container logs and see no error messages.

PR Checklist

  • E2E tests pass (when PR is ready, comment /test v8-devworkspace-operator-e2e, v8-che-happy-path to trigger)
    • v8-devworkspace-operator-e2e: DevWorkspace e2e test
    • v8-che-happy-path: Happy path for verification integration with Che

Summary by CodeRabbit

  • Bug Fixes
    • Improved SSH askpass handling to respond only to key passphrase prompts (e.g., “Enter passphrase for key …”).
    • Non-passphrase prompts (such as username/password requests) are now ignored to prevent incorrect responses.

@openshift-ci

openshift-ci Bot commented Jun 24, 2026


Hi @vinokurig. Thanks for your PR.

I'm waiting for a devfile member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Tip

We noticed you've done this a few times! Consider joining the org to skip this step and gain /lgtm and other bot rights. We recommend asking approvers on your previous PRs to sponsor you.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@coderabbitai

coderabbitai Bot commented Jun 24, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 9722a329-b6d7-4ca8-90ca-bd83a3987c39

📥 Commits

Reviewing files that changed from the base of the PR and between 09069d1 and d4e3057.

📒 Files selected for processing (1)
  • pkg/provision/workspace/ssh-askpass.sh
🚧 Files skipped from review as they are similar to previous changes (1)
  • pkg/provision/workspace/ssh-askpass.sh

📝 Walkthrough

ssh-askpass.sh now checks its first prompt argument and only handles Enter passphrase for key ... requests. Other prompt types exit immediately with status 0.

Changes

ssh-askpass prompt filtering

Layer / File(s) | Summary
Prompt-type guard (pkg/provision/workspace/ssh-askpass.sh) | Adds a conditional check on the first argument; non-matching prompts exit silently with status 0, so the helper does not respond to HTTPS credential prompts.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~5 minutes

Poem

🐰 I sniff the prompt and give a hop,
Only key passphrases get my stop.
HTTPS calls? I fade away,
Quiet as moss at the end of day.

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name | Status | Explanation
Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled.
Title check | ✅ Passed | The title clearly matches the main change: the askpass script now ignores non-passphrase SSH prompts.
Linked Issues check | ✅ Passed | The change addresses #23874 by preventing askpass from handling non-passphrase prompts, removing the SSH noise during HTTPS workspace start.
Out of Scope Changes check | ✅ Passed | Only the askpass prompt handling was adjusted, with no unrelated code changes visible.
Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


@tolusha

tolusha commented Jun 24, 2026

Contributor

Hi! I'm che-ai-assistant — I help with your pull requests.

Available commands:

  • /che-ai-assistant generate-che-doc — Generate a documentation PR based on this PR's changes
  • /che-ai-assistant ok-pr-review — Run a comprehensive PR review (summary, code review, deep review, impact analysis)
  • /che-ai-assistant help — Show this help message

@rohanKanojia

rohanKanojia commented Jun 24, 2026

Member

/che-ai-assistant ok-pr-review

Review is complete. Please check the review comments below.

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@pkg/provision/workspace/ssh-askpass.sh`:
- Around line 3-5: The askpass guard in ssh-askpass.sh is using a bash-only
conditional even though the script is declared with a POSIX shell shebang.
Update the prompt check in the top-level guard to use POSIX-compatible syntax
such as a case statement, and keep the behavior in the script’s early-exit path
the same so only prompts matching the passphrase prefix continue while all other
prompts exit cleanly.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 340019fc-3154-459d-b6e7-ea31c75e11ea

📥 Commits

Reviewing files that changed from the base of the PR and between af782ad and a31023f.

📒 Files selected for processing (1)
  • pkg/provision/workspace/ssh-askpass.sh

Comment thread pkg/provision/workspace/ssh-askpass.sh Outdated

@tolusha tolusha left a comment

Contributor

Comprehensive Review Summary

I've completed a multi-stage review (summary, standard, deep, and impact analysis) of this PR. Here's the consolidated feedback:

Critical Issue - Must Fix Before Merge

POSIX Shell Compatibility (line 3): The script declares #!/bin/sh but uses [[ ]] syntax, which is bash-specific. On workspace containers using Alpine, BusyBox, or other images where /bin/sh is dash/ash, this will produce a syntax error and break all SSH operations.

Fix: Replace with POSIX case statement:

case "$1" in
  "Enter passphrase for key '"*) ;;
  *) exit 0 ;;
esac

This issue was also flagged by CodeRabbit/ShellCheck SC3010.

Suggestions (Non-Blocking)

  1. Add test coverage: Consider adding a Go test to validate the embedded script is valid POSIX shell (sh -n syntax check)
  2. Observability: The new guard exits silently for non-passphrase prompts. Consider adding optional debug logging (e.g., echo "DEBUG: ignoring non-passphrase prompt: $1" >&2 behind an env var) to aid production debugging
  3. Shell best practices: While not introduced by this PR, consider quoting $PASSPHRASE_FILE_PATH in the existing file check to follow POSIX best practices

Does This PR Solve the Issue?

Yes - This correctly fixes eclipse-che/che#23874 by preventing the askpass script from responding to HTTPS credential prompts with misleading SSH passphrase errors.

Positive Feedback

  • ✅ Minimal, well-scoped fix
  • ✅ Clear comment explaining the intent
  • ✅ PR description includes reproduction steps and links to upstream issue
  • ✅ Pattern match is specific enough to avoid false positives

Review Verdict

🔄 Request Changes - The POSIX shell compatibility issue must be fixed (straightforward case statement replacement). Everything else looks good.


Review generated by Claude Code with ok-pr-review skills: /ok-pr-review:learn-repo, /ok-pr-review:summary, /ok-pr-review:review, /ok-pr-review:deep-review, /ok-pr-review:impact
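
An added example, not code from this PR or from the project: a POSIX sh reconstruction of the guard discussed in the review above, exercised against constructed prompts, with an `sh -n` parse check of the corrected and the malformed `case` pattern. The function names, the passphrase-file argument and the sample prompts are assumptions; the body of the real ssh-askpass.sh is not shown on this page.

```shell
#!/bin/sh
# Added example; not the project's ssh-askpass.sh. Function names, the
# passphrase-file argument and all sample prompts are constructed.

# 0 if the prompt asks for a key passphrase, 1 for anything else.
is_passphrase_prompt() {
  case "$1" in
    "Enter passphrase for key '"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Hypothetical askpass body. $1 = prompt text, $2 = passphrase file path.
askpass_reply() {
  # Non-passphrase prompts: print nothing and report success.
  is_passphrase_prompt "$1" || return 0
  if [ ! -f "$2" ]; then
    echo "Error: passphrase file is missing" >&2
    return 1
  fi
  cat "$2"
}

# Parse-only check (sh -n) of the script text supplied on stdin.
parses_under_sh() {
  tmp=$(mktemp) || return 2
  cat > "$tmp"
  rc=0
  sh -n "$tmp" 2>/dev/null || rc=$?
  rm -f "$tmp"
  return "$rc"
}

# Guard as corrected in review.
check_fixed_guard() {
  parses_under_sh <<'EOF'
case "$1" in
  "Enter passphrase for key '"*) ;;
  *) exit 0 ;;
esac
EOF
}

# Guard with the escaped-quote pattern flagged in review.
check_malformed_guard() {
  parses_under_sh <<'EOF'
case "$1" in
  \"Enter passphrase for key \'*) ;;
  *) exit 0 ;;
esac
EOF
}

# Demo over constructed prompts.
for prompt in \
  "Enter passphrase for key '/etc/ssh/id_example': " \
  "Username for 'https://github.com': " \
  "Password for 'https://github.com': "
do
  if is_passphrase_prompt "$prompt"; then verdict=answer; else verdict=ignore; fi
  printf '%-7s %s\n' "$verdict" "$prompt"
done
check_fixed_guard && echo "fixed guard: parses"
check_malformed_guard || echo "malformed guard: rejected by sh -n"
```

A parse-only check does not flag `[[ ]]`: a shell without that keyword reads `[[` as a command name and fails only at run time, so the ShellCheck finding (SC3010) cited in the review is the check that covers that case.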

Comment thread pkg/provision/workspace/ssh-askpass.sh Outdated
@rohanKanojia

Member

I tested the PR with the above-mentioned steps and can confirm it's working as expected:

project-clone logs with fix (askpass no longer interferes):

Logs for container: project-clone
2026/06/25 06:24:49 Using temporary directory /projects/project-clone-3314971623
2026/06/25 06:24:49 Read DevWorkspace at /devworkspace-metadata/flattened.devworkspace.yaml
2026/06/25 06:24:49 Processing project private
2026/06/25 06:24:49 Cloning project private to /projects/project-clone-3314971623/private
Cloning into '/projects/project-clone-3314971623/private'...
remote: Repository not found.
fatal: Authentication failed for 'https://github.com/vinokurig/private.git/'
2026/06/25 06:24:50 Failed git clone for project private (attempt 1/4): failed to git clone from https://github.com/vinokurig/private.git: exit status 128
2026/06/25 06:24:50 Retrying git clone for project private (attempt 2/4) after 1s
2026/06/25 06:24:51 Cloning project private to /projects/project-clone-3314971623/private
Cloning into '/projects/project-clone-3314971623/private'...
remote: Repository not found.
fatal: Authentication failed for 'https://github.com/vinokurig/private.git/'
2026/06/25 06:24:52 Failed git clone for project private (attempt 2/4): failed to git clone from https://github.com/vinokurig/private.git: exit status 128
2026/06/25 06:24:52 Retrying git clone for project private (attempt 3/4) after 2s
2026/06/25 06:24:54 Cloning project private to /projects/project-clone-3314971623/private
Cloning into '/projects/project-clone-3314971623/private'...
remote: Repository not found.
fatal: Authentication failed for 'https://github.com/vinokurig/private.git/'
2026/06/25 06:24:54 Failed git clone for project private (attempt 3/4): failed to git clone from https://github.com/vinokurig/private.git: exit status 128
2026/06/25 06:24:54 Retrying git clone for project private (attempt 4/4) after 4s
2026/06/25 06:24:58 Cloning project private to /projects/project-clone-3314971623/private
Cloning into '/projects/project-clone-3314971623/private'...
remote: Repository not found.
fatal: Authentication failed for 'https://github.com/vinokurig/private.git/'
2026/06/25 06:24:59 Encountered error while setting up project private: failed to clone project: failed to git clone from https://github.com/vinokurig/private.git: exit status 128

project-clone logs without fix (HTTPS clone triggers askpass errors):

🔹 Logs for container: project-clone
2026/06/25 06:37:09 Using temporary directory /projects/project-clone-1261159005
2026/06/25 06:37:09 Read DevWorkspace at /devworkspace-metadata/flattened.devworkspace.yaml
2026/06/25 06:37:09 Processing project private
2026/06/25 06:37:09 Cloning project private to /projects/project-clone-1261159005/private
Cloning into '/projects/project-clone-1261159005/private'...
Error: passphrase file is missing in the '/etc/ssh/' directory
error: unable to read askpass response from '/.ssh-askpass/ssh-askpass.sh'
fatal: could not read Username for 'https://github.com': No such device or address
2026/06/25 06:37:10 Failed git clone for project private (attempt 1/4): failed to git clone from https://github.com/vinokurig/private.git: exit status 128
2026/06/25 06:37:10 Retrying git clone for project private (attempt 2/4) after 1s
2026/06/25 06:37:11 Cloning project private to /projects/project-clone-1261159005/private
Cloning into '/projects/project-clone-1261159005/private'...
Error: passphrase file is missing in the '/etc/ssh/' directory
error: unable to read askpass response from '/.ssh-askpass/ssh-askpass.sh'
fatal: could not read Username for 'https://github.com': No such device or address
2026/06/25 06:37:11 Failed git clone for project private (attempt 2/4): failed to git clone from https://github.com/vinokurig/private.git: exit status 128
2026/06/25 06:37:11 Retrying git clone for project private (attempt 3/4) after 2s
2026/06/25 06:37:13 Cloning project private to /projects/project-clone-1261159005/private
Cloning into '/projects/project-clone-1261159005/private'...
Error: passphrase file is missing in the '/etc/ssh/' directory
error: unable to read askpass response from '/.ssh-askpass/ssh-askpass.sh'
fatal: could not read Username for 'https://github.com': No such device or address
2026/06/25 06:37:14 Failed git clone for project private (attempt 3/4): failed to git clone from https://github.com/vinokurig/private.git: exit status 128
2026/06/25 06:37:14 Retrying git clone for project private (attempt 4/4) after 4s
2026/06/25 06:37:18 Cloning project private to /projects/project-clone-1261159005/private
Cloning into '/projects/project-clone-1261159005/private'...
Error: passphrase file is missing in the '/etc/ssh/' directory
error: unable to read askpass response from '/.ssh-askpass/ssh-askpass.sh'
fatal: could not read Username for 'https://github.com': No such device or address
2026/06/25 06:37:19 Encountered error while setting up project private: failed to clone project: failed to git clone from https://github.com/vinokurig/private.git: exit status 128

@openshift-ci

openshift-ci Bot commented Jun 25, 2026


[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: rohanKanojia, vinokurig
Once this PR has been reviewed and has the lgtm label, please assign dkwon17 for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci Bot removed the lgtm label Jun 25, 2026
@openshift-ci

openshift-ci Bot commented Jun 25, 2026


New changes are detected. LGTM label has been removed.

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@pkg/provision/workspace/ssh-askpass.sh`:
- Around line 3-8: The askpass guard in ssh-askpass.sh has broken shell syntax,
so fix the malformed case pattern in the prompt check and remove the stray
unmatched fi after esac. Update the case block around the existing
prompt-matching logic so it parses cleanly under /bin/sh, and keep the fallback
branch in the case statement exiting 0 for non-passphrase prompts.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 5b18987d-345e-4d4c-9f2a-fd0faed12bb1

📥 Commits

Reviewing files that changed from the base of the PR and between a31023f and 689b5c1.

📒 Files selected for processing (1)
  • pkg/provision/workspace/ssh-askpass.sh

Comment thread pkg/provision/workspace/ssh-askpass.sh Outdated
@vinokurig

Contributor Author

/ok-to-test

@openshift-ci

openshift-ci Bot commented Jun 25, 2026


@vinokurig: Cannot trigger testing until a trusted user reviews the PR and leaves an /ok-to-test message.

Details

In response to this:

/ok-to-test

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@coderabbitai coderabbitai Bot left a comment


♻️ Duplicate comments (1)
pkg/provision/workspace/ssh-askpass.sh (1)

3-4: 🩺 Stability & Availability | 🔴 Critical | ⚡ Quick win

Fix the malformed case pattern (script currently won’t parse).

At Line 4, the pattern escaping is invalid, which breaks parsing under /bin/sh and prevents the helper from running.

Minimal POSIX-safe fix
 case "$1" in
-  \"Enter passphrase for key \'*) ;;
+  "Enter passphrase for key '"*) ;;
   *) exit 0 ;;
 esac
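
Review bot: On the `*) exit 0 ;;` fallback, the script reports success with no output, so the caller receives an empty answer for every non-passphrase prompt instead of an askpass failure; add a comment on that branch recording that status 0 is intentional. The quoted pattern `"Enter passphrase for key '"*` also ties the guard to one exact prompt wording, so a comment naming the prompt it expects would help whoever has to adjust it later.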
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@pkg/provision/workspace/ssh-askpass.sh` around lines 3 - 4, The `case`
pattern in the `ssh-askpass.sh` script is malformed and causes `/bin/sh` parsing
to fail. Update the `case "$1" in` branch so the quoted passphrase prompt
pattern is written in valid POSIX shell syntax, keeping the matching behavior
intact. Use the `case` statement and its existing passphrase prompt branch as
the locator for the fix.

Source: Linters/SAST tools

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Duplicate comments:
In `@pkg/provision/workspace/ssh-askpass.sh`:
- Around line 3-4: The `case` pattern in the `ssh-askpass.sh` script is
malformed and causes `/bin/sh` parsing to fail. Update the `case "$1" in` branch
so the quoted passphrase prompt pattern is written in valid POSIX shell syntax,
keeping the matching behavior intact. Use the `case` statement and its existing
passphrase prompt branch as the locator for the fix.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: a9ca1eb2-b38f-4d56-86b8-9bc08701eb65

📥 Commits

Reviewing files that changed from the base of the PR and between 689b5c1 and 09069d1.

📒 Files selected for processing (1)
  • pkg/provision/workspace/ssh-askpass.sh

@vinokurig vinokurig marked this pull request as draft June 25, 2026 14:51
Add early exit for SSH prompts that aren't requesting passphrase input.
This prevents the askpass script from attempting to provide a passphrase
for other SSH prompts like host key verification.

Assisted-by: Claude Sonnet 4.5
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Signed-off-by: Ihor Vinokur <ivinokur@redhat.com>
@vinokurig vinokurig marked this pull request as ready for review June 25, 2026 15:17
@vinokurig

Contributor Author

/ok-to-test

@openshift-ci

openshift-ci Bot commented Jun 26, 2026


@vinokurig: Cannot trigger testing until a trusted user reviews the PR and leaves an /ok-to-test message.

Details

In response to this:

/ok-to-test

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@tolusha

tolusha commented Jun 26, 2026

Contributor

/che-ai-assistant ok-pr-readiness

Review is complete. Please check the review comments below.

@tolusha

tolusha commented Jun 26, 2026

Contributor

PR Readiness Assessment: PR #1658 — fix: handle non-passphrase SSH prompts in askpass script

Repository: devfile/devworkspace-operator
Linked Issue: eclipse-che/che#23874 — Investigate the ssh askpass error on https url workspace start


# | Criterion | Verdict | Notes
1 | Problem Statement | PASS | PR and linked issue clearly describe the bug: askpass script responds to all SSH prompts (including HTTPS username/password requests), causing "passphrase file is missing" errors when cloning via HTTPS.
2 | Reproduction Steps | PASS | Detailed reproduction provided: apply the DevWorkspace YAML with a private git repository, then check project-clone container logs for errors.
3 | Expected Behavior After Fix | PASS | Clear expectation: project-clone container logs should show no error messages when using HTTPS URLs.
4 | Scope of Changes | PASS | Single file modified (ssh-askpass.sh) with a focused 5-line change to filter prompts. Rationale is well-explained.
5 | Test Evidence | WARN | Manual testing procedure is documented, but no test results or logs have been posted yet showing the fix works. E2E tests are pending.
6 | Deployment & Verification Notes | PASS | Specific verification guidance provided: deploy a DevWorkspace with a private HTTPS repo and confirm no askpass errors in project-clone logs.

Overall: READY


Missing Information

  • Post manual testing results: Run the provided test case and share the project-clone container logs showing the fix works (no askpass errors for HTTPS repos).
  • E2E test results: Once /test v8-devworkspace-operator-e2e, v8-che-happy-path is run, confirm both test suites pass.

What's Good

  • Clear problem diagnosis: The PR and linked issue together provide excellent context on why the askpass script was being triggered inappropriately.
  • Minimal, surgical fix: The change is well-scoped — exactly 5 lines to add prompt filtering without touching other logic.
  • Actionable reproduction steps: The provided DevWorkspace YAML makes it easy for reviewers to reproduce and verify the fix.
  • Good inline documentation: The added comment explains why non-passphrase prompts are filtered out.
  • Linked issue: Proper traceability between the PR and the original bug report.
