fix: handle non-passphrase SSH prompts in askpass script #1658

Open
vinokurig wants to merge 1 commit into devfile:main from vinokurig:che-23874

@vinokurig vinokurig commented Jun 24, 2026

Contributor

What does this PR do?

Add early exit for SSH prompts that aren't requesting passphrase input. This prevents the askpass script from attempting to provide a passphrase for other SSH prompts like host key verification.

What issues does this PR fix or reference?

fixes eclipse-che/che#23874

Is it tested? How?

  1. Apply a DevWorkspace with a private git repository e.g.
apiVersion: workspace.devfile.io/v1alpha2
kind: DevWorkspace
metadata:
  name: private
spec:
  started: true
  template:
    components:
      - container:
          env:
            - name: HOST_USERS
              value: 'true'
          image: 'quay.io/devfile/universal-developer-image:ubi9-latest'
          sourceMapping: /projects
        name: universal-developer-image
    projects:
      - git:
          remotes:
            origin: 'https://github.com/vinokurig/private.git'
        name: private
  2. Check the project-clone container logs and see no error messages.

PR Checklist

  • E2E tests pass (when PR is ready, comment /test v8-devworkspace-operator-e2e, v8-che-happy-path to trigger)
    • v8-devworkspace-operator-e2e: DevWorkspace e2e test
    • v8-che-happy-path: Happy path for verification integration with Che

Summary by CodeRabbit

  • Bug Fixes
    • Improved SSH askpass handling to respond only to key passphrase prompts.
    • Non-passphrase prompts (e.g., username/password requests) are now ignored to prevent incorrect answers.

openshift-ci Bot commented Jun 24, 2026

Hi @vinokurig. Thanks for your PR.

I'm waiting for a devfile member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Tip

We noticed you've done this a few times! Consider joining the org to skip this step and gain /lgtm and other bot rights. We recommend asking approvers on your previous PRs to sponsor you.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

coderabbitai Bot commented Jun 24, 2026

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 8f7224a1-70e7-4266-82e3-c53f6a8b6c23

📥 Commits

Reviewing files that changed from the base of the PR and between 689b5c1 and 0b18cda.

📒 Files selected for processing (1)
  • pkg/provision/workspace/ssh-askpass.sh

Walkthrough

ssh-askpass.sh now checks its first prompt argument and only handles Enter passphrase for key ... requests. Other prompt types exit immediately with status 0.

Changes

ssh-askpass prompt filtering

Layer / File(s): Prompt-type guard (pkg/provision/workspace/ssh-askpass.sh)
Summary: Adds a conditional check on the first argument; non-matching prompts exit silently with status 0, so the helper does not respond to HTTPS credential prompts.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~5 minutes

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name | Status | Explanation
Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled.
Title check | ✅ Passed | The title clearly describes the main fix in the askpass script for non-passphrase SSH prompts.
Linked Issues check | ✅ Passed | The change matches #23874 by preventing ssh askpass from handling HTTPS/non-passphrase prompts and removing the startup error path.
Out of Scope Changes check | ✅ Passed | The PR is scoped to the askpass script and contains no apparent unrelated changes.
Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

tolusha commented Jun 24, 2026

Contributor

Hi! I'm che-ai-assistant — I help with your pull requests.

Available commands:

  • /che-ai-assistant generate-che-doc — Generate a documentation PR based on this PR's changes
  • /che-ai-assistant ok-pr-review — Run a comprehensive PR review (summary, code review, deep review, impact analysis)
  • /che-ai-assistant help — Show this help message

rohanKanojia commented Jun 24, 2026

Member

/che-ai-assistant ok-pr-review

Review is complete. Please check the review comments below.

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@pkg/provision/workspace/ssh-askpass.sh`:
- Around line 3-5: The askpass guard in ssh-askpass.sh is using a bash-only
conditional even though the script is declared with a POSIX shell shebang.
Update the prompt check in the top-level guard to use POSIX-compatible syntax
such as a case statement, and keep the behavior in the script’s early-exit path
the same so only prompts matching the passphrase prefix continue while all other
prompts exit cleanly.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 340019fc-3154-459d-b6e7-ea31c75e11ea

📥 Commits

Reviewing files that changed from the base of the PR and between af782ad and a31023f.

📒 Files selected for processing (1)
  • pkg/provision/workspace/ssh-askpass.sh

Comment thread pkg/provision/workspace/ssh-askpass.sh Outdated

@tolusha tolusha left a comment

Contributor

Comprehensive Review Summary

I've completed a multi-stage review (summary, standard, deep, and impact analysis) of this PR. Here's the consolidated feedback:

Critical Issue - Must Fix Before Merge

POSIX Shell Compatibility (line 3): The script declares #!/bin/sh but uses [[ ]] syntax, which is bash-specific. On workspace containers using Alpine, BusyBox, or other images where /bin/sh is dash/ash, this will produce a syntax error and break all SSH operations.

Fix: Replace with POSIX case statement:

case "$1" in
  "Enter passphrase for key '"*) ;;
  *) exit 0 ;;
esac

This issue was also flagged by CodeRabbit/ShellCheck SC3010.

Suggestions (Non-Blocking)

  1. Add test coverage: Consider adding a Go test to validate the embedded script is valid POSIX shell (sh -n syntax check)
  2. Observability: The new guard exits silently for non-passphrase prompts. Consider adding optional debug logging (e.g., echo "DEBUG: ignoring non-passphrase prompt: $1" >&2 behind an env var) to aid production debugging
  3. Shell best practices: While not introduced by this PR, consider quoting $PASSPHRASE_FILE_PATH in the existing file check to follow POSIX best practices

Does This PR Solve the Issue?

Yes - This correctly fixes eclipse-che/che#23874 by preventing the askpass script from responding to HTTPS credential prompts with misleading SSH passphrase errors.

Positive Feedback

  • ✅ Minimal, well-scoped fix
  • ✅ Clear comment explaining the intent
  • ✅ PR description includes reproduction steps and links to upstream issue
  • ✅ Pattern match is specific enough to avoid false positives

Review Verdict

🔄 Request Changes - The POSIX shell compatibility issue must be fixed (straightforward case statement replacement). Everything else looks good.


Review generated by Claude Code with ok-pr-review skills: /ok-pr-review:learn-repo, /ok-pr-review:summary, /ok-pr-review:review, /ok-pr-review:deep-review, /ok-pr-review:impact
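
The guard and the two checks suggested in this review (POSIX `case`, an `sh -n` parse check, optional debug output), as an added example that is not the project's ssh-askpass.sh. The function names, the `ASKPASS_DEBUG` variable and the sample prompts are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not the project's ssh-askpass.sh. Function names and the
# ASKPASS_DEBUG variable are hypothetical; sample prompts are constructed.

# POSIX guard: succeed only for an SSH key passphrase prompt.
is_passphrase_prompt() {
  case "$1" in
    "Enter passphrase for key '"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Print "answer" or "ignore" for a prompt; trace ignored prompts to stderr
# only when ASKPASS_DEBUG is set (the prompt text only, never a secret).
askpass_decision() {
  if is_passphrase_prompt "$1"; then
    echo answer
    return 0
  fi
  if [ -n "${ASKPASS_DEBUG:-}" ]; then
    echo "DEBUG: ignoring non-passphrase prompt: $1" >&2
  fi
  echo ignore
}

# Guard text as suggested in the review (parses under POSIX sh).
good_guard() {
cat <<'EOF'
case "$1" in
  "Enter passphrase for key '"*) ;;
  *) exit 0 ;;
esac
EOF
}

# Guard text quoted in the later review comment (unclosed quote, stray fi).
broken_guard() {
cat <<'EOF'
case "$1" in
"Enter passphrase for key ''*) ;;
*) exit 0 ;;
esac
exit 0
fi
EOF
}

# Parse-only check of script text on stdin, as a CI test could run it.
parses_under_sh() {
  sh -n 2>/dev/null
}

# Demo over constructed prompts.
for p in "Enter passphrase for key '/etc/ssh/id_example': " \
         "Username for 'https://github.com': " \
         "Password for 'https://user@github.com': "; do
  printf '%-8s %s\n' "$(askpass_decision "$p")" "$p"
done
```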

Comment thread pkg/provision/workspace/ssh-askpass.sh Outdated
@rohanKanojia

Member

I tested the PR with the above-mentioned steps and can confirm it's working as expected:

project-clone logs with fix (askpass no longer interferes):

Logs for container: project-clone
2026/06/25 06:24:49 Using temporary directory /projects/project-clone-3314971623
2026/06/25 06:24:49 Read DevWorkspace at /devworkspace-metadata/flattened.devworkspace.yaml
2026/06/25 06:24:49 Processing project private
2026/06/25 06:24:49 Cloning project private to /projects/project-clone-3314971623/private
Cloning into '/projects/project-clone-3314971623/private'...
remote: Repository not found.
fatal: Authentication failed for 'https://github.com/vinokurig/private.git/'
2026/06/25 06:24:50 Failed git clone for project private (attempt 1/4): failed to git clone from https://github.com/vinokurig/private.git: exit status 128
2026/06/25 06:24:50 Retrying git clone for project private (attempt 2/4) after 1s
2026/06/25 06:24:51 Cloning project private to /projects/project-clone-3314971623/private
Cloning into '/projects/project-clone-3314971623/private'...
remote: Repository not found.
fatal: Authentication failed for 'https://github.com/vinokurig/private.git/'
2026/06/25 06:24:52 Failed git clone for project private (attempt 2/4): failed to git clone from https://github.com/vinokurig/private.git: exit status 128
2026/06/25 06:24:52 Retrying git clone for project private (attempt 3/4) after 2s
2026/06/25 06:24:54 Cloning project private to /projects/project-clone-3314971623/private
Cloning into '/projects/project-clone-3314971623/private'...
remote: Repository not found.
fatal: Authentication failed for 'https://github.com/vinokurig/private.git/'
2026/06/25 06:24:54 Failed git clone for project private (attempt 3/4): failed to git clone from https://github.com/vinokurig/private.git: exit status 128
2026/06/25 06:24:54 Retrying git clone for project private (attempt 4/4) after 4s
2026/06/25 06:24:58 Cloning project private to /projects/project-clone-3314971623/private
Cloning into '/projects/project-clone-3314971623/private'...
remote: Repository not found.
fatal: Authentication failed for 'https://github.com/vinokurig/private.git/'
2026/06/25 06:24:59 Encountered error while setting up project private: failed to clone project: failed to git clone from https://github.com/vinokurig/private.git: exit status 128

project-clone logs without fix (HTTPS clone triggers askpass errors):

🔹 Logs for container: project-clone
2026/06/25 06:37:09 Using temporary directory /projects/project-clone-1261159005
2026/06/25 06:37:09 Read DevWorkspace at /devworkspace-metadata/flattened.devworkspace.yaml
2026/06/25 06:37:09 Processing project private
2026/06/25 06:37:09 Cloning project private to /projects/project-clone-1261159005/private
Cloning into '/projects/project-clone-1261159005/private'...
Error: passphrase file is missing in the '/etc/ssh/' directory
error: unable to read askpass response from '/.ssh-askpass/ssh-askpass.sh'
fatal: could not read Username for 'https://github.com': No such device or address
2026/06/25 06:37:10 Failed git clone for project private (attempt 1/4): failed to git clone from https://github.com/vinokurig/private.git: exit status 128
2026/06/25 06:37:10 Retrying git clone for project private (attempt 2/4) after 1s
2026/06/25 06:37:11 Cloning project private to /projects/project-clone-1261159005/private
Cloning into '/projects/project-clone-1261159005/private'...
Error: passphrase file is missing in the '/etc/ssh/' directory
error: unable to read askpass response from '/.ssh-askpass/ssh-askpass.sh'
fatal: could not read Username for 'https://github.com': No such device or address
2026/06/25 06:37:11 Failed git clone for project private (attempt 2/4): failed to git clone from https://github.com/vinokurig/private.git: exit status 128
2026/06/25 06:37:11 Retrying git clone for project private (attempt 3/4) after 2s
2026/06/25 06:37:13 Cloning project private to /projects/project-clone-1261159005/private
Cloning into '/projects/project-clone-1261159005/private'...
Error: passphrase file is missing in the '/etc/ssh/' directory
error: unable to read askpass response from '/.ssh-askpass/ssh-askpass.sh'
fatal: could not read Username for 'https://github.com': No such device or address
2026/06/25 06:37:14 Failed git clone for project private (attempt 3/4): failed to git clone from https://github.com/vinokurig/private.git: exit status 128
2026/06/25 06:37:14 Retrying git clone for project private (attempt 4/4) after 4s
2026/06/25 06:37:18 Cloning project private to /projects/project-clone-1261159005/private
Cloning into '/projects/project-clone-1261159005/private'...
Error: passphrase file is missing in the '/etc/ssh/' directory
error: unable to read askpass response from '/.ssh-askpass/ssh-askpass.sh'
fatal: could not read Username for 'https://github.com': No such device or address
2026/06/25 06:37:19 Encountered error while setting up project private: failed to clone project: failed to git clone from https://github.com/vinokurig/private.git: exit status 128

openshift-ci Bot commented Jun 25, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: rohanKanojia, vinokurig
Once this PR has been reviewed and has the lgtm label, please assign dkwon17 for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci Bot removed the lgtm label Jun 25, 2026
openshift-ci Bot commented Jun 25, 2026

New changes are detected. LGTM label has been removed.

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@pkg/provision/workspace/ssh-askpass.sh`:
- Around line 3-8: The askpass guard in ssh-askpass.sh has broken shell syntax,
so fix the malformed case pattern in the prompt check and remove the stray
unmatched fi after esac. Update the case block around the existing
prompt-matching logic so it parses cleanly under /bin/sh, and keep the fallback
branch in the case statement exiting 0 for non-passphrase prompts.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 5b18987d-345e-4d4c-9f2a-fd0faed12bb1

📥 Commits

Reviewing files that changed from the base of the PR and between a31023f and 689b5c1.

📒 Files selected for processing (1)
  • pkg/provision/workspace/ssh-askpass.sh

Comment on lines +3 to +8
case "$1" in
"Enter passphrase for key ''*) ;;
*) exit 0 ;;
esac
exit 0
fi
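
Review bot: the `exit 0` on the line after `esac` runs for every prompt, including one that matched the passphrase pattern, so it needs to be removed together with the stray `fi`; otherwise the script exits before it can answer a passphrase prompt. The pattern on the second line also opens a double quote that is never closed (`''*)`); it should read `"Enter passphrase for key '"*) ;;` so the quote closes before the `*` wildcard. Running `sh -n` on the script before pushing would catch the parse errors.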

🩺 Stability & Availability | 🔴 Critical | ⚡ Quick win

Syntax is broken in the prompt guard and prevents the script from running.

At Line 4, the case item pattern is malformed, and at Line 8 there is an unmatched fi after esac. This makes the script fail to parse under /bin/sh, so the askpass helper won’t work at all. Please correct the case pattern and remove the stale fi/extra branch residue so non-passphrase prompts still exit cleanly.

🧰 Tools
🪛 Shellcheck (0.11.0)

[info] 3-3: The mentioned syntax error was in this case expression.

(SC1009)


[error] 4-4: Couldn't parse this case item. Fix to allow more checks.

(SC1073)

Source: Linters/SAST tools

Add early exit for SSH prompts that aren't requesting passphrase input.
This prevents the askpass script from attempting to provide a passphrase
for other SSH prompts like host key verification.

Assisted-by: Claude Sonnet 4.5
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Signed-off-by: Ihor Vinokur <ivinokur@redhat.com>

Development

Successfully merging this pull request may close these issues.

Investigate the ssh askpass error on https url workspace start
