fix: fail fast on ssh passphrase - instead of 60 second hang #910

Open: huntharo wants to merge 1 commit into vercel-labs:main from huntharo:codex/ssh-passphrase-fail-fast-main

@huntharo huntharo commented Apr 11, 2026

Summary

  • detect SSH clone aliases whose configured identity is passphrase-protected and not currently usable through the active SSH agent path
  • fail before the 60s clone timeout instead of leaving users on Cloning repository... with a generic private-repo timeout
  • add focused regression coverage for SSH alias parsing and passphrase dead-end detection
  • This is intended to go before fix: hand off tty for interactive ssh clone prompts #911
    • The second PR actually fixes the ability to prompt for the password

What Changed

This patch adds a lightweight SSH preflight in src/git.ts before git clone starts:

  • parse SSH clone URLs and host aliases
  • inspect ssh -G <host> to resolve IdentityFile and IdentitiesOnly
  • detect passphrase-protected private keys with ssh-keygen -y -P '' -f <identity>
  • probe whether the identity is already usable through the current agent path via ssh-add -T <identity>.pub
  • if the key is passphrase-protected and not agent-usable, surface a targeted GitCloneError immediately

This branch does not implement the interactive retry yet. It only removes the dead-end where a non-interactive SSH clone sits behind the spinner until the 60s timeout.

Verification

Automated:

  • pnpm test src/git.test.ts
  • pnpm format:check

Manual validation performed while developing this fix:

  • no-agent passphrase alias:
    • npx skills add --list git@github-passphrase-giphy:Giphy/giphy-codex-skills.git
    • current branch behavior: immediate targeted SSH/passphrase error instead of the old 60s timeout path
  • 1Password agent alias:
    • npx skills add --list git@github-1p-giphy:Giphy/giphy-codex-skills.git
    • agent-backed auth still works when the key is available through 1Password

Sanitized SSH config snippets used for repro:

Host github-passphrase-giphy
    HostName github.com
    User git
    IdentityFile ~/.ssh/id_rsa_github_passphrase_giphy
    IdentitiesOnly yes
Host github-1p-giphy
    HostName github.com
    User git
    IdentityAgent "~/Library/Group Containers/2BUA8C4S2C.com.1password/t/agent.sock"
    IdentityFile ~/.ssh/id_rsa_github_passphrase_giphy.pub
    IdentitiesOnly yes

SSH with Passphrase - No SSH Agent

Before - Hangs for 60 Seconds

After - SSH with Passphrase - Fast Fails (< 1 second)

Notes

  • GIT_TERMINAL_PROMPT=0 does not suppress SSH passphrase prompts; it only affects Git's own credential prompting
  • the follow-up stacked PR will handle the interactive TTY case by retrying without the spinner so native SSH prompts and Ctrl-C work normally

@huntharo changed the title from "fix: fail fast on ssh passphrase clone dead-ends" to "fix: fail fast on ssh passphrase - instead of 60 second hang" on Apr 12, 2026
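
Added example, not code from this pull request: the preflight decision described under "What Changed", written in TypeScript with the external commands injected through a hypothetical `run` callback. The function names, the `home` parameter, the fake runner and the sample `ssh -G` output are assumptions constructed for illustration.

```typescript
// Added illustration; every name here is hypothetical, not taken from src/git.ts.
type Run = (cmd: string, args: string[]) => { status: number; stdout: string };
// Host (or Host alias) of an scp-style or ssh:// clone URL, else null.
function parseSshHost(url: string): string | null {
  const m =
    /^ssh:\/\/(?:[^@\/]+@)?([^:\/]+)(?::\d+)?\//.exec(url) ??
    (url.includes("://") ? null : /^(?:[^@\/:]+@)?([^:\/]+):./.exec(url));
  const host = m?.[1];
  // A leading "-" would be parsed by ssh as an option, so refuse it.
  return host && !host.startsWith("-") ? host : null;
}

// Pull IdentityFile / IdentitiesOnly out of `ssh -G <host>` output.
function parseSshG(out: string): { identityFiles: string[]; identitiesOnly: boolean } {
  const cfg = { identityFiles: [] as string[], identitiesOnly: false };
  for (const line of out.split(/\r?\n/)) {
    const sp = line.indexOf(" ");
    if (sp <= 0) continue;
    const key = line.slice(0, sp).toLowerCase();
    const value = line.slice(sp + 1).trim();
    if (key === "identityfile") cfg.identityFiles.push(value);
    if (key === "identitiesonly") cfg.identitiesOnly = value === "yes";
  }
  return cfg;
}

// Returns the identity that would block on a passphrase prompt, or null.
function findPassphraseDeadEnd(url: string, home: string, run: Run): string | null {
  const host = parseSshHost(url);
  if (!host) return null;
  const cfg = parseSshG(run("ssh", ["-G", host]).stdout);
  // Assumption: without IdentitiesOnly, ssh may still offer other agent keys.
  if (!cfg.identitiesOnly) return null;
  for (const file of cfg.identityFiles) {
    const key = (file.startsWith("~/") ? home + file.slice(1) : file).replace(/\.pub$/, "");
    // Exit 0 from either probe means usable: unprotected key, or held by the agent.
    if (run("ssh-keygen", ["-y", "-P", "", "-f", key]).status === 0) return null;
    if (run("ssh-add", ["-T", key + ".pub"]).status === 0) return null;
  }
  return cfg.identityFiles[0] ?? null;
}

// Constructed `ssh -G` output for the github-passphrase-giphy alias above.
const SAMPLE_SSH_G = "hostname github.com\nuser git\nidentityfile ~/.ssh/id_rsa_github_passphrase_giphy\nidentitiesonly yes\n";
// Constructed runner: the key is locked; agentHasKey decides the ssh-add -T result.
const fakeRun = (agentHasKey: boolean): Run => (cmd) => ({
  status: cmd === "ssh" || (cmd === "ssh-add" && agentHasKey) ? 0 : 1,
  stdout: cmd === "ssh" ? SAMPLE_SSH_G : "",
});
```

A real `run` should spawn the command with an argument array and no shell. `ssh-add` talks to the socket in `SSH_AUTH_SOCK`, so an alias that sets `IdentityAgent` needs that socket exported for the probe.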