fix(ssh): handle encrypted key passphrase prompts when editing comments

alexkucherenko · alexkucherenko · commit cdc8b4f49116 · 2025-12-27T19:03:13.000+01:00
- Add TUI suspension for encrypted SSH keys to allow passphrase input
- Connect stdin/stdout/stderr to ssh-keygen command for interactive prompts
- Improve encryption detection by checking for "bcrypt" cipher indicator
- Propagate encryption and public key status when merging agent keys
- Update help text formatting in server details view
- Change warning icon for missing public keys
diff --git a/internal/adapters/ui/handlers.go b/internal/adapters/ui/handlers.go
@@ -1016,14 +1016,29 @@ func (t *tui) handleEditKeyComment() {
 	editor := NewEditKeyComment(t.app).
 		SetKey(key.Name, key.Path, key.Comment).
 		OnSave(func(newComment string) {
-			// Update the key comment using gitService
-			if err := t.gitService.UpdateKeyComment(key.Path, newComment); err != nil {
-				t.storeErrorf("[Edit SSH Key Comment] Failed to update comment for '%s': %v", key.Name, err)
-				t.showStatusTempColor(fmt.Sprintf("Failed to update comment: %v", err), "#FF6B6B")
-			} else {
-				t.showStatusTemp("SSH key comment updated successfully")
-				// Refresh the SSH keys list to show the updated comment
+			// For encrypted keys, suspend TUI to allow passphrase input
+			if key.IsEncrypted {
+				t.app.Suspend(func() {
+					if err := t.gitService.UpdateKeyComment(key.Path, newComment); err != nil {
+						fmt.Printf("\nFailed to update comment: %v\n", err)
+						fmt.Print("Press Enter to continue...")
+						var dummy string
+						_, _ = fmt.Scanln(&dummy)
+					}
+				})
+				// Refresh after suspend (back in main thread)
 				t.refreshSSHKeysList()
+				t.showStatusTemp("SSH key comment updated successfully")
+			} else {
+				// For unencrypted keys, update directly
+				if err := t.gitService.UpdateKeyComment(key.Path, newComment); err != nil {
+					t.storeErrorf("[Edit SSH Key Comment] Failed to update comment for '%s': %v", key.Name, err)
+					t.showStatusTempColor(fmt.Sprintf("Failed to update comment: %v", err), "#FF6B6B")
+				} else {
+					t.showStatusTemp("SSH key comment updated successfully")
+					// Refresh the SSH keys list to show the updated comment
+					t.refreshSSHKeysList()
+				}
 			}
 		}).
 		OnCancel(t.handleModalClose)
@@ -1072,11 +1087,23 @@ func (t *tui) handleEditServerKeyComment() {
 	editor := NewEditKeyComment(t.app).
 		SetKey(sshKey.Name, sshKey.Path, sshKey.Comment).
 		OnSave(func(newComment string) {
-			// Update the key comment using gitService
-			if err := t.gitService.UpdateKeyComment(sshKey.Path, newComment); err != nil {
-				t.storeErrorf("[Edit SSH Key Comment] Failed to update comment for '%s': %v", sshKey.Name, err)
-				t.showStatusTempColor(fmt.Sprintf("Failed to update comment: %v", err), "#FF6B6B")
-				return
+			// For encrypted keys, suspend TUI to allow passphrase input
+			if sshKey.IsEncrypted {
+				t.app.Suspend(func() {
+					if err := t.gitService.UpdateKeyComment(sshKey.Path, newComment); err != nil {
+						fmt.Printf("\nFailed to update comment: %v\n", err)
+						fmt.Print("Press Enter to continue...")
+						var dummy string
+						_, _ = fmt.Scanln(&dummy)
+					}
+				})
+			} else {
+				// For unencrypted keys, update directly
+				if err := t.gitService.UpdateKeyComment(sshKey.Path, newComment); err != nil {
+					t.storeErrorf("[Edit SSH Key Comment] Failed to update comment for '%s': %v", sshKey.Name, err)
+					t.showStatusTempColor(fmt.Sprintf("Failed to update comment: %v", err), "#FF6B6B")
+					return
+				}
 			}
 
 			// If the key was loaded in the agent, we need to unload and reload it
diff --git a/internal/adapters/ui/server_details.go b/internal/adapters/ui/server_details.go
@@ -297,7 +297,7 @@ func (sd *ServerDetails) UpdateServer(server domain.Server) {
 	}
 
 	// Commands list
-	text += "\n[::b]Commands:[-]\n  Enter: SSH connect\n  f: Port forward\n  x: Stop forwarding\n  c: Copy SSH command\n  g: Ping server\n  r: Refresh list\n  a: Add new server\n  e: Edit entry\n  t: Edit tags\n  d: Delete entry\n  p: Pin/Unpin"
+	text += "\n[::b]Commands:[-]\n  [yellow]Enter[-]: SSH connect\n  [yellow]f[-]: Port forward\n  [yellow]x[-]: Stop forwarding\n  [yellow]c[-]: Copy SSH command\n  [yellow]g[-]: Ping server\n  [yellow]r[-]: Refresh list\n  [yellow]a[-]: Add new server\n  [yellow]e[-]: Edit entry\n  [yellow]t[-]: Edit tags\n  [yellow]d[-]: Delete entry\n  [yellow]p[-]: Pin/Unpin"
 
 	sd.TextView.SetText(text)
 }
diff --git a/internal/adapters/ui/sshkeys_list.go b/internal/adapters/ui/sshkeys_list.go
@@ -118,7 +118,7 @@ func formatSSHKeyLine(key domain.SSHKey) string {
 		flags += "[yellow]🔒[-] "
 	}
 	if !key.HasPublicKey {
-		flags += "[red]⚠[-] "
+		flags += "[red]⛅[-] "
 	}
 
 	return fmt.Sprintf("%s %s%s [dim](%s)[-]", indicator, flags, key.Name, typeInfo)
diff --git a/internal/core/services/git_service.go b/internal/core/services/git_service.go
@@ -660,8 +660,11 @@ func (gs *gitService) parseKeyFile(path string, agentKeys map[string]agentKeyInf
 		default:
 			key.Type = keyTypeRSA // Default assumption
 		}
+		// Check for encryption by looking for bcrypt cipher indicator
+		// Modern OpenSSH keys use "bcrypt" for encryption (base64: YmNyeXB0)
+		// Old PEM format uses "Proc-Type: 4,ENCRYPTED"
 		key.IsEncrypted = strings.Contains(contentStr, "Proc-Type: 4,ENCRYPTED") ||
-			!strings.Contains(contentStr, "-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXktdjEAAAAA")
+			strings.Contains(contentStr, "YmNyeXB0") // bcrypt cipher indicator
 	case strings.Contains(contentStr, "DSA PRIVATE KEY"):
 		key.Type = keyTypeDSA
 		key.IsEncrypted = strings.Contains(contentStr, "ENCRYPTED")
@@ -971,6 +974,14 @@ func (gs *gitService) mergeAgentKeysWithFilesystem(keys []domain.SSHKey) []domai
 		if keys[i].Size == 0 && fsKey.Size > 0 {
 			keys[i].Size = fsKey.Size
 		}
+		// Copy HasPublicKey from filesystem key
+		if fsKey.HasPublicKey {
+			keys[i].HasPublicKey = true
+		}
+		// Copy IsEncrypted from filesystem key
+		if fsKey.IsEncrypted {
+			keys[i].IsEncrypted = true
+		}
 	}
 
 	return keys
@@ -1095,7 +1106,10 @@ func (gs *gitService) UpdateKeyComment(keyPath, comment string) error {
 	// Use ssh-keygen to update the comment
 	// #nosec G204 -- keyPath and comment are validated inputs
 	cmd := exec.Command("ssh-keygen", "-c", "-C", comment, "-f", keyPath)
-	// Discard output - the command prints to stdout/stderr but we only care about success/failure
+	// Connect stdin/stdout/stderr for interactive passphrase prompt (for encrypted keys)
+	cmd.Stdin = os.Stdin
+	cmd.Stdout = os.Stdout
+	cmd.Stderr = os.Stderr
 	if err := cmd.Run(); err != nil {
 		// Restore original permissions on error
 		if privateReadonly {

Original file line number	Diff line number	Diff line change
`@@ -297,7 +297,7 @@ func (sd *ServerDetails) UpdateServer(server domain.Server) {`
`297`	`297`	`}`
`298`	`298`
`299`	`299`	`// Commands list`
`300`		`- text += "\n[::b]Commands:[-]\n Enter: SSH connect\n f: Port forward\n x: Stop forwarding\n c: Copy SSH command\n g: Ping server\n r: Refresh list\n a: Add new server\n e: Edit entry\n t: Edit tags\n d: Delete entry\n p: Pin/Unpin"`
	`300`	`+ text += "\n[::b]Commands:[-]\n [yellow]Enter[-]: SSH connect\n [yellow]f[-]: Port forward\n [yellow]x[-]: Stop forwarding\n [yellow]c[-]: Copy SSH command\n [yellow]g[-]: Ping server\n [yellow]r[-]: Refresh list\n [yellow]a[-]: Add new server\n [yellow]e[-]: Edit entry\n [yellow]t[-]: Edit tags\n [yellow]d[-]: Delete entry\n [yellow]p[-]: Pin/Unpin"`
`301`	`301`
`302`	`302`	`sd.TextView.SetText(text)`
`303`	`303`	`}`
Original file line number	Diff line number	Diff line change
`@@ -118,7 +118,7 @@ func formatSSHKeyLine(key domain.SSHKey) string {`
`118`	`118`	`flags += "[yellow]🔒[-] "`
`119`	`119`	`}`
`120`	`120`	`if !key.HasPublicKey {`
`121`		`- flags += "[red]⚠[-] "`
	`121`	`+ flags += "[red]⛅[-] "`
`122`	`122`	`}`
`123`	`123`
`124`	`124`	`return fmt.Sprintf("%s %s%s [dim](%s)[-]", indicator, flags, key.Name, typeInfo)`