I have been unable to get CliGitAPIImpl to work with a private key with passphrase on a Linux slave to connect to a nonpublic Git repository. (Selecting the option to load from the default location, ~/.ssh/id_dsa.) I always get
Permission denied (publickey).
I verified that GIT_SSH and SSH_ASKPASS are being set and that the files they point to have the expected contents (by patching the plugin to not delete these files in its finally block). Indeed when I log in to the slave, set these variables to the same files, and run git clone <repo>, it works fine.
If I set the job to use JGit rather than CLI git, it also works fine, so I do not think I am just using the wrong credentials.
I also tested with a private key (specific file on master) with no passphrase. This worked fine (with both JGit and CLI).
I thought one explanation was that ssh thought it was running from a terminal (even though it should not be) and so ignored SSH_ASKPASS. Indeed to interactively verify the GIT_SSH / SSH_ASKPASS combination you have to prefix the git command with setsid if you want the passphrase script to be consulted. But I see the same problem even when I patch the plugin to prefix all git commands with setsid.
So https://github.com/jenkinsci/git-client-plugin/commit/4b4d59d29894ac6eccab969561d2df5207a88f60 is not working for me, for unknown reasons. Whether or not it is working for others, I would suggest a simplifying change to CliGitAPIImpl: rather than relying on SSH_ASKPASS, decrypt the private key in Java code (I think there is code for this in one of the libraries available to this plugin) and save that to the keyfile.
Note that GitPluginTest in acceptance-test-harness does not seem to test passphrases. (Nor does it test private keys that are not entered directly but loaded from a file on master, another important use case.)