diff --git a/src/applications/almanac/util/AlmanacKeys.php b/src/applications/almanac/util/AlmanacKeys.php
--- a/src/applications/almanac/util/AlmanacKeys.php
+++ b/src/applications/almanac/util/AlmanacKeys.php
@@ -48,4 +48,22 @@
     return $device;
   }
 
+  public static function getClusterSSHUser() {
+    // NOTE: When instancing, we currently use the SSH username to figure out
+    // which instance you are connecting to. We can't use the host name because
+    // we have no way to tell which host you think you're reaching: the SSH
+    // protocol does not have a mechanism like a "Host" header.
+    $username = PhabricatorEnv::getEnvConfig('cluster.instance');
+    if (strlen($username)) {
+      return $username;
+    }
+
+    $username = PhabricatorEnv::getEnvConfig('diffusion.ssh-user');
+    if (strlen($username)) {
+      return $username;
+    }
+
+    return null;
+  }
+
 }
diff --git a/src/applications/diffusion/ssh/DiffusionSSHWorkflow.php b/src/applications/diffusion/ssh/DiffusionSSHWorkflow.php
--- a/src/applications/diffusion/ssh/DiffusionSSHWorkflow.php
+++ b/src/applications/diffusion/ssh/DiffusionSSHWorkflow.php
@@ -62,15 +62,12 @@
   protected function getProxyCommand() {
     $uri = new PhutilURI($this->proxyURI);
 
-    $username = PhabricatorEnv::getEnvConfig('cluster.instance');
-    if (!strlen($username)) {
-      $username = PhabricatorEnv::getEnvConfig('diffusion.ssh-user');
-      if (!strlen($username)) {
-        throw new Exception(
-          pht(
-            'Unable to determine the username to connect with when trying '.
-            'to proxy an SSH request within the Phabricator cluster.'));
-      }
+    $username = AlmanacKeys::getClusterSSHUser();
+    if ($username === null) {
+      throw new Exception(
+        pht(
+          'Unable to determine the username to connect with when trying '.
+          'to proxy an SSH request within the Phabricator cluster.'));
     }
 
     $port = $uri->getPort();
diff --git a/src/applications/repository/storage/PhabricatorRepository.php b/src/applications/repository/storage/PhabricatorRepository.php
--- a/src/applications/repository/storage/PhabricatorRepository.php
+++ b/src/applications/repository/storage/PhabricatorRepository.php
@@ -1348,8 +1348,8 @@
       $uri->setPath($uri->getPath().$this->getCloneName().'/');
     }
 
-    $ssh_user = PhabricatorEnv::getEnvConfig('diffusion.ssh-user');
-    if ($ssh_user) {
+    $ssh_user = AlmanacKeys::getClusterSSHUser();
+    if ($ssh_user !== null) {
       $uri->setUser($ssh_user);
     }
 
@@ -2324,7 +2324,12 @@
           'refusing new writes.'));
     }
 
-    $max_version = $this->synchronizeWorkingCopyBeforeRead();
+    try {
+      $max_version = $this->synchronizeWorkingCopyBeforeRead();
+    } catch (Exception $ex) {
+      $write_lock->unlock();
+      throw $ex;
+    }
 
     PhabricatorRepositoryWorkingCopyVersion::willWrite(
       $repository_phid,
diff --git a/src/applications/repository/storage/PhabricatorRepositoryURI.php b/src/applications/repository/storage/PhabricatorRepositoryURI.php
--- a/src/applications/repository/storage/PhabricatorRepositoryURI.php
+++ b/src/applications/repository/storage/PhabricatorRepositoryURI.php
@@ -227,7 +227,7 @@
   private function getForcedUser() {
     switch ($this->getBuiltinProtocol()) {
       case self::BUILTIN_PROTOCOL_SSH:
-        return PhabricatorEnv::getEnvConfig('diffusion.ssh-user');
+        return AlmanacKeys::getClusterSSHUser();
       default:
         return null;
     }