https://bugs.kde.org/show_bug.cgi?id=506243
Bug ID: 506243
Summary: gpg-agent should not be used in place of ssh-agent,
possibly breaks users' security expectations
Classification: KDE Neon
Product: neon
Version First Reported In: unspecified
Platform: Neon
OS: Linux
Status: REPORTED
Severity: normal
Priority: NOR
Component: general
Assignee: [email protected]
Reporter: [email protected]
CC: [email protected], [email protected],
[email protected]
Target Milestone: ---
SUMMARY
KDE Neon installs with gpg-agent configured to also act as the ssh-agent. This
causes unexpected behaviors that can cause security concerns for users. The
gpg-agent will accept ssh keys like any ssh-agent, but it refuses to remove
them when asked, even though it will claim it did.
STEPS TO REPRODUCE
1. Create ssh key: "ssh-keygen" and accept the defaults
2. Add the key to the ssh-agent: "ssh-add ~/.ssh/id_ed25519"
3. Verify key was added: ssh-add -l
4. Remove the key from the ssh-agent (you will see it say "all identities
removed"): ssh-add -D
5. Check again and see that the key was not in fact removed: ssh-add -l
6. Try to remove the key from the system completely: rm ~/.ssh/id_ed25519*
7. Reboot
8. Verify the key file is gone: ls ~/.ssh
9. Verify the key is STILL in ssh-agent: ssh-add -l
OBSERVED RESULT
When ssh-add -D is run to remove all keys, the user is told that the keys were
removed, but the ssh-keys were not removed.
EXPECTED RESULT
When the ssh-agent says it has removed an ssh key, I expect that to be the
truth.
SOFTWARE/OS VERSIONS
Operating System: KDE neon User Edition
KDE Plasma Version: 6.4.1
KDE Frameworks Version: 6.15.0
Qt Version: 6.9.0
Kernel Version: 6.11.0-25-generic (64-bit)
Graphics Platform: Wayland
Processors: 12 × Intel® Core™ i7-10750H CPU @ 2.60GHz
Memory: 32 GiB of RAM (31.0 GiB usable)
Graphics Processor 1: Intel® UHD Graphics
Graphics Processor 2: NVIDIA GeForce GTX 1650 Ti
ADDITIONAL INFORMATION
This has been reported as a bug to the gpg-agent developers who have closed the
bug, seemingly refusing to fix the issue ( https://dev.gnupg.org/T3284 ). I
think this makes gpg-agent an unacceptable substitute for ssh-agent. Consider
this use case that is broken by gpg-agent. Lots of password managers
(KeePass/KeePassXC for example) allow ssh keys to be stored in the password
manager. When the password database is unlocked, the keys are added to the
ssh-agent, and then when the database is closed the keys are removed. The
gpg-agent acting as an ssh-agent breaks this by claiming that it has removed
the keys when asked, even though it did not.
I want to be clear, I am not saying that this is a security vulnerability. It
is just an unexpected behavior in a security-significant context.
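The following audit script is an added example, not part of the original bug report: it checks whether SSH_AUTH_SOCK is served by gpg-agent and lists the keys gpg-agent has on record in its sshcontrol file, which can then be compared against "ssh-add -l" after "ssh-add -D". The function names are hypothetical, and it assumes the sshcontrol format documented in gpg-agent(1) and the default ~/.gnupg location unless GNUPGHOME is set; it reads only sshcontrol, so keys offered by any other means are not listed.

```shell
#!/bin/sh
# Added example (not from the bug report). Function names are hypothetical.

# Succeeds if the socket path is gpg-agent's ssh-agent emulation socket.
is_gpg_agent_socket() {
    [ -n "$1" ] || return 1
    [ "${1##*/}" = "S.gpg-agent.ssh" ] && return 0
    command -v gpgconf >/dev/null 2>&1 || return 1
    [ "$1" = "$(gpgconf --list-dirs agent-ssh-socket 2>/dev/null)" ]
}

# Prints the enabled keygrips from an sshcontrol file, one per line.
# Entry format per gpg-agent(1): 40 hex digits, optional TTL, optional flags.
# Lines starting with '#' are comments; a leading '!' disables the entry.
persistent_keygrips() {
    [ -r "$1" ] || return 0
    awk '$1 ~ /^[0-9A-Fa-f]+$/ && length($1) == 40 { print toupper($1) }' "$1"
}

# Reports which agent owns the socket and which keys gpg-agent has on record.
audit_ssh_agent() {
    sock=$1
    control=$2
    if is_gpg_agent_socket "$sock"; then
        echo "gpg-agent is answering on SSH_AUTH_SOCK ($sock)"
    else
        echo "SSH_AUTH_SOCK is not gpg-agent's socket (${sock:-unset})"
    fi
    grips=$(persistent_keygrips "$control")
    if [ -z "$grips" ]; then
        echo "no enabled entries in $control"
        return 0
    fi
    echo "keys on record in $control (compare with 'ssh-add -l' after 'ssh-add -D'):"
    for grip in $grips; do
        echo "  keygrip $grip"
    done
    return 0
}

# Audit the current session.
audit_ssh_agent "${SSH_AUTH_SOCK:-}" "${GNUPGHOME:-${HOME:-}/.gnupg}/sshcontrol"
```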