[Bug 505278] Re: ssh-add -D deleting all identities does not work. Also, why are all identities auto-added?
This isn't a bug, it's a feature. Read the gnome-keyring website carefully, https://wiki.gnome.org/Projects/GnomeKeyring/Ssh [quote] This assumes some familiarity with the ssh-add command. See its man page for more info. You can use ssh-add to manually add keys for use in the SSH agent. These will be in addition to the automatically loaded keys. The ssh-add -D will remove any keys you've added manually. The ssh-add -D will lock any automatically loaded keys. ssh-add -l and ssh-add -L will always list automatically loaded keys. [/quote] This is exactly what happens in 14.04; automatically loaded keys get locked, manually added keys get removed from the agent. Automatically loaded keys are: [quote] The SSH agent automatically loads files in ~/.ssh which have corresponding *.pub paired files. Additional SSH keys can be manually loaded and managed via the ssh-add command. [/quote] On a side note, it seems 14.04 also starts the openssh 'ssh-agent' automatically, so effectively running two agents by default (is this intentional?). Ssh-agent stores its socket in /tmp. Try something like: SSH_AUTH_SOCK=/tmp/ssh-ABCDEF123456/agent.12345 ssh-add -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to openssh in Ubuntu. https://bugs.launchpad.net/bugs/505278 Title: ssh-add -D deleting all identities does not work. Also, why are all identities auto-added? To manage notifications about this bug go to: https://bugs.launchpad.net/gnome-keyring/+bug/505278/+subscriptions -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 505278] Re: ssh-add -D deleting all identities does not work. Also, why are all identities auto-added?
For those that are winding up at this bug report from searches looking to resolve the problem - regardless of platform, here's a quick fix: * Move the keys out of ~/.ssh * gnome-keyring-daemon -r -d It's certainly not an actual fix, but will at least resolve the immediate annoyance. More info here: https://wiki.archlinux.org/index.php/GNOME_Keyring -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to openssh in Ubuntu. https://bugs.launchpad.net/bugs/505278 Title: ssh-add -D deleting all identities does not work. Also, why are all identities auto-added? To manage notifications about this bug go to: https://bugs.launchpad.net/gnome-keyring/+bug/505278/+subscriptions -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 505278] Re: ssh-add -D deleting all identities does not work. Also, why are all identities auto-added?
Confirmed on 14.04.1. I'm irritated that security related bugs can have low priority. -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to openssh in Ubuntu. https://bugs.launchpad.net/bugs/505278 Title: ssh-add -D deleting all identities does not work. Also, why are all identities auto-added? To manage notifications about this bug go to: https://bugs.launchpad.net/gnome-keyring/+bug/505278/+subscriptions -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 505278] Re: ssh-add -D deleting all identities does not work. Also, why are all identities auto-added?
Confirmed in 14.04.4 -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to openssh in Ubuntu. https://bugs.launchpad.net/bugs/505278 Title: ssh-add -D deleting all identities does not work. Also, why are all identities auto-added? To manage notifications about this bug go to: https://bugs.launchpad.net/gnome-keyring/+bug/505278/+subscriptions -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 505278] Re: ssh-add -D deleting all identities does not work. Also, why are all identities auto-added?
Derek, what is 14.04.4? 12.04.4 or 14.04.1? Thanks -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to openssh in Ubuntu. https://bugs.launchpad.net/bugs/505278 Title: ssh-add -D deleting all identities does not work. Also, why are all identities auto-added? To manage notifications about this bug go to: https://bugs.launchpad.net/gnome-keyring/+bug/505278/+subscriptions -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 505278] Re: ssh-add -D deleting all identities does not work. Also, why are all identities auto-added?
Confirmed in 12.04 LTS. It's awful to see that this has been around since January 2010. -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to openssh in Ubuntu. https://bugs.launchpad.net/bugs/505278 Title: ssh-add -D deleting all identities does not work. Also, why are all identities auto-added? To manage notifications about this bug go to: https://bugs.launchpad.net/gnome-keyring/+bug/505278/+subscriptions -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 505278] Re: ssh-add -D deleting all identities does not work. Also, why are all identities auto-added?
What is returned by `ssh-add -l' is a list of keys which have corresponding .pub files. I tried to connect to server H with some key K, and gave my password to a graphical ssh-askpass. Then it was possible to connect again without a password, as intended. After `ssh-add -d K', key K still appears in the list returned by ssh-add -l. But if I try to ssh again into H, ssh-askpass pops up. So in this test, it seems that after `ssh-add -d K' the private key material is not accessible anymore, which is what we want. (This behavior may have been different when this bug was opened). -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to openssh in Ubuntu. https://bugs.launchpad.net/bugs/505278 Title: ssh-add -D deleting all identities does not work. Also, why are all identities auto-added? To manage notifications about this bug go to: https://bugs.launchpad.net/gnome-keyring/+bug/505278/+subscriptions -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 505278] Re: ssh-add -D deleting all identities does not work. Also, why are all identities auto-added?
Has this bug been fixed in gpg-keyring-daemon? Neither solution proposed is workable for me. Leaving Gnome Keyring running hits the error of too many authentication attempts. Disabling the Gnome Keyring SSH Agent disables ssh-agent on Ubuntu login (10.04 64-bit AMD) - 'ps' shows no agent running. It seems an important feature to be able to disable automatic loading of all keys in .ssh for users like myself who have multiple keys stored for different binaries/processes. -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to openssh in Ubuntu. https://bugs.launchpad.net/bugs/505278 Title: ssh-add -D deleting all identities does not work. Also, why are all identities auto-added? To manage notifications about this bug go to: https://bugs.launchpad.net/gnome-keyring/+bug/505278/+subscriptions -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 505278] Re: ssh-add -D deleting all identities does not work. Also, why are all identities auto-added?
The culprit is gpg-keyring-daemon. It subverts the normal operation of ssh-agent, mostly just so that it can pop up a pretty box into which you can type the passphrase for an encrypted ssh key. And it paws through your .ssh directory, and automatically adds any keys it finds to your agent. And it won't let you delete those keys. How do we hate this? Let's not count the ways -- life's too short. The failure is compounded because newer ssh clients automatically try all the keys in your ssh-agent when connecting to a host. If there are too many, the server will reject the connection. And since gnome- keyring-daemon has decided for itself how many keys you want your ssh- agent to have, and has autoloaded them, AND WON'T LET YOU DELETE THEM, you're toast. What you really want to do is to turn off gpg-keyring-daemon altogether. Go to System -- Preferences -- Startup Applications, and unselect the SSH Key Agent (Gnome Keyring SSH Agent) box -- you'll need to scroll down to find it. You'll still get an ssh-agent, only now it will behave sanely: no keys autoloaded, you run ssh-add to add them, and if you want to delete keys, you can. Imagine that. -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to openssh in Ubuntu. https://bugs.launchpad.net/bugs/505278 Title: ssh-add -D deleting all identities does not work. Also, why are all identities auto-added? -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 505278] Re: ssh-add -D deleting all identities does not work. Also, why are all identities auto-added?
This bug looks like medium priority since it can totally block some ssh connections in following way: user with many keys connects to some server(s) and all his keys are cached. When he tries to ssh to another server, or filezilla sftp into it, or sshfs, or many other pubkey usecases, then often first all the keys will be tried, often resulting in server disconnecting (instead of tyring the correct key or instead of using the given plain password). In example Firezilla appears to first try all pubkeys of the user that started firezilla and that are in the agent (as seen on debug on server-side) instead of first using the given plain password. Then ssh-agent -D does not help to resolve the problem. -- ssh-add -D deleting all identities does not work. Also, why are all identities auto-added? https://bugs.launchpad.net/bugs/505278 You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to openssh in ubuntu. -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 505278] Re: ssh-add -D deleting all identities does not work. Also, why are all identities auto-added?
The issue is an upstream one and it would be nice if somebody having it could send the bug the to the people writting the software (https://wiki.ubuntu.com/Bugs/Upstream/GNOME) ** Also affects: gnome-keyring Importance: Undecided Status: New -- ssh-add -D deleting all identities does not work. Also, why are all identities auto-added? https://bugs.launchpad.net/bugs/505278 You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to openssh in ubuntu. -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 505278] Re: ssh-add -D deleting all identities does not work. Also, why are all identities auto-added?
the issue is rather a gnome-keyring one, seahorse does gpg not ssh... ** Package changed: seahorse (Ubuntu) = gnome-keyring (Ubuntu) ** Package changed: gnome-keyring (Ubuntu) = seahorse (Ubuntu) ** Package changed: seahorse (Ubuntu) = gnome-keyring (Ubuntu) ** Changed in: gnome-keyring (Ubuntu) Assignee: (unassigned) = Ubuntu Desktop Bugs (desktop-bugs) -- ssh-add -D deleting all identities does not work. Also, why are all identities auto-added? https://bugs.launchpad.net/bugs/505278 You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to openssh in ubuntu. -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 505278] Re: ssh-add -D deleting all identities does not work. Also, why are all identities auto-added?
** Changed in: seahorse (Ubuntu) Status: New = Confirmed -- ssh-add -D deleting all identities does not work. Also, why are all identities auto-added? https://bugs.launchpad.net/bugs/505278 You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to openssh in ubuntu. -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 505278] Re: ssh-add -D deleting all identities does not work. Also, why are all identities auto-added?
As described upstream, this appears to be the fault of seahorse, not openssh. ** Changed in: openssh (Ubuntu) Status: Confirmed = Invalid -- ssh-add -D deleting all identities does not work. Also, why are all identities auto-added? https://bugs.launchpad.net/bugs/505278 You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to openssh in ubuntu. -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 505278] Re: ssh-add -D deleting all identities does not work. Also, why are all identities auto-added?
** Changed in: seahorse (Ubuntu) Importance: Undecided = Low -- ssh-add -D deleting all identities does not work. Also, why are all identities auto-added? https://bugs.launchpad.net/bugs/505278 You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to openssh in ubuntu. -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 505278] Re: ssh-add -D deleting all identities does not work. Also, why are all identities auto-added?
Reported to upstream as https://bugzilla.mindrot.org/show_bug.cgi?id=1695 ** Bug watch added: OpenSSH Portable Bugzilla #1695 https://bugzilla.mindrot.org/show_bug.cgi?id=1695 ** Also affects: openssh via https://bugzilla.mindrot.org/show_bug.cgi?id=1695 Importance: Unknown Status: Unknown -- ssh-add -D deleting all identities does not work. Also, why are all identities auto-added? https://bugs.launchpad.net/bugs/505278 You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to openssh in ubuntu. -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 505278] Re: ssh-add -D deleting all identities does not work. Also, why are all identities auto-added?
Upstream says that this is security vulnerability. I agree. An important one too! User can have action (like shortcut, screensaver, timeout, whatever) that does ssh-key -D, and he expect that his SSH keys are now secure... while they are still accessible! Upstream also says its most likely a problem with seahorse or other ssh agent; Although when I killed all my agents (seahorse*, ssh-agent) the same problem seemed to exist still - read comments in upstream bug report. ** This bug has been flagged as a security vulnerability -- ssh-add -D deleting all identities does not work. Also, why are all identities auto-added? https://bugs.launchpad.net/bugs/505278 You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to openssh in ubuntu. -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 505278] Re: ssh-add -D deleting all identities does not work. Also, why are all identities auto-added?
* typo, I ment of course ssh-add -D not ssh-key -- ssh-add -D deleting all identities does not work. Also, why are all identities auto-added? https://bugs.launchpad.net/bugs/505278 You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to openssh in ubuntu. -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 505278] Re: ssh-add -D deleting all identities does not work. Also, why are all identities auto-added?
** Also affects: seahorse (Ubuntu) Importance: Undecided Status: New -- ssh-add -D deleting all identities does not work. Also, why are all identities auto-added? https://bugs.launchpad.net/bugs/505278 You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to openssh in ubuntu. -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 505278] Re: ssh-add -D deleting all identities does not work. Also, why are all identities auto-added?
** Attachment added: XsessionErrors.txt http://launchpadlibrarian.net/37658272/XsessionErrors.txt -- ssh-add -D deleting all identities does not work. Also, why are all identities auto-added? https://bugs.launchpad.net/bugs/505278 You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to openssh in ubuntu. -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 505278] Re: ssh-add -D deleting all identities does not work. Also, why are all identities auto-added?
Confirming: cer...@xango:~/Can$ ssh-add -l 2048 7d:01:74:bd:a6:7f:58:3f:57:e0:1b:da:a0:31:a8:ae hg...@xango2 (RSA) cer...@xango:~/Can$ ssh-add -D All identities removed. cer...@xango:~/Can$ ssh-add -l cer...@xango:~/Can$ apt-cache policy openssh-client openssh-client: Installed: 1:5.2p1-1ubuntu1 Candidate: 1:5.2p1-1ubuntu1 Version table: *** 1:5.2p1-1ubuntu1 0 500 http://archive.ubuntu.com lucid/main Packages 100 /var/lib/dpkg/status cer...@xango:~/Can$ 2048 7d:01:74:bd:a6:7f:58:3f:57:e0:1b:da:a0:31:a8:ae hg...@xango2 (RSA) cer...@xango:~/Canonical$ ** Changed in: openssh (Ubuntu) Importance: Undecided = Low ** Changed in: openssh (Ubuntu) Status: New = Confirmed -- ssh-add -D deleting all identities does not work. Also, why are all identities auto-added? https://bugs.launchpad.net/bugs/505278 You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to openssh in ubuntu. -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 505278] Re: ssh-add -D deleting all identities does not work. Also, why are all identities auto-added?
Somehow I overwrote part of the above. The test is here: cer...@xango:~/Can$ ssh-add -l 2048 7d:01:74:bd:a6:7f:58:3f:57:e0:1b:da:a0:31:a8:ae hg...@xango2 (RSA) cer...@xango:~/Can$ ssh-add -D All identities removed. cer...@xango:~/Can$ ssh-add -l 2048 7d:01:74:bd:a6:7f:58:3f:57:e0:1b:da:a0:31:a8:ae hg...@xango2 (RSA) cer...@xango:~/Can$ -- ssh-add -D deleting all identities does not work. Also, why are all identities auto-added? https://bugs.launchpad.net/bugs/505278 You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to openssh in ubuntu. -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
