Public bug reported:

Since Ubuntu 24.04 (at least compared to LTS Ubuntu 22.04), GPG agent
now functions as the SSH agent. Not only does this have the problem of
not being able to unload keys with 'ssh-add -d|-D' (which is very
impractical if you keep changing who you are to git servers, like
[email protected]), but it also has security implications. I unwittingly
stored my encrypted SSH key in plain text on my disk. And I think I'm
not the only one.

I did:

  ssh-add
  [typed passphrase]

Gpg-agent subsequently asked me to set a password (a double password-entry
prompt). I was in a 'go away' mindset and just pressed Enter (which it
didn't protest). Unknowingly at first, this caused my SSH private key to be
stored unencrypted in '~/.gnupg/private-keys-v1.d'.

I think it's very unexpected behavior that the command 'ssh-add' causes
your key to be copied elsewhere on disk, but I think it's a security
concern that 'ssh-add' can now remove the passphrase from your key. As a
user, you don't expect that of 'ssh-add', no matter how you answer any
prompts.

The semantics of ssh-add have also changed to those of a one-time command.
It now means 'copy my key to gpg-agent' instead of 'load my key until I
shut down my PC'.

I don't know what the fix should be, because it touches too many moving
parts, but I can at least say that the previous behavior was better for
me in all ways.

** Affects: ubuntu
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2096980

Title:
  Gpg-agent as SSH agent: encrypted SSH key ends up decrypted on disk

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+bug/2096980/+subscriptions


-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
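As an added example, not part of the report and not code from GnuPG or OpenSSH: a POSIX shell audit for the state the reporter describes. It reads gpg-agent's default files (~/.gnupg/sshcontrol, where ssh-add registers the keygrip of each key handed to gpg-agent, and ~/.gnupg/private-keys-v1.d/<keygrip>.key, the stored key) and classifies each key by the S-expression tag gpg-agent writes: "protected-private-key" for a passphrase-protected key, a bare "private-key" for one stored in the clear. The sample GnuPG home it builds is constructed placeholder data, not real key material; the socket name S.gpg-agent.ssh is gpg-agent's default.

```shell
#!/bin/sh
# Added example for this bug report, not code from the report, GnuPG or
# OpenSSH. It audits the keys gpg-agent holds for SSH use and flags any
# stored without a passphrase. File names and formats are GnuPG's
# defaults; make_sample_home() builds constructed placeholder data.
set -eu

# True when the SSH agent in use is gpg-agent (its default socket name).
agent_is_gpg() {
    case "${SSH_AUTH_SOCK:-}" in
        */S.gpg-agent.ssh) return 0 ;;
        *) return 1 ;;
    esac
}

# Classify one private-keys-v1.d file by the tag of its key S-expression.
# gpg-agent writes "protected-private-key" for passphrase-protected keys,
# a bare "private-key" for keys stored in the clear, and
# "shadowed-private-key" for smartcard-backed keys. The tags appear in
# both the canonical "(21:protected-private-key" encoding and the newer
# "Key: (protected-private-key ..." extended format.
classify_key() {
    if grep -qa 'protected-private-key' "$1"; then echo protected
    elif grep -qa 'shadowed-private-key' "$1"; then echo shadowed
    elif grep -qaE '\((11:)?private-key' "$1"; then echo unprotected
    else echo unknown
    fi
}

# Keygrips listed in sshcontrol: first field of each non-comment line.
# ssh-add appends a line here when it hands a key to gpg-agent.
ssh_keygrips() {
    [ -f "$1" ] || return 0
    grep -v '^[[:space:]]*#' "$1" | awk 'NF { print $1 }'
}

# Audit every SSH-registered key under a GnuPG home: list unprotected
# keys on stderr and print how many were found.
audit_ssh_keys() {
    home=$1 bad=0
    for grip in $(ssh_keygrips "$home/sshcontrol"); do
        f="$home/private-keys-v1.d/$grip.key"
        if [ ! -f "$f" ]; then
            echo "MISSING: $grip has no key file" >&2
            continue
        fi
        if [ "$(classify_key "$f")" = unprotected ]; then
            bad=$((bad + 1))
            echo "UNPROTECTED: $f" >&2
        fi
    done
    echo "$bad"
}

# Constructed GnuPG home with one protected and one unprotected key.
# The hex blobs are placeholders, not usable key material.
make_sample_home() {
    d=$(mktemp -d)
    mkdir -p "$d/private-keys-v1.d"
    good=1111111111111111111111111111111111111111
    leak=2222222222222222222222222222222222222222
    printf 'Key: (protected-private-key (rsa (n #C0FFEE#)(e #010001#)(protected openpgp-s2k3-ocb-aes (...) #00#)))\n' \
        > "$d/private-keys-v1.d/$good.key"
    printf 'Key: (private-key (rsa (n #C0FFEE#)(e #010001#)(d #0BAD#)))\n' \
        > "$d/private-keys-v1.d/$leak.key"
    printf '# List of allowed ssh keys.\n%s 0\n%s 0\n' "$good" "$leak" \
        > "$d/sshcontrol"
    echo "$d"
}

if [ "${1:-}" = --demo ]; then
    sample=$(make_sample_home)
    echo "sample home: $(audit_ssh_keys "$sample") unprotected key(s)"
    rm -r "$sample"
    real=${GNUPGHOME:-${HOME:-}/.gnupg}
    if [ -d "$real" ]; then
        echo "$real: $(audit_ssh_keys "$real") unprotected key(s)"
    fi
    if agent_is_gpg; then echo "SSH_AUTH_SOCK points at gpg-agent"; fi
fi
```

Run it with --demo to audit the constructed sample and then your own GnuPG home. A key reported as UNPROTECTED can be given a passphrase again through gpg-agent's PASSWD command (gpg-connect-agent 'PASSWD <keygrip>' /bye). Since, as the report notes, 'ssh-add -d|-D' does not unload keys from gpg-agent, removing a key means deleting its line from sshcontrol and its .key file from private-keys-v1.d.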