Matthew Boedicker
2016-Jan-01 21:43 UTC
removing keys from ssh-agent without having key file
ssh-agent does not allow you to remove individual keys without having the key file that was added. To remove these keys the user must remove all keys with ssh-add -D.

Would a patch to make ssh-add skip the existence check for the file be considered?

The specific use case is that a USB drive is mounted with the key, the key is added to the agent then the USB drive is unmounted.
Dustin Lundquist
2016-Jan-01 23:27 UTC
removing keys from ssh-agent without having key file
I've run into a similar situation. Looking at PROTOCOL.agent for SSH version 2, you can obtain the key blob with SSH2_AGENTC_REQUEST_IDENTITIES, and remove that identity with SSH2_AGENTC_REMOVE_IDENTITY. This means that within the SSH agent protocol the key files are not needed to remove the key.

I have another use case for this functionality: I've written an SSH agent proxy which permits authorized users access to a common set of identities, and in some cases a user has access to too many identities to complete authentication in the permitted number of authentication attempts. In this case the proxy would not remove the shared identity, but temporarily block it from that user's view.

Dustin Lundquist
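The two agent messages Dustin names, as an added Python example that is not part of this thread or of OpenSSH: it asks the agent on $SSH_AUTH_SOCK for its identities (SSH2_AGENTC_REQUEST_IDENTITIES), then sends SSH2_AGENTC_REMOVE_IDENTITY carrying the key blob the agent returned, so no key file is involved. Message numbers and framing follow PROTOCOL.agent; the function names and the choice to select a key by its agent comment are my own assumptions (comments need not be unique, so the first match is removed).

```python
import os
import socket
import struct

# Message numbers from OpenSSH's PROTOCOL.agent (SSH v2 agent protocol).
SSH_AGENT_SUCCESS = 6
SSH2_AGENTC_REQUEST_IDENTITIES = 11
SSH2_AGENT_IDENTITIES_ANSWER = 12
SSH2_AGENTC_REMOVE_IDENTITY = 18

def ssh_string(b):  # SSH 'string': uint32 big-endian length, then the bytes
    return struct.pack(">I", len(b)) + b

def read_string(buf, off):  # decode a 'string' at off -> (bytes, next offset)
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n

def parse_identities_answer(payload):
    """Parse SSH2_AGENT_IDENTITIES_ANSWER into [(key_blob, comment), ...]."""
    if payload[0] != SSH2_AGENT_IDENTITIES_ANSWER:
        raise ValueError("unexpected agent reply type %d" % payload[0])
    (count,) = struct.unpack_from(">I", payload, 1)
    off, keys = 5, []
    for _ in range(count):
        blob, off = read_string(payload, off)
        comment, off = read_string(payload, off)
        keys.append((blob, comment.decode("utf-8", "replace")))
    return keys

def remove_identity_request(blob):
    """SSH2_AGENTC_REMOVE_IDENTITY carries only the public key blob, no file."""
    return bytes([SSH2_AGENTC_REMOVE_IDENTITY]) + ssh_string(blob)

def agent_call(sock, payload):
    """Send one length-framed request and return the agent's reply payload."""
    sock.sendall(ssh_string(payload))
    (n,) = struct.unpack(">I", sock.recv(4, socket.MSG_WAITALL))
    return sock.recv(n, socket.MSG_WAITALL)

def remove_by_comment(comment):
    """Remove the loaded key whose comment matches, via $SSH_AUTH_SOCK."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(os.environ["SSH_AUTH_SOCK"])
        keys = parse_identities_answer(
            agent_call(s, bytes([SSH2_AGENTC_REQUEST_IDENTITIES])))
        for blob, c in keys:
            if c == comment:
                reply = agent_call(s, remove_identity_request(blob))
                return reply[0] == SSH_AGENT_SUCCESS
    return False
```

With a running agent, `remove_by_comment("djm@fuyu.mindrot.org")` does what `ssh-add -d k1.pub` does, except that the public key comes from the agent's own identities answer rather than from disk.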
On Fri, 1 Jan 2016, Matthew Boedicker wrote:

> ssh-agent does not allow you to remove individual keys without having the
> key file that was added. To remove these keys the user must remove all keys
> with ssh-add -D.

No, you only need the public key and you can get that from the agent itself if you don't happen to have it laying around.

[djm at fuyu tmp]$ ssh-keygen -q -t ed25519 -f k1 -N ''
[djm at fuyu tmp]$ ssh-keygen -q -t ed25519 -f k2 -N ''
[djm at fuyu tmp]$ ssh-add k1 k2
Identity added: k1 (djm at fuyu.mindrot.org)
Identity added: k2 (djm at fuyu.mindrot.org)
[djm at fuyu tmp]$ ssh-add -L
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKJmyuVthrSvC6RMly/gJyAd1oFo8NggUUAV0JKvW9V4 djm at fuyu.mindrot.org
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFk1eV8abvdBGAJINxDZ2fK9btsLUlHmPL9DPBDhh/MP djm at fuyu.mindrot.org
[djm at fuyu tmp]$ rm k1* k2*
[djm at fuyu tmp]$ ssh-add -L | head -1 > k1.pub
[djm at fuyu tmp]$ ssh-add -d k1
Identity removed: k1 (djm at fuyu.mindrot.org)
[djm at fuyu tmp]$ ssh-add -L
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFk1eV8abvdBGAJINxDZ2fK9btsLUlHmPL9DPBDhh/MP djm at fuyu.mindrot.org

-d
Matthew Boedicker
2016-Jan-04 07:59 UTC
removing keys from ssh-agent without having key file
Thanks Damien. It's good to know that this is possible and how to do it.

It might be nice if ssh-add did this for you during ssh-add -d. Is there any reason it couldn't always get the key blob from the agent and send it back for removal instead of using the filesystem?