bugzilla-daemon at bugzilla.mindrot.org
2010-Jan-10 11:16 UTC
[Bug 1695] New: ssh-add -D does not delete all keys
https://bugzilla.mindrot.org/show_bug.cgi?id=1695

           Summary: ssh-add -D does not delete all keys
           Product: Portable OpenSSH
           Version: 5.2p1
          Platform: All
        OS/Version: Linux
            Status: NEW
          Severity: major
          Priority: P2
         Component: ssh-add
        AssignedTo: unassigned-bugs at mindrot.org
        ReportedBy: rafal.maj.it at gmail.com

First reported by me as
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/505278

Example:

$ ssh-add -l
2048 7d:01:74:bd:a6:7f:58:3f:57:e0:1b:da:a0:31:a8:ae hggdh at xango2 (RSA)
$ ssh-add -D
All identities removed.
$ ssh-add -l
2048 7d:01:74:bd:a6:7f:58:3f:57:e0:1b:da:a0:31:a8:ae hggdh at xango2 (RSA)

In Ubuntu 9.10 and Lucid (alpha)

--
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2010-Jan-10 11:18 UTC
[Bug 1695] ssh-add -D does not delete all keys
https://bugzilla.mindrot.org/show_bug.cgi?id=1695

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |djm at mindrot.org

--- Comment #1 from Damien Miller <djm at mindrot.org> 2010-01-10 22:18:16 EST ---
Are you using ssh-agent or the GNOME thing that Ubuntu uses?
bugzilla-daemon at bugzilla.mindrot.org
2010-Jan-10 11:36 UTC
[Bug 1695] ssh-add -D does not delete all keys
https://bugzilla.mindrot.org/show_bug.cgi?id=1695

--- Comment #2 from Rafał Maj <rafal.maj.it at gmail.com> 2010-01-10 22:36:49 EST ---
I was not starting myself the ssh-agent. It seems ssh-agent is always started
for logged in user, on Ubuntu 9.04, like:

/usr/bin/ssh-agent /usr/bin/gpg-agent --daemon --sh --write-env-file=/home/userfoo/.gnupg/gpg-agent-info-lcwood /usr/bin/dbus-launch --exit-with-session /usr/bin/pulse-session /usr/bin/seahorse-agent --execute gnome-session

After killall ssh-agent (and no ps aux ssh-agent for my user) still there is
identical problem, ssh -l shows all keys, -D does not change anything.
bugzilla-daemon at bugzilla.mindrot.org
2010-Jan-10 11:42 UTC
[Bug 1695] ssh-add -D does not delete all keys
https://bugzilla.mindrot.org/show_bug.cgi?id=1695

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |WORKSFORME

--- Comment #3 from Damien Miller <djm at mindrot.org> 2010-01-10 22:42:02 EST ---
ok, so the problem is with whatever ssh-agent that Debian is using (probably
seahorse-agent). They aren't using the OpenSSH one.

The problem is not with OpenSSH's ssh-add - it just sends the "delete all
keys" message (specified in [1]) and trusts that the agent does the right
thing. OpenSSH's certainly does.

I suggest that you follow up with the developers of seahorse-agent - this is a
significant security bug as it could leave keys exposed when the user thought
they deleted them.

[1] http://www.openbsd.org/cgi-bin/cvsweb/~checkout~/src/usr.bin/ssh/PROTOCOL.agent?rev=HEAD
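Added example, not part of the original thread and not OpenSSH code: a Python check for the point in comment #3 that the client sends the "delete all keys" request and then has to trust the agent. It sends the request and re-lists the identities instead of trusting the reply; `fake_agent`, `demo` and the socketpair wiring are constructed stand-ins, and the misbehaving case (success reported, key still listed) is modelled on the output in the report.

```python
import socket, struct, threading
# Message numbers from the SSH agent protocol (protocol 2 key operations).
SSH_AGENT_FAILURE, SSH_AGENT_SUCCESS = 5, 6
SSH_AGENTC_REQUEST_IDENTITIES, SSH_AGENT_IDENTITIES_ANSWER = 11, 12
SSH_AGENTC_REMOVE_ALL_IDENTITIES = 19

def read_msg(sock):
    """Read one frame: uint32 big-endian length, then type byte + contents."""
    head = sock.recv(4, socket.MSG_WAITALL)
    length = struct.unpack(">I", head)[0] if len(head) == 4 else 0
    body = sock.recv(length, socket.MSG_WAITALL) if length else b""
    if not body or len(body) != length:
        raise ConnectionError("connection closed or malformed agent message")
    return body

def send_msg(sock, body):
    sock.sendall(struct.pack(">I", len(body)) + body)

def remove_all_and_verify(sock):
    """Delete all keys, then re-list. Returns (agent_said_success, keys_still_listed)."""
    send_msg(sock, bytes([SSH_AGENTC_REMOVE_ALL_IDENTITIES]))
    ok = read_msg(sock)[0] == SSH_AGENT_SUCCESS
    send_msg(sock, bytes([SSH_AGENTC_REQUEST_IDENTITIES]))
    reply = read_msg(sock)
    if reply[0] != SSH_AGENT_IDENTITIES_ANSWER or len(reply) < 5:
        raise RuntimeError("unexpected reply to identity listing")
    return ok, struct.unpack(">I", reply[1:5])[0]

def fake_agent(sock, nkeys, honours_remove):
    """Constructed stand-in agent for the demo; not any real agent's code."""
    try:
        while True:
            kind = read_msg(sock)[0]
            if kind == SSH_AGENTC_REMOVE_ALL_IDENTITIES:
                nkeys = 0 if honours_remove else nkeys  # the bug: report success, keep keys
                send_msg(sock, bytes([SSH_AGENT_SUCCESS]))
            elif kind == SSH_AGENTC_REQUEST_IDENTITIES:
                # key count, then an empty key blob and empty comment per key
                listing = struct.pack(">I", nkeys) + bytes(8) * nkeys
                send_msg(sock, bytes([SSH_AGENT_IDENTITIES_ANSWER]) + listing)
            else:
                send_msg(sock, bytes([SSH_AGENT_FAILURE]))
    except ConnectionError:
        sock.close()

def demo(honours_remove):
    client, server = socket.socketpair()
    threading.Thread(target=fake_agent, args=(server, 1, honours_remove), daemon=True).start()
    with client:
        return remove_all_and_verify(client)
```

Against a live agent, connect an `AF_UNIX` stream socket to the path in `SSH_AUTH_SOCK` and pass it to `remove_all_and_verify`; this sends a real delete-all request, and a nonzero second value means keys are still being offered.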
bugzilla-daemon at bugzilla.mindrot.org
2010-Jan-10 11:49 UTC
[Bug 1695] ssh-add -D does not delete all keys
https://bugzilla.mindrot.org/show_bug.cgi?id=1695

Rafał Maj <rafal.maj.it at gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|WORKSFORME                  |FIXED

--- Comment #4 from Rafał Maj <rafal.maj.it at gmail.com> 2010-01-10 22:49:35 EST ---
Hmm but killing everything reported by ps aux | grep ssh-agent and grep
seahorse, including dbus session, did not help, still ssh-add -l lists all my
keys.

killall seahorse-daemon seahorse-agent ssh-agent

If all of these are killed then who is still keeping my keys?
bugzilla-daemon at bugzilla.mindrot.org
2010-Jan-18 11:00 UTC
[Bug 1695] ssh-add -D does not delete all keys
https://bugzilla.mindrot.org/show_bug.cgi?id=1695

Martin von Wittich <martin.von.wittich at iserv.eu> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |martin.von.wittich at iserv.eu

--- Comment #5 from Martin von Wittich <martin.von.wittich at iserv.eu> 2010-01-18 22:00:02 EST ---
I'm having the same issue on a Fedora 10 machine; Seahorse is not installed and
ssh-agent is not running. I believe the buggy agent that is causing this is
gnome-keyring-daemon.
bugzilla-daemon at bugzilla.mindrot.org
2010-Apr-16 05:49 UTC
[Bug 1695] ssh-add -D does not delete all keys
https://bugzilla.mindrot.org/show_bug.cgi?id=1695

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED

--- Comment #6 from Damien Miller <djm at mindrot.org> 2010-04-16 15:49:38 EST ---
Mass move of bugs RESOLVED->CLOSED following the release of openssh-5.5p1