Bug 2150510

Summary: cannot remove keys from ssh-agent
Product: Fedora
Reporter: Thomas Köller <thomas>
Component: openssh
Assignee: Dmitry Belyavskiy <dbelyavs>
Status: CLOSED NOTABUG
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 37
CC: crypto-team, dbelyavs, dwalsh, jjelen, lkundrak, mattias.ellert, tm
Target Milestone: ---
Keywords: Triaged
Target Release: ---
Hardware: x86_64
OS: Linux
Last Closed: 2023-06-15 11:52:55 UTC
Type: Bug

Description Thomas Köller 2022-12-03 15:19:17 UTC
Description of problem:

Removing keys from ssh-agent does not work:

```
[thomas@sarkovy .ssh]$ ls
ca_key	ca_key.pub  host_key  host_key.pub  user_key  user_key.pub
[thomas@sarkovy .ssh]$ ssh-add -l
256 SHA256:WXrds3toVaf16i8gZs0lBroHuiSqX6MYXnQl2hogRis Host key (ED25519)
256 SHA256:Fq20YtHavHvF5pNhZC8a/ivpmkemeEFlxVjOlmFy6MI User key (ED25519)
256 SHA256:zxQ9IdMp7CJZ9MeR7e+HLdne/4WxfLkhOUJujotraT8 CA signing key (ED25519)
[thomas@sarkovy .ssh]$ ssh-add -d user_key.pub
Could not remove identity "user_key.pub": agent refused operation
[thomas@sarkovy .ssh]$ ssh-add -l
256 SHA256:WXrds3toVaf16i8gZs0lBroHuiSqX6MYXnQl2hogRis Host key (ED25519)
256 SHA256:Fq20YtHavHvF5pNhZC8a/ivpmkemeEFlxVjOlmFy6MI User key (ED25519)
256 SHA256:zxQ9IdMp7CJZ9MeR7e+HLdne/4WxfLkhOUJujotraT8 CA signing key (ED25519)
[thomas@sarkovy .ssh]$ ssh-add -D
All identities removed.
[thomas@sarkovy .ssh]$ ssh-add -l
256 SHA256:WXrds3toVaf16i8gZs0lBroHuiSqX6MYXnQl2hogRis Host key (ED25519)
256 SHA256:Fq20YtHavHvF5pNhZC8a/ivpmkemeEFlxVjOlmFy6MI User key (ED25519)
256 SHA256:zxQ9IdMp7CJZ9MeR7e+HLdne/4WxfLkhOUJujotraT8 CA signing key (ED25519)
```

Version-Release number of selected component (if applicable):

8.8p1-7.fc37

How reproducible:

always

Steps to Reproduce:

See above

Actual results:

Keys are not removed


Expected results:

Keys should be removed


Additional info:

It seems that creating a new key via ssh-keygen automatically adds it to ssh-agent. AFAICT this behavior is not mentioned anywhere in the man pages, and it exacerbates the problem.

Comment 1 Jakub Jelen 2023-06-15 11:52:55 UTC
You are not running ssh-agent, but gnome-keyring, which for convenience lists all the keys that you have in the default location.

```
$ echo $SSH_AUTH_SOCK
/run/user/1000/keyring/ssh
```

If the keys have a passphrase and you do not have them stored somewhere (in the keyring), it will prompt for the passphrase the first time you use the key. This is documented in the manual page for gnome-keyring-daemon:

> The daemon also implements a GnuPG and SSH agent both of which automatically load the user's keys, and prompt for passwords when necessary.

This is not a bug. Sorry it took too long to come back with the answer.
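A small diagnostic to tell the two situations apart before filing a report like this one. It is an added example, not part of the bug or of the openssh/gnome-keyring packages; the socket locations it matches on are assumptions (the keyring path is the one shown in the comment above, the ssh-agent paths are the OpenSSH default under /tmp and the Fedora user-service path under $XDG_RUNTIME_DIR).

```shell
#!/bin/sh
# Report which agent implementation SSH_AUTH_SOCK points at, because
# "ssh-add -d" and "ssh-add -D" behave differently against gnome-keyring
# than against OpenSSH's own ssh-agent.

# Classify a socket path by its well-known location. Pure function, no I/O.
# Assumed defaults: gnome-keyring uses $XDG_RUNTIME_DIR/keyring/ssh;
# OpenSSH ssh-agent uses /tmp/ssh-XXXXXXXXXX/agent.<pid>, and Fedora's
# ssh-agent user service uses $XDG_RUNTIME_DIR/openssh_agent.
classify_ssh_agent_socket() {
    case "$1" in
        "")                                   echo none ;;
        */keyring/ssh)                        echo gnome-keyring ;;
        */openssh_agent|/tmp/ssh-*/agent.*)   echo ssh-agent ;;
        *)                                    echo unknown ;;
    esac
}

# Inspect the live environment and explain what ssh-add will do.
diagnose_ssh_agent() {
    sock="${SSH_AUTH_SOCK-}"
    kind=$(classify_ssh_agent_socket "$sock")
    printf 'SSH_AUTH_SOCK=%s (%s)\n' "$sock" "$kind"
    if [ -n "$sock" ] && [ ! -S "$sock" ]; then
        echo "warning: path exists but is not a socket; no agent is reachable"
    fi
    case "$kind" in
        gnome-keyring)
            echo "keys in the default ~/.ssh location are listed automatically;"
            echo "ssh-add -d is refused and ssh-add -D reports success but the"
            echo "keys are listed again (see the transcript in this bug)" ;;
        ssh-agent)
            echo "only explicitly added keys are listed; ssh-add -d/-D remove them" ;;
        none)
            echo "no agent socket in the environment; ssh-add cannot connect" ;;
        unknown)
            echo "unrecognised socket path; check which process listens on it" ;;
    esac
    return 0
}

diagnose_ssh_agent
```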