Bug 2150510 - cannot remove keys from ssh-agent
Summary: cannot remove keys from ssh-agent
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: openssh
Version: 37
Hardware: x86_64
OS: Linux
unspecified
unspecified
Target Milestone: ---
Assignee: Dmitry Belyavskiy
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2022-12-03 15:19 UTC by Thomas Köller
Modified: 2023-06-15 11:52 UTC

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2023-06-15 11:52:55 UTC
Type: Bug
Embargoed:
fedora-admin-xmlrpc: mirror+




Links

| System | ID | Private | Priority | Status | Summary | Last Updated |
|---|---|---|---|---|---|---|
| Red Hat Issue Tracker | FC-675 | 0 | None | None | None | 2022-12-03 15:27:40 UTC |

Description Thomas Köller 2022-12-03 15:19:17 UTC
Description of problem:

Removing keys from ssh-agent does not work:

```
[thomas@sarkovy .ssh]$ ls
ca_key	ca_key.pub  host_key  host_key.pub  user_key  user_key.pub
[thomas@sarkovy .ssh]$ ssh-add -l
256 SHA256:WXrds3toVaf16i8gZs0lBroHuiSqX6MYXnQl2hogRis Host key (ED25519)
256 SHA256:Fq20YtHavHvF5pNhZC8a/ivpmkemeEFlxVjOlmFy6MI User key (ED25519)
256 SHA256:zxQ9IdMp7CJZ9MeR7e+HLdne/4WxfLkhOUJujotraT8 CA signing key (ED25519)
[thomas@sarkovy .ssh]$ ssh-add -d user_key.pub
Could not remove identity "user_key.pub": agent refused operation
[thomas@sarkovy .ssh]$ ssh-add -l
256 SHA256:WXrds3toVaf16i8gZs0lBroHuiSqX6MYXnQl2hogRis Host key (ED25519)
256 SHA256:Fq20YtHavHvF5pNhZC8a/ivpmkemeEFlxVjOlmFy6MI User key (ED25519)
256 SHA256:zxQ9IdMp7CJZ9MeR7e+HLdne/4WxfLkhOUJujotraT8 CA signing key (ED25519)
[thomas@sarkovy .ssh]$ ssh-add -D
All identities removed.
[thomas@sarkovy .ssh]$ ssh-add -l
256 SHA256:WXrds3toVaf16i8gZs0lBroHuiSqX6MYXnQl2hogRis Host key (ED25519)
256 SHA256:Fq20YtHavHvF5pNhZC8a/ivpmkemeEFlxVjOlmFy6MI User key (ED25519)
256 SHA256:zxQ9IdMp7CJZ9MeR7e+HLdne/4WxfLkhOUJujotraT8 CA signing key (ED25519)
```



Version-Release number of selected component (if applicable):

8.8p1-7.fc37

How reproducible:

always

Steps to Reproduce:

See above

Actual results:

Keys are not removed


Expected results:

Keys should be removed


Additional info:

It seems that creating a new key via ssh-keygen automatically adds it to ssh-agent. AFAICT this behavior is not mentioned anywhere in the man pages, and it exacerbates the problem.

Comment 1 Jakub Jelen 2023-06-15 11:52:55 UTC
You are not running ssh-agent, but gnome-keyring, which for convenience lists all the keys that you have in the default location.

```
$ echo $SSH_AUTH_SOCK
/run/user/1000/keyring/ssh
```

If the keys have a passphrase and you do not have them stored somewhere (in the keyring), it will prompt for the passphrase the first time you use the key. This is documented in the manual page for gnome-keyring-daemon:

> The daemon also implements a GnuPG and SSH agent both of which automatically load the user's keys, and prompt for passwords when necessary.

This is not a bug. Sorry it took too long to come back with the answer.
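
The check described in Comment 1, as an added example that is not part of the original thread or of OpenSSH or gnome-keyring: it classifies the agent behind `SSH_AUTH_SOCK` and confirms a key is really gone after `ssh-add -d` instead of trusting the status message. The function names and the socket path patterns are assumptions based on common defaults.

```shell
#!/usr/bin/env bash
# Added example: identify the agent behind SSH_AUTH_SOCK and verify key removal.

# Classify an agent socket path. The patterns are assumptions based on common
# defaults: gnome-keyring listens on <runtime dir>/keyring/ssh (as shown on
# this page); OpenSSH ssh-agent defaults to $TMPDIR/ssh-XXXXXXXXXX/agent.<ppid>.
classify_agent_socket() {
    case "$1" in
        "")              echo "none" ;;
        */keyring/ssh)   echo "gnome-keyring" ;;
        */ssh-*/agent.*) echo "openssh-ssh-agent" ;;
        *)               echo "unknown" ;;
    esac
}

# Return 0 if fingerprint $1 appears as the second field of any line in $2,
# where $2 is text in the format printed by `ssh-add -l`.
fingerprint_listed() {
    printf '%s\n' "$2" |
        awk -v fp="$1" '$2 == fp { found = 1 } END { exit !found }'
}

# Remove the key whose public half is in file $1, then re-list the agent.
# Returns 0 if the key is gone, 1 if the agent still offers it,
# 2 if the fingerprint could not be computed.
remove_and_verify() {
    rv_fp=$(ssh-keygen -lf "$1" | awk '{ print $2 }') || return 2
    [ -n "$rv_fp" ] || return 2
    ssh-add -d "$1" >/dev/null 2>&1
    if fingerprint_listed "$rv_fp" "$(ssh-add -l 2>/dev/null)"; then
        echo "still offered by $(classify_agent_socket "$SSH_AUTH_SOCK"): $rv_fp"
        return 1
    fi
    echo "removed: $rv_fp"
}
```

Source the file and run `remove_and_verify ~/.ssh/user_key.pub`; a non-zero status means the agent is still offering the key.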

