Bug 1695

Summary: ssh-add -D does not delete all keys
Product: Portable OpenSSH Reporter: Rafał Maj <rafal.maj.it>
Component: ssh-add    Assignee: Assigned to nobody <unassigned-bugs>
Status: CLOSED FIXED    
Severity: major CC: djm, martin.von.wittich
Priority: P2    
Version: 5.2p1   
Hardware: All   
OS: Linux   

Description Rafał Maj 2010-01-10 22:16:18 AEDT
First reported by me as https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/505278

Example:

$ ssh-add -l
2048 7d:01:74:bd:a6:7f:58:3f:57:e0:1b:da:a0:31:a8:ae hggdh@xango2 (RSA)
$ ssh-add -D
All identities removed.
$ ssh-add -l
2048 7d:01:74:bd:a6:7f:58:3f:57:e0:1b:da:a0:31:a8:ae hggdh@xango2 (RSA)

In Ubuntu 9.10 and Lucid (alpha)
Comment 1 Damien Miller 2010-01-10 22:18:16 AEDT
Are you using ssh-agent or the GNOME thing that Ubuntu uses?
Comment 2 Rafał Maj 2010-01-10 22:36:49 AEDT
I was not starting the ssh-agent myself.

It seems ssh-agent is always started for the logged-in user on Ubuntu 9.04, like:
/usr/bin/ssh-agent /usr/bin/gpg-agent --daemon --sh --write-env-file=/home/userfoo/.gnupg/gpg-agent-info-lcwood /usr/bin/dbus-launch --exit-with-session /usr/bin/pulse-session /usr/bin/seahorse-agent --execute gnome-session

After killall ssh-agent (and no ssh-agent in ps aux for my user) there is still the identical problem: ssh-add -l shows all keys, -D does not change anything.
Comment 3 Damien Miller 2010-01-10 22:42:02 AEDT
OK, so the problem is with whatever ssh-agent Debian is using (probably seahorse-agent). They aren't using the OpenSSH one.

The problem is not with OpenSSH's ssh-add - it just sends the "delete all keys" message (specified in [1]) and trusts that the agent does the right thing. OpenSSH's certainly does.

I suggest that you follow up with the developers of seahorse-agent - this is a significant security bug as it could leave keys exposed when the user thought they deleted them.

[1] http://www.openbsd.org/cgi-bin/cvsweb/~checkout~/src/usr.bin/ssh/PROTOCOL.agent?rev=HEAD
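The check described in this comment, written out as an added example that is not part of the bug report or of OpenSSH: it speaks the agent protocol from [1] directly over SSH_AUTH_SOCK, sends SSH_AGENTC_REMOVE_ALL_IDENTITIES exactly as ssh-add -D does, then re-requests the identity list, so a non-empty list after a SUCCESS reply pins the fault on the agent rather than on ssh-add. The message type numbers are those of the cited spec; the socket handling, the constructed sample reply and the function names are this example's own.

```python
import os
import socket
import struct

# Message types from PROTOCOL.agent (the v1 RSA messages ssh-add -D also sends are omitted).
SSH_AGENT_SUCCESS = 6
SSH_AGENTC_REQUEST_IDENTITIES = 11
SSH_AGENT_IDENTITIES_ANSWER = 12
SSH_AGENTC_REMOVE_ALL_IDENTITIES = 19
# Constructed sample reply: one key with a 4-byte placeholder blob and the comment from the report.
SAMPLE_ANSWER = b"\x0c\x00\x00\x00\x01\x00\x00\x00\x04blob\x00\x00\x00\x0chggdh@xango2"

def frame(msg_type, payload=b""):
    """Encode a request as ssh-add puts it on the wire: uint32 length, type byte, payload."""
    body = bytes([msg_type]) + payload
    return struct.pack(">I", len(body)) + body

def parse_identities_answer(body):
    """Return the key comments from an SSH_AGENT_IDENTITIES_ANSWER body (type byte included)."""
    if not body or body[0] != SSH_AGENT_IDENTITIES_ANSWER:
        raise ValueError("not an identities answer")
    (count,) = struct.unpack(">I", body[1:5])
    off, comments = 5, []
    for _ in range(count):
        (blob_len,) = struct.unpack(">I", body[off:off + 4])
        off += 4 + blob_len  # skip the public key blob
        (clen,) = struct.unpack(">I", body[off:off + 4])
        comments.append(body[off + 4:off + 4 + clen].decode(errors="replace"))
        off += 4 + clen
    return comments

def exchange(sock, reader, msg_type):
    """Send one request and return the agent's reply body (type byte + payload)."""
    sock.sendall(frame(msg_type))
    (length,) = struct.unpack(">I", reader.read(4))
    return reader.read(length)

def remove_all_and_verify(sock_path):
    """Send REMOVE_ALL_IDENTITIES, then list again; return (agent_said_success, keys_left)."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(sock_path)
        reader = s.makefile("rb")
        ok = exchange(s, reader, SSH_AGENTC_REMOVE_ALL_IDENTITIES)[0] == SSH_AGENT_SUCCESS
        left = parse_identities_answer(exchange(s, reader, SSH_AGENTC_REQUEST_IDENTITIES))
    return ok, left

if __name__ == "__main__":
    ok, left = remove_all_and_verify(os.environ["SSH_AUTH_SOCK"])
    print("agent replied", "SUCCESS" if ok else "FAILURE", "- keys still listed:", left)
```

A conforming agent answers SUCCESS and an empty list; an agent that answers SUCCESS but still lists keys shows the behaviour reported above, independent of which ssh-add binary is installed.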
Comment 4 Rafał Maj 2010-01-10 22:49:35 AEDT
Hmm, but killing everything reported by ps aux | grep ssh-agent and grep seahorse, including the dbus session, did not help; ssh-add -l still lists all my keys.

killall seahorse-daemon  seahorse-agent  ssh-agent

If all of these are killed, then who is still keeping my keys?
Comment 5 Martin von Wittich 2010-01-18 22:00:02 AEDT
I'm having the same issue on a Fedora 10 machine; Seahorse is not installed and ssh-agent is not running. I believe the buggy agent that is causing this is gnome-keyring-daemon.
Comment 6 Damien Miller 2010-04-16 15:49:38 AEST
Mass move of bugs RESOLVED->CLOSED following the release of openssh-5.5p1