Bug 2046

Summary: ssh-add -d does not drop certificate
Product: Portable OpenSSH Reporter: Ondrej Caletka <ondrej>
Component: ssh-add
Assignee: Damien Miller <djm>
Status: CLOSED FIXED    
Severity: trivial    
Priority: P5    
Version: 6.1p1   
Hardware: All   
OS: Linux   
Bug Depends on:    
Bug Blocks: 2035    
Attachments: Make ssh-add -d remove certificate too (flags: none)

Description Ondrej Caletka 2012-11-02 01:37:58 AEDT
When using ssh-add -d to drop keys previously learned by invoking ssh-add without arguments, only the raw key is dropped, even if there is also a certificate in ~/.ssh/id_rsa-cert.pub.

As I see it, the purpose of the -d switch is to undo the previous ssh-add command, so I think the correct behaviour is to drop the certificate as well.
Comment 1 Damien Miller 2012-11-09 10:49:41 AEDT
Created attachment 2193
Make ssh-add -d remove certificate too

Right.

It is possible to remove a cert by explicitly listing its *-cert.pub file, but this isn't symmetric with ssh-add's behaviour and is therefore not what users would reasonably expect.

This patch makes ssh-add -d remove both the plain key and the corresponding certificate. It also makes -d respect the recently-added -k option to allow selectively removing just the key.
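The three removal paths discussed in this comment, as an added shell walkthrough that is not part of the bug report or of OpenSSH's own code. It assumes ssh-keygen, ssh-agent and ssh-add from OpenSSH 6.2 or later are on PATH; the throwaway CA, the key file names, the principal "demo" and the key comments are made up for the demonstration. It loads a key whose *-cert.pub sits beside it, then shows the pre-6.2 workaround (naming the cert file explicitly), the fixed -d behaviour (key and cert both go) and -k -d (only the plain key goes).

```bash
#!/usr/bin/env bash
# Added example, not code from the bug report or from OpenSSH itself.
# Assumes ssh-keygen, ssh-agent and ssh-add (OpenSSH 6.2 or later) are
# on PATH. The CA, key file names, principal "demo" and comments are
# made up for this demonstration.

# Count agent identities whose type field is exactly "($1)", e.g.
# "(ED25519)" for the plain key and "(ED25519-CERT)" for its certificate.
count_loaded() {
    ssh-add -l 2>/dev/null | grep -c "($1)" || true
}

# Create a throwaway agent, a CA, a user key and a certificate for it in
# a temp dir. Returns 1 if the OpenSSH tools or an agent are not available.
setup_agent() {
    for t in ssh-keygen ssh-agent ssh-add; do
        command -v "$t" >/dev/null 2>&1 || return 1
    done
    WORK=$(mktemp -d) || return 1
    eval "$(ssh-agent -s)" >/dev/null || return 1
    [ -S "${SSH_AUTH_SOCK:-}" ] || return 1
    ssh-keygen -q -t ed25519 -N '' -f "$WORK/ca" -C ca-demo || return 1
    ssh-keygen -q -t ed25519 -N '' -f "$WORK/id_ed25519" -C user-demo || return 1
    # Signing the public key writes the cert to $WORK/id_ed25519-cert.pub,
    # which is where ssh-add looks for it when loading the private key.
    ssh-keygen -q -s "$WORK/ca" -I demo-cert -n demo -V +1h "$WORK/id_ed25519.pub" || return 1
}

teardown_agent() {
    ssh-agent -k >/dev/null 2>&1 || true
    [ -n "${WORK:-}" ] && rm -rf "$WORK"
    return 0
}

# Walks through the removal paths discussed in the bug; prints "ok",
# "skipped" (no OpenSSH tools) or a description of what went wrong.
demo_cert_removal() {
    setup_agent || { teardown_agent; echo skipped; return 0; }

    # 1. Loading the private key also loads id_ed25519-cert.pub: two entries.
    ssh-add "$WORK/id_ed25519" >/dev/null 2>&1
    if [ "$(count_loaded ED25519)" != 1 ] || [ "$(count_loaded ED25519-CERT)" != 1 ]; then
        teardown_agent; echo "expected key and cert after ssh-add"; return 1
    fi

    # 2. The pre-6.2 workaround: remove the cert by naming its file explicitly.
    ssh-add -d "$WORK/id_ed25519-cert.pub" >/dev/null 2>&1
    if [ "$(count_loaded ED25519-CERT)" != 0 ] || [ "$(count_loaded ED25519)" != 1 ]; then
        teardown_agent; echo "explicit -d on the cert file should drop only the cert"; return 1
    fi

    # 3. Reload, then -d on the key: with the fix this drops key and cert.
    ssh-add "$WORK/id_ed25519" >/dev/null 2>&1
    ssh-add -d "$WORK/id_ed25519" >/dev/null 2>&1
    if [ "$(count_loaded ED25519)" != 0 ] || [ "$(count_loaded ED25519-CERT)" != 0 ]; then
        teardown_agent; echo "-d on the key should drop key and cert"; return 1
    fi

    # 4. Reload, then -k -d: only the plain key goes, the cert stays loaded.
    ssh-add "$WORK/id_ed25519" >/dev/null 2>&1
    ssh-add -k -d "$WORK/id_ed25519" >/dev/null 2>&1
    if [ "$(count_loaded ED25519)" != 0 ] || [ "$(count_loaded ED25519-CERT)" != 1 ]; then
        teardown_agent; echo "-k -d should drop only the plain key"; return 1
    fi

    teardown_agent
    echo ok
}

demo_cert_removal
```

Run it in a shell where no agent you care about is in use: it starts and kills its own agent and never touches ~/.ssh. On a 6.1 or older ssh-add, step 3 reports that the cert was left behind, which is exactly the behaviour this bug describes.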
Comment 2 Damien Miller 2012-12-03 11:01:58 AEDT
Applied - this will be in openssh-6.2, due early next year
Comment 3 Damien Miller 2013-03-22 12:02:15 AEDT
mark bugs closed by openssh-6.2 release as CLOSED