Bug 413278 - Asks for SSH key passphrase although key is not in authorized_keys
Status: RESOLVED FIXED
Product: seahorse
Classification: Applications
Component: general
Version: git master
Hardware: Other Linux
Importance: Normal normal
Target Milestone: 1.0.0
Assigned To: Seahorse Maintainer
QA Contact: Seahorse Maintainer
Duplicates: 430922
Reported: 2007-02-28 23:53 UTC by Sebastian Dröge (slomo)
Modified: 2007-11-30 04:34 UTC
Description Sebastian Dröge (slomo) 2007-02-28 23:53:41 UTC
Hi,

When connecting to a server where the public key is not put in the
authorized keys, the passphrase dialog shows up, while the key won't be
used. After failing to use the key (and bothering the user with the
passphrase) ssh asks for the password.

Without seahorse as an agent, ssh doesn't ask for the passphrase in such
a situation.

Bye

Debian Bug: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=409633
Comment 1 Stef Walter 2007-03-03 21:18:33 UTC
Yes this is a problem. The seahorse SSH agent is currently a proxy for the normal ssh-agent and when it detects that: 

  a) ssh-agent has no keys loaded
  b) ssh wants some key

It tries to load all the keys. This is clearly suboptimal however it'll be hard to fix in the near term. Eventually we need to rethink how the SSH agent support is done and make it far more fine grained.
Comment 2 Christof Krüger 2007-03-13 19:36:12 UTC
I'm not sure if I should file a separate bug about it.

The problem I see is that seahorse should not pop up a GUI passphrase dialog when using ssh at the command line. Today, after typing "ssh someserver.tld" in gnome-terminal, I could not see the dialog (maybe it was invisible, maybe it was just below the console window) and I couldn't move any windows or Alt+TAB. Pressing ESC helped. Seahorse has been holding the keyboard/mouse grab at the moment.

However, my point is not the actual bug of not having the dialog displayed properly but that seahorse should not interfere with cli in the first place.
Comment 3 Stef Walter 2007-03-17 19:34:12 UTC
Christof, you can turn off this behavior under the capplet 'Encryption Preferences' on the tab 'Passphrase Cache'
Comment 4 Stef Walter 2007-05-10 23:47:32 UTC
*** Bug 430922 has been marked as a duplicate of this bug. ***
Comment 5 Josselin Mouette 2007-07-03 16:11:06 UTC
I guess the following bug has the same cause: http://bugs.debian.org/431544

  If ssh-add -l is called from the console, then seahorse tries to
  add all keys available in standard locations. That is considered bad
  behaviour cause ssh-add -l would not do this under normal conditions.

  This behaviour does only occur if seahorse is configured to
  automatically load secure shell keys. Better behaviour would be to add
  keys only if using them (e.g. ssh or scp to a machine).
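
The behaviour asked for in this thread, as an added example (not seahorse or gnome-keyring code): an agent that answers the key-listing request from public key data alone and prompts for a passphrase only when asked to sign with one specific key. Since ssh asks the agent for a signature only after the server has accepted the offered public key, a key missing from authorized_keys never reaches the prompt. The message numbers are those of the SSH agent protocol; `LazyAgent`, the `prompt` callback and the key blobs used to exercise it are hypothetical.

```python
import struct

# Message numbers from the SSH agent protocol.
SSH_AGENT_FAILURE = 5
SSH_AGENTC_REQUEST_IDENTITIES = 11
SSH_AGENT_IDENTITIES_ANSWER = 12
SSH_AGENTC_SIGN_REQUEST = 13
SSH_AGENT_SIGN_RESPONSE = 14

def ssh_string(data):
    """Encode bytes as an SSH string: uint32 length, then the bytes."""
    return struct.pack(">I", len(data)) + data

def read_string(buf, off):
    """Decode one SSH string at off; reject truncated input."""
    if off + 4 > len(buf):
        raise ValueError("truncated length")
    (n,) = struct.unpack_from(">I", buf, off)
    if off + 4 + n > len(buf):
        raise ValueError("truncated string")
    return buf[off + 4:off + 4 + n], off + 4 + n

class LazyAgent:
    """Toy agent: lists public keys freely, unlocks only the key asked to sign."""
    def __init__(self, public_keys, prompt):
        self.public_keys = public_keys  # {key blob: comment}, known without a passphrase
        self.prompt = prompt            # hypothetical passphrase callback -> bool
        self.unlocked = set()

    def handle(self, msg):
        """Handle one message body (type byte + payload, length prefix stripped)."""
        if msg[:1] == bytes([SSH_AGENTC_REQUEST_IDENTITIES]):
            out = struct.pack(">BI", SSH_AGENT_IDENTITIES_ANSWER, len(self.public_keys))
            for blob, comment in self.public_keys.items():
                out += ssh_string(blob) + ssh_string(comment)
            return out  # no prompt: listing needs no private key
        if msg[:1] == bytes([SSH_AGENTC_SIGN_REQUEST]):
            try:
                blob, off = read_string(msg, 1)
                read_string(msg, off)  # data to sign; unused by this toy
            except ValueError:
                return bytes([SSH_AGENT_FAILURE])
            if blob not in self.public_keys:
                return bytes([SSH_AGENT_FAILURE])
            if blob not in self.unlocked and not self.prompt(self.public_keys[blob]):
                return bytes([SSH_AGENT_FAILURE])
            self.unlocked.add(blob)
            return bytes([SSH_AGENT_SIGN_RESPONSE]) + ssh_string(b"constructed-signature")  # placeholder, not a real signature
        return bytes([SSH_AGENT_FAILURE])
```
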
Comment 6 Adam Schreiber 2007-07-03 16:24:39 UTC
Josselin, thanks for adding the Debian bug.  That's something I can probably track down.
Comment 7 Stef Walter 2007-08-21 02:41:34 UTC
The problem is that seahorse-agent's SSH support is a quick fix hack (mea culpa). I'm currently implementing a proper SSH agent in gnome-keyring-daemon as part of the PKCS#11 key/certificate work.

So this problem will go away by GNOME 2.22 (which is when the key/certificate store will be included in gnome-keyring).
Comment 8 Stef Walter 2007-11-28 23:33:00 UTC
gnome-keyring now has real SSH agent support in trunk. 

http://live.gnome.org/GnomeKeyring/Ssh

I'll go ahead and remove the SSH agent support from seahorse-agent. How does that sound Adam?
Comment 9 Adam Schreiber 2007-11-28 23:45:54 UTC
Sounds good to me.  Does this result in having an extra daemon running or will it still just be gnome-keyring-daemon, seahorse-agent and seahorse-daemon?
Comment 10 Stef Walter 2007-11-29 16:22:45 UTC
The hack that was once seahorse's SSH agent (really a proxy) has been laid to rest. A new proper SSH agent is available in gnome-keyring trunk (will be in 2.21.3) and I'd love feedback on it if anyone feels so inclined. 

2007-11-29  Stef Walter  <stef@memberwebs.com>

    * agent/Makefile.am:
    * agent/seahorse-agent.h:
    * agent/seahorse-agent-main.c:
    * agent/seahorse-agent-ssh.c:
    * agent/seahorse-agent-status.c:
    * data/seahorse.schemas.in:
    * libseahorse/seahorse-passphrase.c:
    * libseahorse/seahorse-prefs.glade:
    * libseahorse/seahorse-prefs-cache.c: Remove SSH agent, since a proper 
    one now exists in gnome-keyring. Fixes bug #413278

seahorse-agent still has a GPG agent running in it, but I think that in the future that can be migrated to gnome-keyring-daemon. Doing that will allow better integration with the user's login and session keyrings. Then we can have one less daemon for keys and passwords.
Comment 11 Sebastian Dröge (slomo) 2007-11-30 04:34:49 UTC
As long as it's still possible to let the GPG key passwords be cached for a configured amount of minutes and have this configured separately from the SSH/other passwords I don't see a reason to not move the GPG password caching to gnome-keyring-daemon ;) But I definitely don't want my GPG key passphrase to be cached at login time...