GNOME Bugzilla – Bug 617527
[RFE] Limit lifetime of added identities to ssh-agent
Last modified: 2018-03-10 05:10:40 UTC
(Originally filed as https://bugzilla.redhat.com/show_bug.cgi?id=588080) "There appears to be no preference available for gnome-keyring-daemon to have it destroy unlocked key materials such as ssh private keys after a certain period of elapsed or idle time. It would be nice if, like sudo, such unlocked keys were optionally time-limited. See ssh-agent -t LIFETIME."
The prompt dialog now supports this. However it's not hooked up for all SSH keys yet. In the meantime we do support lifetimes via ssh-add as well.
gnome-keyring-3.18.3-1.fc23.x86_64 I don't see any option for expiration in either gnome-keyring UI, or in the dialog that appears when I use Terminal to ssh into a server using PKA. The biggest problem I have is that it doesn't expire when the system is suspended or hibernated. So all someone has to do is bypass the screen lock, and they now have access, without any additional passwords, to any computers I have keys for. I think the equivalent of ssh-add -D needs to be used anytime the system suspends or hibernates (on a timer or manually) for sure; and ideally also anytime the lock screen timer is reached. That should be the default. If someone wants to have an override so that their keys are always unlocked anytime the user session is available, that's fine. But I'm comfortable with no UI at all, and just deleting these identities anytime there's every good reason to think the user is no longer at the computer and someone else who shouldn't have privileged access might be.
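The flush-on-suspend and flush-on-lock behaviour proposed in the comment above, written out as an added example script; this is not gnome-keyring's code and does not come from this bug. It assumes gnome-keyring's agent socket is at `$XDG_RUNTIME_DIR/keyring/ssh` when `SSH_AUTH_SOCK` is unset, that GNOME Shell emits `org.gnome.ScreenSaver.ActiveChanged(true)` when the screen locks, and that the suspend path is a systemd system-sleep hook (called as `<script> pre suspend` / `<script> post suspend`). The only agent operation used is `ssh-add -D`, which removes every loaded identity.

```shell
#!/bin/sh
# Added example (not gnome-keyring code): drop all identities from the SSH
# agent before suspend/hibernate and whenever the screen locks, so that
# bypassing the lock screen does not also hand over unlocked SSH keys.
#
# Assumptions (not from the bug report):
#   - gnome-keyring's agent socket is $XDG_RUNTIME_DIR/keyring/ssh when
#     SSH_AUTH_SOCK is not exported;
#   - GNOME Shell signals org.gnome.ScreenSaver.ActiveChanged(true) on lock;
#   - the sleep hook lives in /usr/lib/systemd/system-sleep/ and is run as
#     root with $1 = pre|post and $2 = suspend|hibernate|hybrid-sleep.

# Return codes of flush_agent_identities
FLUSH_OK=0          # identities removed
FLUSH_FAILED=1      # ssh-add ran but the agent refused or was unreachable
FLUSH_NO_AGENT=2    # no usable agent socket, nothing to do

# Locate the agent socket: prefer SSH_AUTH_SOCK, else gnome-keyring's path.
agent_socket() {
    if [ -n "${SSH_AUTH_SOCK:-}" ]; then
        printf '%s\n' "$SSH_AUTH_SOCK"
    elif [ -n "${XDG_RUNTIME_DIR:-}" ]; then
        printf '%s/keyring/ssh\n' "$XDG_RUNTIME_DIR"
    fi
}

# Equivalent of typing `ssh-add -D` in the user's session.
flush_agent_identities() {
    sock=$(agent_socket)
    [ -n "$sock" ] && [ -S "$sock" ] || return "$FLUSH_NO_AGENT"
    SSH_AUTH_SOCK="$sock" ssh-add -D >/dev/null 2>&1 || return "$FLUSH_FAILED"
    return "$FLUSH_OK"
}

# Classify one line of `gdbus monitor --session --dest org.gnome.ScreenSaver
# --object-path /org/gnome/ScreenSaver` output as locked/unlocked/ignore.
# Assumed line shape:
#   /org/gnome/ScreenSaver: org.gnome.ScreenSaver.ActiveChanged (true,)
classify_screensaver_line() {
    case "$1" in
        *org.gnome.ScreenSaver.ActiveChanged*true*)  echo locked ;;
        *org.gnome.ScreenSaver.ActiveChanged*false*) echo unlocked ;;
        *)                                          echo ignore ;;
    esac
}

# Runs inside the user session: flush the agent each time the screen locks.
watch_screen_lock() {
    gdbus monitor --session --dest org.gnome.ScreenSaver \
                  --object-path /org/gnome/ScreenSaver |
    while IFS= read -r line; do
        if [ "$(classify_screensaver_line "$line")" = locked ]; then
            flush_agent_identities
        fi
    done
}

# systemd system-sleep hook (runs as root): before sleeping, flush the
# gnome-keyring agent of every logged-in user, acting as that user so the
# agent accepts the request.
sleep_hook() {
    [ "$1" = pre ] || return 0
    for dir in /run/user/*; do
        sock="$dir/keyring/ssh"
        [ -S "$sock" ] || continue
        user=$(id -nu "${dir##*/}") || continue
        su -s /bin/sh "$user" -c "SSH_AUTH_SOCK='$sock' ssh-add -D" 2>/dev/null
    done
}

case "${1:-}" in
    pre|post)   sleep_hook "$1" ;;            # invoked by systemd-sleep
    watch-lock) watch_screen_lock ;;          # started from the user session
    flush)      flush_agent_identities ;;     # manual `ssh-add -D`
esac
```

Install the script once under `/usr/lib/systemd/system-sleep/` for the suspend/hibernate case and start it with `watch-lock` from the user session (for example via a user systemd unit or an autostart entry) for the lock-screen case; `flush_agent_identities` deliberately distinguishes "no agent socket" from "agent refused", so a hook can log the second case while ignoring the first.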
gnome-keyring should just wrap stock ssh-agent to solve this problem: https://bugzilla.gnome.org/show_bug.cgi?id=775981