Bug 549413 - Allow marking of keys as not loadable by SSH.
Status: RESOLVED OBSOLETE
Product: gnome-keyring
Classification: Core
Component: general
Version: git master
Hardware/OS: Other Linux
Priority/Severity: Normal normal
Target Milestone: 2.28
Assigned To: GNOME keyring maintainer(s)
Depends on:
Blocks:
Reported: 2008-08-26 10:53 UTC by John Clarke
Modified: 2021-06-18 10:40 UTC
See Also:
GNOME target: ---
GNOME version: ---

Description John Clarke 2008-08-26 10:53:46 UTC
Initially reported as bug 261375 in launchpad:

    https://bugs.launchpad.net/ubuntu/+source/gnome-keyring/+bug/261375

When gnome-keyring is used as the ssh-agent, "ssh-add -l" should only list keys which are actually loaded. Instead, it always lists the fingerprint of ~/.ssh/id_rsa, in addition to any loaded keys. If ~/.ssh/id_rsa is loaded, it is listed twice.

After logging in with no keys loaded:

    [johnc@loki ~/]$ ssh-add -l
    1024 9c:c3:8d:34:09:9e:4d:0f:ca:b5:aa:84:d8:6b:f7:8b (RSA)

Adding the key:

    [johnc@loki ~]$ ssh-add
    Enter passphrase for /home/johnc/.ssh/id_rsa:
    Identity added: /home/johnc/.ssh/id_rsa (/home/johnc/.ssh/id_rsa)
    [johnc@loki ~/]$ ssh-add -l
    1024 9c:c3:8d:34:09:9e:4d:0f:ca:b5:aa:84:d8:6b:f7:8b (RSA)
    1024 9c:c3:8d:34:09:9e:4d:0f:ca:b5:aa:84:d8:6b:f7:8b (RSA)

Removing all keys:

    [johnc@loki ~]$ ssh-add -D
    All identities removed.
    [johnc@loki ~/]$ ssh-add -l
    1024 9c:c3:8d:34:09:9e:4d:0f:ca:b5:aa:84:d8:6b:f7:8b (RSA)

Moving ~/.ssh/id_rsa away:

    [johnc@loki ~]$ mv .ssh/id_rsa .ssh/xxx
    [johnc@loki ~]$ ssh-add -l
    The agent has no identities.

OpenSSH's ssh-agent correctly lists only those keys which are actually loaded:

    [johnc@loki ~]$ bash
    [johnc@loki ~]$ eval `ssh-agent`
    Agent pid 24398
    [johnc@loki ~]$ ssh-add -l
    The agent has no identities.
    [johnc@loki ~]$ ssh-add
    Enter passphrase for /home/johnc/.ssh/id_rsa:
    Identity added: /home/johnc/.ssh/id_rsa (/home/johnc/.ssh/id_rsa)
    [johnc@loki ~]$ ssh-add -l
    1024 9c:c3:8d:34:09:9e:4d:0f:ca:b5:aa:84:d8:6b:f7:8b /home/johnc/.ssh/id_rsa (RSA)
    [johnc@loki ~]$ ssh-add -D
    All identities removed.
    [johnc@loki ~]$ ssh-add -l
    The agent has no identities.
Comment 1 Stef Walter 2008-08-28 02:22:03 UTC
Yes that is the behavior of the gnome-keyring SSH agent. It makes public SSH keys available for login to remote computers without you having to explicitly load them. It'll still prompt you for the password if your private key is encrypted. 

In the future a GUI will exist to change this behavior on a key by key basis. I'm reappropriating this bug to track progress on that feature.

However until then, if you'd rather have the OpenSSH manual key loading behavior, then you can disable the gnome-keyring SSH agent:

http://live.gnome.org/GnomeKeyring/Ssh



Comment 2 John Clarke 2008-08-28 02:56:09 UTC
Thanks, I know what the agent does.

It only prompts for the passphrase when loading the key, either because I run ssh-add or because I try to connect to a remote host.  It does not, and should not, prompt for the passphrase when simply listing keys.  See bug 

I can understand the agent listing the key as being available if it doesn't have a passphrase.  I'm not sure I agree with the behaviour, but I can see arguments for and against it, and there's no real harm in it :-)

If, however, the key has a passphrase, it should not be listed unless it is actually loaded into the agent.  Until it has been loaded, it is not available for use.  Showing as being available is simply wrong.
Comment 3 John Clarke 2008-08-28 03:15:08 UTC
Also, listing ~/.ssh/id_rsa twice if it is loaded is also wrong.  It should only be listed once.
Comment 4 Stef Walter 2008-08-31 18:30:30 UTC
(In reply to comment #2)
> If, however, the key has a passphrase, it should not be listed unless it is
> actually loaded into the agent.  Until it has been loaded, it is not available
> for use.  Showing as being available is simply wrong.

The way to get the gnome-keyring ssh-agent to prompt for a key password when needed (ie: automatically 'load' it), is to make the public key available for servers to use in the challenge response. This is the way SSH protocol works. 

Again, the fundamental behavior of the gnome-keyring agent is to make public keys available for authentication and load the private key later (possibly prompting for the password at that point). If you prefer a manual load behavior SSH agent then ssh-agent from openssh may be more to your liking.

That said you may have a better understanding of SSH than I. If you have code available which allows authentication to a public key without first making it available via the agent, then please post it and we can work on getting it included in gnome-keyring.
Comment 5 Daniel Richard G. 2013-02-21 21:31:24 UTC
(In reply to comment #1)
> Yes that is the behavior of the gnome-keyring SSH agent. It makes public SSH
> keys available for login to remote computers

(In reply to comment #4)
> The way to get the gnome-keyring ssh-agent to prompt for a key password when
> needed (ie: automatically 'load' it), is to make the public key available for
> servers to use in the challenge response. This is the way SSH protocol works. 

I should point out that it is the private key that is used to login to a remote computer, not the public key. The public key is what goes into the $HOME/.ssh/authorized_keys file on the remote system; it is akin to a PGP public key used to verify a digital signature [that was, of course, produced using a private key].

> Again, the fundamental behavior of the gnome-keyring agent is to make public
> keys available for authentication and load the private key later (possibly
> prompting for the password at that point).

Public keys are not used for authentication (at least not on the side that initiates an SSH connection). You can't do anything useful with them, unless you're Bob and you want to verify that Alice has the corresponding private key. It is the private keys, and the private keys alone, that are relevant to an SSH agent. I could do "rm ~/.ssh/id_*.pub" and the agent should not care.

> That said you may have a better understanding of SSH than I. If you have code
> available which allows authentication to a public key without first making it
> available via the agent, then please post it and we can work on getting it
> included in gnome-keyring.

I'd like to answer this request, but I'm not sure what is being requested...
Comment 6 Daniel Richard G. 2013-02-21 21:38:24 UTC
(In reply to comment #0)
> If ~/.ssh/id_rsa is loaded, it is listed twice.

I've noticed this too, and this appears to be the reason behind one of my own Launchpad bugs:

    https://bugs.launchpad.net/bugs/1131362
Comment 7 André Klapper 2021-06-18 10:40:44 UTC
GNOME is going to shut down bugzilla.gnome.org in favor of gitlab.gnome.org.
As part of that, we are mass-closing older open tickets in bugzilla.gnome.org
which have not seen updates for a longer time (resources are unfortunately
quite limited so not every ticket can get handled).

If you can still reproduce the situation described in this ticket in a recent
and supported software version, then please follow
  https://wiki.gnome.org/GettingInTouch/BugReportingGuidelines
and create a new ticket at
  https://gitlab.gnome.org/GNOME/gnome-keyring/-/issues/

Thank you for your understanding and your help.