Bug 617527 - [RFE] Limit lifetime of added identities to ssh-agent
Status: RESOLVED FIXED
Product: gnome-keyring
Classification: Core
Component: general
Version: 2.30.x
OS: Other Linux
Importance: Normal enhancement
Target Milestone: ---
Assigned To: GNOME keyring maintainer(s)
Depends on: 775981
Blocks:
Reported: 2010-05-03 13:53 UTC by Tomas Bzatek
Modified: 2018-03-10 05:10 UTC
See Also:
GNOME target: ---
GNOME version: ---

Description Tomas Bzatek 2010-05-03 13:53:22 UTC
(Originally filed as https://bugzilla.redhat.com/show_bug.cgi?id=588080)

"There appears to be no preference available for gnome-keyring-daemon to have it destroy unlocked key materials such as ssh private keys after a certain period of elapsed or idle time. It would be nice if, like sudo, such unlocked keys were optionally time-limited. See ssh-agent -t LIFETIME."
Comment 1 Stef Walter 2010-05-05 14:32:18 UTC
The prompt dialog now supports this. However it's not hooked up for all SSH keys yet. In the meantime we do support lifetimes via ssh-add as well.
Comment 2 Chris Murphy 2016-01-31 21:22:19 UTC
gnome-keyring-3.18.3-1.fc23.x86_64

I don't see any option for expiration in either gnome-keyring UI, or in the dialog that appears when I use Terminal to ssh into a server using PKA.

The biggest problem I have is that it doesn't expire when the system is suspended or hibernated. So all someone has to do is bypass the screen lock, and they now have access, without any additional passwords, to any computers I have keys for.

I think the equivalent of ssh-add -D needs to be used anytime the system suspends or hibernates (on a timer or manually) for sure; and ideally also anytime the lock screen timer is reached. That should be the default. If someone wants to have an override so that their keys are always unlocked anytime the user session is available, that's fine. But I'm comfortable with no UI at all, and just deleting these identities anytime there's every good reason to think the user is no longer at the computer and someone else who shouldn't have privileged access might be.
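As an added example (not part of this bug report or of gnome-keyring), the following systemd sleep hook implements the behaviour Comment 2 asks for: it runs the equivalent of `ssh-add -D` against every logged-in user's agent before the machine suspends or hibernates. It assumes a Linux host where systemd invokes executables in /usr/lib/systemd/system-sleep/ with `pre` or `post` as the first argument, that gnome-keyring exposes its agent socket at /run/user/UID/keyring/ssh, that a session-started stock ssh-agent listens at /run/user/UID/ssh-agent.socket (an assumed path), and that GNU `stat` and `runuser` are available.

```shell
#!/bin/sh
# Example sleep hook: flush SSH agent identities before suspend/hibernate.
# systemd runs this with $1 = "pre" before sleeping and $1 = "post" on resume.

RUN_USER_ROOT="${RUN_USER_ROOT:-/run/user}"   # per-user runtime dirs; overridable for tests

# True only for the phase that precedes sleep; resuming must not touch agents.
should_flush() {
    case "$1" in
        pre) return 0 ;;
        *)   return 1 ;;
    esac
}

# Print candidate agent sockets under $1, one per line. Paths are assumptions:
#   <runtime dir>/keyring/ssh        gnome-keyring's SSH agent socket
#   <runtime dir>/ssh-agent.socket   a session-started stock ssh-agent
list_agent_sockets() {
    for dir in "$1"/*; do
        [ -d "$dir" ] || continue
        for sock in "$dir/keyring/ssh" "$dir/ssh-agent.socket"; do
            [ -e "$sock" ] && printf '%s\n' "$sock"
        done
    done
    return 0
}

# Ask the agent behind socket $1 to forget all identities (ssh-add -D),
# running as the socket's owner so the agent accepts the request.
flush_socket() {
    owner=$(stat -c %U "$1" 2>/dev/null) || return 1
    SSH_AUTH_SOCK="$1" runuser -u "$owner" -- ssh-add -D >/dev/null 2>&1
}

main() {
    should_flush "$1" || return 0
    list_agent_sockets "$RUN_USER_ROOT" | while IFS= read -r sock; do
        flush_socket "$sock" && logger -t flush-ssh-agents "flushed identities via $sock"
    done
    return 0
}

main "$@"
```

Installing the script as /usr/lib/systemd/system-sleep/flush-ssh-agents (mode 0755) makes the flush happen on every suspend and hibernate; the lock-screen case from the comment needs a separate trigger, since systemd-sleep hooks only see sleep transitions.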
Comment 3 Stef Walter 2016-12-12 12:59:47 UTC
gnome-keyring should just wrap stock ssh-agent to solve this problem:

https://bugzilla.gnome.org/show_bug.cgi?id=775981