ssh-agent does not expire key

Bug #252200 reported by Pieter Ennes
This bug affects 2 people
Affects           Status  Importance  Assigned to  Milestone
openssh (Ubuntu)  New     Undecided   Unassigned

Bug Description

When I add an SSH key to ssh-agent the lifetime (-t) parameter seems to be ignored:

$ ssh-add -t 1 /home/pieter/.ssh/id_work
$ ssh-add -l
1024 76:a9:b1:c4:af:ef:b5:b9:6e:39:05:91:c9:a2:b7:89 (DSA)
$ ssh [work]
-->OK

Now I wait, and after 1 second, 1 minute, 1 hour I can still log in. However, deleting the key manually:

$ ssh-add -D
All identities removed.

does expire the key correctly:
$ ssh [work]
Permission denied (publickey).

This is risky when you lose a laptop, since the thief has infinite time to log in to your hosts. The key should expire after the set expiry time...

Environment:
$ lsb_release -rd
Description: Ubuntu 8.04.1
Release: 8.04

$ apt-cache policy openssh-client
openssh-client:
  Installed: 1:4.7p1-8ubuntu1.2
  Candidate: 1:4.7p1-8ubuntu1.2
  Version table:
 *** 1:4.7p1-8ubuntu1.2 0
        500 http://nl.archive.ubuntu.com hardy-updates/main Packages
        500 http://security.ubuntu.com hardy-security/main Packages
        100 /var/lib/dpkg/status
     1:4.7p1-8ubuntu1 0
        500 http://nl.archive.ubuntu.com hardy/main Packages

Christopher Armstrong (radix) wrote :

I can confirm this. It's been like this at least since Hardy.

Kenny Millington (kmdm) wrote :

This bug is more than likely a duplicate of: #209447

Can the OP or Chris provide echo $SSH_AUTH_SOCK so we can confirm gnome-keyring-daemon is in fact being used?

Pieter Ennes (skion) wrote :

Sure:
$ echo $SSH_AUTH_SOCK
/tmp/keyring-6K7vCX/ssh

(currently on intrepid)

Kenny Millington (kmdm) wrote :

That's certainly gnome-keyring's socket.

I'm going to go ahead and mark this bug as a duplicate; for a workaround please see bug: #209447.

The workaround involves resetting your ssh-agent back to the standard one and not gnome-keyring.

However Intrepid introduced a further bug which stops you from doing this, so for a further workaround you'll also need to see bug: #275010

Hope this helps!
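
The diagnosis in this thread (the socket in $SSH_AUTH_SOCK belongs to gnome-keyring, not to OpenSSH's ssh-agent) can be turned into a check. The following is an added example, not part of the bug report or of OpenSSH: the function names are hypothetical, the socket path patterns are naming-convention heuristics (the /tmp/keyring-*/ssh form is the one shown above; the other two are assumptions about common defaults), and the probe uses a throwaway key so no real identity is touched.

```shell
#!/bin/sh
# Added example: identify the agent behind a socket path and verify that
# it really drops a key after the lifetime given with `ssh-add -t`.

# Classify an agent socket path by naming convention (heuristic only).
agent_kind() {
    case "$1" in
        "")                             echo none ;;
        */keyring-*/ssh|*/keyring/ssh)  echo gnome-keyring ;;
        */ssh-*/agent.*)                echo openssh ;;
        *)                              echo unknown ;;
    esac
}

# Behavioural probe against the agent behind $SSH_AUTH_SOCK.
# Returns 0 if a 1-second key expired, 1 if it is still loaded
# (lifetime ignored), 2 if the probe could not run.
lifetime_honoured() {
    [ -n "${SSH_AUTH_SOCK:-}" ] || return 2
    dir=$(mktemp -d) || return 2
    # Throwaway key, empty passphrase, default key type.
    ssh-keygen -q -N '' -f "$dir/probe" || { rm -rf "$dir"; return 2; }
    fp=$(ssh-keygen -lf "$dir/probe.pub" | awk '{print $2}')
    if ! ssh-add -t 1 "$dir/probe" 2>/dev/null; then
        rm -rf "$dir"; return 2
    fi
    sleep 3   # comfortably past the 1-second lifetime
    if ssh-add -l 2>/dev/null | grep -qF -- "$fp"; then
        # Still listed: remove the probe key by hand, then report failure.
        ssh-add -d "$dir/probe.pub" >/dev/null 2>&1 || true
        rm -rf "$dir"; return 1
    fi
    rm -rf "$dir"; return 0
}
```

Source the file, then run `agent_kind "$SSH_AUTH_SOCK"` followed by `lifetime_honoured; echo $?` in the desktop session you want to check.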
