gnome-keyring has unusual behaviour compared to ssh-agent
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
gnome-keyring (Ubuntu) |
Invalid
|
Medium
|
Ubuntu Desktop Bugs |
Bug Description
Using gnome-keyring-
Firstly, the output of an "ssh-add -l" reports the private key is already loaded as soon as you login. In actual fact, the first time you try to do something that requires use of it, a passphrase dialog is popped up. Fair enough.
"ssh-add -D" does what you'd expect, except the output of "ssh-add -l" is unchanged. i.e. it still reports the key as being loaded. Subsequent key access reprompts for the passphrase, so the behaviour of "ssh-add -D" is correct, but the output of "ssh-add -l" is somewhat counter-intuitive.
Explicitly calling ssh-add, adds my DSA key a second time, as well as my RSA1, which was omitted at login. So now "ssh-add -l" lists my key twice. Subsequently calling "ssh-add -D" removes the keys explicitly added by ssh-add, but leaves the original DSA key that was presumably added at login.
I can see all of this behaviour breaking scripts that want to interrogate the SSH agent to determine if keys are loaded or not. Previously, if a key appeared in the output of "ssh-add -l", it could be assumed to be accessible, now, that isn't the case.
apollock@
Enter passphrase for /home/apollock/
Identity added: /home/apollock/
Identity added: /home/apollock/
apollock@
1024 37:25:54:
1024 00:f7:e3:
1024 00:f7:e3:
apollock@
All identities removed.
apollock@
1024 00:f7:e3:
I have also noticed confusing behavior on the part of ssh-agent and ssh-add now that gnome-keyring is intervening in the management of ssh keys. Packages:
gnome-keyring 2.22.1-1 manager 2.20.0-0ubuntu2
gnome-keyring-
openssh-client 1:4.7p1-8ubuntu1
Here's a scenario. I've replaced all actual fingerprints with [fingerprint1]. (It's been a while since I've read the details of public key crypto so I don't remember what is sensitive from what is not. I don't know whether fingerprints are sensitive... Better safe than sorry.)
1.
$ ssh-add -l
[ssh-add gnome-keyring pops a dialog asking for a password. I enter the password for my ssh identities.]
1024 [fingerprint1] (DSA)
2.
$ ssh-add -l
1024 [fingerprint1] (DSA)
3.
$ ssh-add -D
All identities removed.
4.
$ ssh-add -l
1024 [fingerprint1] (DSA)
5.
$ ssh [to some host for which the key listed by ssh-add -l should allow login]
[At this point ssh asks for the password to unlock the key listed in step 4!]
I see two problems:
A. Like Andrew reported, deleting a key with ssh-add -D does delete it from the agent, as evidenced by steps 3 and 5, but it is still listed as present (step 4)! This breaks some of my scripts which rely on ssh-add -l to know whether a key is present or not.
B. When there are no keys whatsoever in the agent, in step 1 above, running "ssh-add -l" makes gnome-keyring ask for a password. This also breaks scripts which are supposed to run non-interactively. I've designed my scripts to fail silently if the needed keys are missing. (It makes sense to do that for the purposes I have with those scripts.) But the way ssh-add and gnome-keyring interact my scripts are no longer able to fail silently. I get a prompt in my face when they try to check whether keys are present.