Comment 1 for bug 214679

Louis-Dominique Dubeau (ldd) wrote :

I have also noticed confusing behavior on the part of ssh-agent and ssh-add now that gnome-keyring is intervening in the management of ssh keys. Packages:

gnome-keyring 2.22.1-1
gnome-keyring-manager 2.20.0-0ubuntu2
openssh-client 1:4.7p1-8ubuntu1

Here's a scenario. I've replaced all actual fingerprints with [fingerprint1]. (It's been a while since I've read the details of public key crypto so I don't remember what is sensitive from what is not. I don't know whether fingerprints are sensitive... Better safe than sorry.)

1.

$ ssh-add -l
[ssh-add gnome-keyring pops a dialog asking for a password. I enter the password for my ssh identities.]
1024 [fingerprint1] (DSA)

2.

$ ssh-add -l
1024 [fingerprint1] (DSA)

3.

$ ssh-add -D
All identities removed.

4.

$ ssh-add -l
1024 [fingerprint1] (DSA)

5.

$ ssh [to some host for which the key listed by ssh-add -l should allow login]
[At this point ssh asks for the password to unlock the key listed in step 4!]

I see two problems:

A. As Andrew reported, deleting a key with ssh-add -D does delete it from the agent, as evidenced by steps 3 and 5, but it is still listed as present (step 4)! This breaks some of my scripts which rely on ssh-add -l to know whether a key is present or not.

B. When there are no keys whatsoever in the agent, as in step 1 above, running "ssh-add -l" makes gnome-keyring ask for a password. This also breaks scripts which are supposed to run non-interactively. I've designed my scripts to fail silently if the needed keys are missing. (It makes sense to do that for the purposes I have with those scripts.) But because of the way ssh-add and gnome-keyring interact, my scripts are no longer able to fail silently. I get a prompt in my face when they try to check whether keys are present.
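As an added example (not part of this bug comment), a POSIX shell sketch of how a script can test for a usable key without trusting the output of ssh-add -l alone: it separates the agent's exit status, the listed fingerprints, and an actual non-interactive login attempt. The fingerprint strings and the host name are placeholders, not values from the report.

```shell
#!/bin/sh
# Added example; not code from the bug report or from openssh/gnome-keyring.

# ssh-add -l exit status: 0 = agent has identities, 1 = agent has none,
# 2 = could not contact an agent. Written to be safe under `set -e`.
agent_state() {
    rc=0
    # stdin from /dev/null so a terminal passphrase prompt cannot block the script;
    # a GUI dialog raised by the agent itself (as gnome-keyring does) is not
    # controlled by ssh-add and may still appear.
    ssh-add -l </dev/null >/dev/null 2>&1 || rc=$?
    case $rc in
        0) echo loaded ;;
        1) echo empty ;;
        *) echo no-agent ;;
    esac
}

# Pure helper: read `ssh-add -l` output on stdin and print "yes" if the given
# fingerprint (second field of a line, e.g. "[fingerprint1]") is listed, else "no".
listed_in() {
    awk -v fp="$1" '$2 == fp { found = 1 } END { print (found ? "yes" : "no") }'
}

# Authoritative check: the listing can be stale (report step 4), so try the login.
# BatchMode=yes makes ssh fail instead of asking for a passphrase or password;
# exit status 0 means the key in the agent really authenticated us.
key_works() {
    ssh -o BatchMode=yes -o ConnectTimeout=5 "$1" true </dev/null >/dev/null 2>&1
}

# Usage when run directly: key_check.sh '<fingerprint>' user@host
if [ $# -eq 2 ]; then
    state=$(agent_state)
    listed=$(ssh-add -l </dev/null 2>/dev/null | listed_in "$1")
    if [ "$state" = loaded ] && [ "$listed" = yes ] && key_works "$2"; then
        echo "key $1 is loaded and usable for $2"
    else
        # fail quietly but informatively, as the report's scripts are meant to
        echo "key $1 unusable (agent: $state, listed: $listed)" >&2
        exit 1
    fi
fi
```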