
ssh-add -D does not return an error as it should.
Closed, Wontfix | Public

Description

gnupg-agent when run with --enable-ssh-support doesn't seem to have any easy way to 'forget' ssh keys and smartcard PINs.

From the man page you would think sending a SIGHUP would do it, but it doesn't seem to have any effect.

Additionally, 'ssh-add -D' says it deleted all identities, but they just reappear when you next use ssh.

You can do:

gpg-connect-agent "SCD KILLSCD" "SCD BYE" /bye

to get it to re-ask your PIN for the key, but that's hardly user friendly.

Event Timeline

t8m created this object in space S1 Public.
justus triaged this task as Normal priority. Jul 18 2017, 3:40 PM
justus edited projects, added gnupg (gpg22), Documentation; removed gnupg (gpg21).
justus added a subscriber: justus.

There are two issues here.

gnupg-agent when run with --enable-ssh-support doesn't seem to have any easy way to 'forget' ssh keys and smartcard PINs.

From the man page you would think sending a SIGHUP would do it, but it doesn't seem to have any effect.
[...]
You can do:

gpg-connect-agent "SCD KILLSCD" "SCD BYE" /bye

to get it to re-ask your PIN for the key, but that's hardly user friendly.

From this I gather that you are using a key stored on a smart card. Then, it is the smart card daemon that caches the passphrase, not gpg-agent.

Additionally, 'ssh-add -D' says it deleted all identities, but they just reappear when you next use ssh.

I agree that it should not signal success when it did in fact nothing. The interesting question here is: What should gpg-agent do?

  • ssh-agent is stateless, it is started without any keys, and then keys can be added and removed from it.
  • gpg-agent has state. When started, it reads keys from the disk, you can add keys to it, but removing keys is a bit problematic, because gpg-agent does not know whether the key you added is part of other keys.

Note that you can do

gpg-connect-agent 'keyinfo --ssh-list' /bye

to list all ssh keys known to gpg-agent. Use 'help keyinfo' for other listing options. To delete a key you would then use

gpg-connect-agent 'delete_key KEYGRIP' /bye

The keygrip is what keyinfo shows you.

But that is not very user friendly. I wasn't aware of that way to list and delete keys for example.

We could honor ssh-add -d and ssh-add -D by disabling the keys in sshcontrol.
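The list-then-delete workflow justus describes above, as an added example that is not GnuPG's own code: it parses KEYINFO status lines from 'keyinfo --ssh-list', turns them into 'delete_key KEYGRIP' commands, and keeps the smartcard case separate because scdaemon, not gpg-agent, caches the PIN. The sample listing is constructed (made-up keygrips and card serial); the live functions assume gpg-connect-agent is on PATH and the agent runs with --enable-ssh-support.

```sh
#!/bin/sh
# Added example, not part of GnuPG: emulate what "ssh-add -D" would mean for gpg-agent
# by listing the agent's ssh keys with KEYINFO --ssh-list and deleting them by keygrip.
# Assumes gpg-connect-agent is on PATH and the agent runs with --enable-ssh-support.

# Constructed sample of `gpg-connect-agent 'keyinfo --ssh-list' /bye` output (keygrips and
# card serial are made up). Field layout of a KEYINFO status line:
#   keygrip  type  serialno  idstr  cached  protection  fpr  ttl  flags
# where type D = private key on disk, T = key on a token (smartcard), X = missing.
SAMPLE_KEYINFO='S KEYINFO 0123456789ABCDEF0123456789ABCDEF01234567 D - - 1 P - - -
S KEYINFO FEDCBA9876543210FEDCBA9876543210FEDCBA98 T D2760001240102010006000000010000 OPENPGP.3 - - - - -
OK'

# Read keyinfo output on stdin and print one 40-hex-digit keygrip per line.
# Optional $1 restricts to one key type (e.g. "D" so that card stubs are left alone).
ssh_keygrips() {
    awk -v want="${1:-}" '
        $1 == "S" && $2 == "KEYINFO" && length($3) == 40 && (want == "" || $4 == want) { print $3 }'
}

# Turn a keyinfo listing on stdin into the delete_key commands gpg-connect-agent expects.
# Without --force, gpg-agent asks for confirmation through pinentry before each deletion.
delete_commands() {
    ssh_keygrips "$1" | while IFS= read -r grip; do
        printf 'delete_key %s\n' "$grip"
    done
}

# Delete all on-disk ssh keys known to the running agent ("run"), or just show what would be sent.
forget_ssh_keys() {
    mode="${1:-dry-run}"
    listing=$(gpg-connect-agent 'keyinfo --ssh-list' /bye) || return 1
    cmds=$(printf '%s\n' "$listing" | delete_commands D)
    [ -n "$cmds" ] || { echo "no on-disk ssh keys known to gpg-agent"; return 0; }
    if [ "$mode" = run ]; then
        printf '%s\n' "$cmds" | gpg-connect-agent   # commands are read from stdin
    else
        printf '%s\n' "$cmds"
    fi
}

# Smartcard PINs are cached by scdaemon, not gpg-agent, so a card key needs the
# KILLSCD route from the report instead of delete_key.
forget_card_pin() {
    gpg-connect-agent "SCD KILLSCD" "SCD BYE" /bye
}

# Dry run over the constructed sample, so the script shows its output without an agent present.
printf '%s\n' "$SAMPLE_KEYINFO" | delete_commands D
```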

werner claimed this task.

No. gpg-agent is a different implementation of the ssh-agent protocol than ssh-agent. Making the keys persistent is on purpose.

There is also the confirm flag in ~/.gnupg/sshcontrol - see the FILES section in gpg-agent(1)

No. gpg-agent is a different implementation of the ssh-agent protocol than ssh-agent. Making the keys persistent is on purpose.

I understand that. However, if the user does 'ssh-add -D' -- 'Deletes all identities from the agent.', we signal success while doing nothing. That seems wrong.

We could either

  • disable the key for the use of ssh (in the spirit of deleting the identities from the agent), or
  • signal an error, simply because we do not support this operation.
werner lowered the priority of this task from Normal to Wishlist. Oct 24 2017, 9:00 AM
werner edited projects, added gnupg (gpg23); removed gnupg (gpg22).

We could signal an error. However, that would break existing behaviour and can only be done for 2.3.

werner renamed this task from "gnupg-agent ignores SIGHUP in ssh-agent mode" to "ssh-add -D does not return an error as it should.". Oct 24 2017, 9:00 AM
werner removed werner as the assignee of this task.
werner claimed this task.

Won't be done because the expectations of users are different on whether they use ssh-agent or gpg-agent. And it breaks scripts.