Debian Bug report logs - #472477
ssh-add -D does not remove SSH key from gnome-keyring-daemon memory
Report forwarded to debian-bugs-dist@lists.debian.org, Ondřej Surý <ondrej@debian.org>:
Bug#472477; Package gnome-keyring.
Acknowledgement sent to Arnaud Cornet <acornet@debian.org>:
New Bug report received and forwarded. Copy sent to Ondřej Surý <ondrej@debian.org>.
Message #5 received at submit@bugs.debian.org:
Package: gnome-keyring
Version: 2.22.0-2
Severity: important
Steps to reproduce:
# ssh-add -l
1024 XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX
# ssh-add -D
All identities removed.
# ssh-add -l
1024 XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX
I am still able to log in with this key afterwards.
This is a security issue since gnome-keyring-daemon seems to have
transparently taken over ssh-agent. One might think his key is unloaded
after a ssh-add -D while it's not.
I cannot even find a way to remove the key in gnome-keyring-manager GUI.
-- System Information:
Debian Release: lenny/sid
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.24-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages gnome-keyring depends on:
ii gconf2 2.22.0-1 GNOME configuration database syste
ii libatk1.0-0 1.22.0-1 The ATK accessibility toolkit
ii libc6 2.7-9 GNU C Library: Shared libraries
ii libcairo2 1.4.14-1 The Cairo 2D vector graphics libra
ii libdbus-1-3 1.1.20-1 simple interprocess messaging syst
ii libgconf2-4 2.22.0-1 GNOME configuration database syste
ii libgcrypt11 1.4.0-3 LGPL Crypto library - runtime libr
ii libglib2.0-0 2.16.1-2 The GLib library of C routines
ii libgtk2.0-0 2.12.9-2 The GTK+ graphical user interface
ii libhal-storage1 0.5.11~rc2-1 Hardware Abstraction Layer - share
ii libhal1 0.5.11~rc2-1 Hardware Abstraction Layer - share
ii libpango1.0-0 1.20.0-1 Layout and rendering of internatio
ii libtasn1-3 1.3-1 Manage ASN.1 structures (runtime)
Versions of packages gnome-keyring recommends:
ii libpam-gnome-keyring 2.22.0-2 PAM module to unlock the GNOME key
-- no debconf information
Information forwarded to debian-bugs-dist@lists.debian.org, Ondřej Surý <ondrej@debian.org>:
Bug#472477; Package gnome-keyring.
Acknowledgement sent to Loïc Minier <lool@dooz.org>:
Extra info received and forwarded to list. Copy sent to Ondřej Surý <ondrej@debian.org>.
Message #10 received at 472477@bugs.debian.org:
On Mon, Mar 24, 2008, Arnaud Cornet wrote:
> Steps to reproduce:
> # ssh-add -l
> 1024 XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX
> # ssh-add -D
> All identities removed.
> # ssh-add -l
> 1024 XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX
>
> I am still able to log in with this key afterwards.
>
> This is a security issue since gnome-keyring-daemon seems to have
> transparently taken over ssh-agent. One might think his key is unloaded
> after a ssh-add -D while it's not.
>
> I cannot even find a way to remove the key in gnome-keyring-manager GUI.
Are you sure "ssh-add -D" above is removing keys from g-k? I wonder
whether it could be removing keys from ssh-agent but ssh-add -l would
list them from g-k. You could try unsetting the gconf key for the ssh
component of g-k.
--
Loïc Minier
Information forwarded to debian-bugs-dist@lists.debian.org, Ondřej Surý <ondrej@debian.org>:
Bug#472477; Package gnome-keyring.
Acknowledgement sent to Arnaud Cornet <acornet@debian.org>:
Extra info received and forwarded to list. Copy sent to Ondřej Surý <ondrej@debian.org>.
Message #15 received at 472477@bugs.debian.org:
> Are you sure "ssh-add -D" above is removing keys from g-k? I wonder
> whether it could be removing keys from ssh-agent but ssh-add -l would
> list them from g-k.
ssh-agent was not running during the test.
ssh-add says the key is removed, but it is still in g-k.
Information forwarded to debian-bugs-dist@lists.debian.org, Josselin Mouette <joss@debian.org>:
Bug#472477; Package gnome-keyring.
(Tue, 04 May 2010 09:00:20 GMT)
Acknowledgement sent to Stéphane Glondu <steph@glondu.net>:
Extra info received and forwarded to list. Copy sent to Josselin Mouette <joss@debian.org>.
(Tue, 04 May 2010 09:00:20 GMT)
Message #20 received at 472477@bugs.debian.org:
Any news on this bug? It is still relevant with gnome-keyring 2.30...
--
Stéphane
Information forwarded to debian-bugs-dist@lists.debian.org, Josselin Mouette <joss@debian.org>:
Bug#472477; Package gnome-keyring.
(Fri, 27 Jan 2012 16:45:14 GMT)
Acknowledgement sent to "C. Scott Ananian" <cscott@cscott.net>:
Extra info received and forwarded to list. Copy sent to Josselin Mouette <joss@debian.org>.
(Fri, 27 Jan 2012 16:45:14 GMT)
Message #25 received at 472477@bugs.debian.org:
Ping? It's been almost four years now, and this bug is still present.
It's causing me troubles with github ssh.
--scott
--
( http://cscott.net/ )
Reply sent to Michael Biebl <biebl@debian.org>:
You have taken responsibility.
(Fri, 27 Jan 2012 16:57:10 GMT)
Notification sent to Arnaud Cornet <acornet@debian.org>:
Bug acknowledged by developer.
(Fri, 27 Jan 2012 16:57:10 GMT)
Message #30 received at 472477-done@bugs.debian.org:
Version: 3.2.2-2
On 27.01.2012 17:41, C. Scott Ananian wrote:
> Ping? It's been almost four years now, and this bug is still present.
> It's causing me troubles with github ssh.
Works fine with gnome-keyring.
--
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?
Information forwarded to debian-bugs-dist@lists.debian.org, Josselin Mouette <joss@debian.org>:
Bug#472477; Package gnome-keyring.
(Fri, 27 Jan 2012 17:03:03 GMT)
Acknowledgement sent to "C. Scott Ananian" <cscott@cscott.net>:
Extra info received and forwarded to list. Copy sent to Josselin Mouette <joss@debian.org>.
(Fri, 27 Jan 2012 17:03:03 GMT)
Message #35 received at 472477@bugs.debian.org:
On Fri, Jan 27, 2012 at 11:52 AM, Michael Biebl <biebl@debian.org> wrote:
> Version: 3.2.2-2
> On 27.01.2012 17:41, C. Scott Ananian wrote:
>> Ping? It's been almost four years now, and this bug is still present.
>> It's causing me troubles with github ssh.
>
> Works fine with gnome-keyring.
Perhaps you don't understand.
According to http://live.gnome.org/GnomeKeyring/Ssh (the only
documentation I could find), ssh-add -d/-D deletes only *manually
added* keys from gnome-keyring. There is no way to delete
automatically added keys. This is the original bug, and it's still
definitely present.
So, for example, if you have two different automatically-loaded ssh
identities associated with two different github accounts -- say for
work and for home -- there's *no way* to switch between them. github
takes the first one which matches, so you always appear as your 'home'
user to github, with no way to upload things to work projects.
Allowing ssh-add -d to apply to automatically-loaded keys (and ssh-add
-t X to change the lifetime of automatically-loaded keys), would
restore the behavior most users expect.
--scott
--
( http://cscott.net/ )
Bug Marked as found in versions gnome-keyring/3.2.2-2 and reopened.
Request was from Michael Biebl <biebl@debian.org> to control@bugs.debian.org.
(Fri, 27 Jan 2012 17:03:09 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Josselin Mouette <joss@debian.org>:
Bug#472477; Package gnome-keyring.
(Fri, 05 Oct 2012 17:48:06 GMT)
Acknowledgement sent to Ivan Alagenchev <iga8nm@virginia.edu>:
Extra info received and forwarded to list. Copy sent to Josselin Mouette <joss@debian.org>.
(Fri, 05 Oct 2012 17:48:06 GMT)
Message #42 received at 472477@bugs.debian.org:
This bug is present for me too. It's preventing me from using github. Is
there a workaround in the meantime?
I'm a developer, where would one go about donating some time to
resolving this issue?
I also think the severity should be raised since this is both a major
security flaw and also a serious blocker for github users.
Ivan
Information forwarded to debian-bugs-dist@lists.debian.org, Josselin Mouette <joss@debian.org>:
Bug#472477; Package gnome-keyring.
(Fri, 05 Oct 2012 17:57:03 GMT)
Acknowledgement sent to Ivan Alagenchev <iga8nm@virginia.edu>:
Extra info received and forwarded to list. Copy sent to Josselin Mouette <joss@debian.org>.
(Fri, 05 Oct 2012 17:57:03 GMT)
Message #47 received at 472477@bugs.debian.org:
Here is how I managed to work around this problem.
Do ssh-add -D to delete all your manually added keys. This also locks
the automatically added keys, but is not much use since gnome-keyring
will ask you to unlock them anyways when you try doing a git push.
Navigate to your ~/.ssh folder and move all your key files except the
one you want to identify with into a separate folder called backup. If
necessary you can also open seahorse and delete the keys from there.
Now you should be able to do git push without a problem.
Ivan
No longer marked as fixed in versions 3.2.2-2.
Request was from Andreas Beckmann <anbe@debian.org> to control@bugs.debian.org.
(Sun, 24 Nov 2013 20:39:41 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Josselin Mouette <joss@debian.org>:
Bug#472477; Package gnome-keyring.
(Fri, 19 Sep 2014 19:39:10 GMT)
Acknowledgement sent to Pedro Beja <althaser@gmail.com>:
Extra info received and forwarded to list. Copy sent to Josselin Mouette <joss@debian.org>.
(Fri, 19 Sep 2014 19:39:10 GMT)
Message #54 received at 472477@bugs.debian.org:
Hey,
this is an old bug.
Could you please still reproduce this issue with newer gnome-keyring
version like 3.4.1-5 or 3.12.2-1 ?
thanks
regards
althaser
Information forwarded to debian-bugs-dist@lists.debian.org, Josselin Mouette <joss@debian.org>:
Bug#472477; Package gnome-keyring.
(Wed, 05 Nov 2014 17:54:04 GMT)
Acknowledgement sent to Neil Mayhew <neil_mayhew@sil.org>:
Extra info received and forwarded to list. Copy sent to Josselin Mouette <joss@debian.org>.
(Wed, 05 Nov 2014 17:54:04 GMT)
Message #59 received at 472477@bugs.debian.org:
On Fri, 19 Sep 2014 20:35:41 +0100 Pedro Beja <althaser@gmail.com> wrote:
> this is an old bug.
>
> Could you please still reproduce this issue with newer gnome-keyring
> version like 3.4.1-5 or 3.12.2-1 ?
Still happening with gnome-keyring 3.14.0-1+b1 and openssh-client
1:6.7p1-2 on jessie.
$ echo $SSH_AUTH_SOCK
/run/user/1000/keyring/ssh
Last modified: Wed Jan 3 16:39:02 2018