19

A short time ago I noticed that there were three keys in my ssh-agent that I could not delete. ssh-add -l showed three keys; I ran ssh-add -D, and was told "All identities removed."; but then an immediate ssh-add -l showed the same three keys.

If I log out and then back in, the keys are still there. If I reboot the machine, the keys are still there. If I delete the keyring directory in /tmp, I can't connect to ssh-agent any more, but upon logging out and back in, the keys are back. They are invulnerable.

The keys are mine, not anyone else's, as far as I can tell. I can access my usual local services with them. But when I add one of the keys again with ssh-add, giving the path to a private key file, the new key has a different appearance in the output of ssh-add -l:

2048 00:01:02:03:04:05:06:07:08:09:0a:0b:0c:0d:0e:0f /home/jruser/.ssh/jruser-keyname-20110418 (RSA)

vs. the original:

2048 00:01:02:03:04:05:06:07:08:09:0a:0b:0c:0d:0e:0f jruser 04/18/2011 keyname (RSA)

Is there any way to sensibly account for this behavior? I guess there are really two questions:

  1. How did the keys manage to be retained even across reboots? My basic knowledge of ssh suggests that keys always have to be added manually.

  2. Why does ssh-agent -D lie to me about removing identities?

Sean
  • 1,734
  • 2
  • 15
  • 15

2 Answers

13

It looks like it might be a bug. I am having similar behavior in Ubuntu 10.10. A Google search found a bug report for Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=472477

To remove the extra keys I had showing, I just moved them out of the ~/.ssh directory.

mp3foley
  • 246
  • 1
  • 5
  • Yes! This works for me. Thanks! I use Debian Wheezy beta 4. – Tarrasch Mar 12 '13 at 01:03
  • 4
    Finally buckled down and investigated. The culprit is gnome-keyring-daemon, which a) automatically loads all keys in ~/.ssh, and b) refuses to relinquish them. The solution is to keep gnome-keyring-manager from ever starting up, which was strangely difficult but finally achieved by removing the program file's execute permission. – Sean May 25 '13 at 20:25
  • Is there a solution to this which _doesn't_ involve hobbling gnome-keyring-manager? ie, fixing gnome-keyring-manager so it deletes keys it's told to? – Phil Feb 15 '17 at 10:17
  • 2
    It is 2018 and this is still relevant. Have to move the keys out of ~/.ssh – Carson Ip Aug 23 '18 at 04:16
  • 1
    Wow. Remove the keys from ~/.ssh and put them in another directory as @CarsonIp mentioned and then use an ssh-agent command in your bashrc to manually load the extra ssh keys from the other directory. PIMA! – akahunahi Feb 19 '19 at 23:08
  • 1
    Ran into this still in 2019, turns out you can disable just the ssh-agent functionality of gnome-keyring, see the section "Disable keyring daemon components" here: https://wiki.archlinux.org/index.php/GNOME/Keyring#SSH_keys – mletterle Jul 05 '19 at 14:23
  • Deleting the `id_rsa` and `id_rsa.pub` files didn't work for me. Turns out gpg-agent was caching them in a `~/.gnupg/sshcontrol` file; I had to manually delete them from there. – Ryan Lue Jan 28 '20 at 07:05
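The workaround described in this answer and its comments (move the keys out of ~/.ssh so the keyring daemon stops auto-loading them, then add them explicitly from a shell startup file) as an added POSIX shell example, not code from the original thread. It assumes the usual gnome-keyring socket locations (/run/user/<uid>/keyring/ssh, or ~/.cache/keyring-*/ssh on older releases), a plain ssh-agent socket under /tmp/ssh-*/agent.*, and the "bits fingerprint comment (TYPE)" line format of ssh-add -l; the destination directory name ~/.ssh-manual is likewise an assumption.

```shell
#!/bin/sh
# Added example, not from the original post. Socket path patterns and the
# ~/.ssh-manual directory are assumptions about a typical gnome-keyring setup.

# Report which program most likely owns the agent socket in SSH_AUTH_SOCK.
# gnome-keyring publishes */keyring/ssh (older: */keyring-*/ssh); a plain
# ssh-agent uses /tmp/ssh-XXXXXX/agent.<pid>.
classify_agent_socket() {
    case "$1" in
        "")                            echo "none" ;;
        */keyring/ssh|*/keyring-*/ssh) echo "gnome-keyring" ;;
        /tmp/ssh-*/agent.*)            echo "ssh-agent" ;;
        *)                             echo "unknown" ;;
    esac
}

# Count identity lines in "ssh-add -l" output read from stdin, so a script
# can check whether "ssh-add -D" really emptied the agent. The line
# "The agent has no identities." does not match and yields 0.
count_listed_identities() {
    grep -c '^[0-9][0-9]* [A-Za-z0-9:+/=]* .* ([A-Z0-9-]*)$' || true
}

# Move private keys (and their .pub files) out of a directory the keyring
# daemon scans into one it ignores, setting conventional permissions.
# Usage: relocate_keys SRC_DIR DEST_DIR key_name [key_name...]
relocate_keys() {
    src=$1; dest=$2; shift 2
    mkdir -p "$dest" && chmod 700 "$dest" || return 1
    for name in "$@"; do
        [ -f "$src/$name" ] || { echo "missing: $src/$name" >&2; return 1; }
        mv "$src/$name" "$dest/$name" && chmod 600 "$dest/$name" || return 1
        if [ -f "$src/$name.pub" ]; then
            mv "$src/$name.pub" "$dest/$name.pub" && chmod 644 "$dest/$name.pub"
        fi
    done
}

# Add every private key in DIR to the running agent explicitly; this is the
# line a ~/.bashrc would carry after the keys have been relocated.
load_keys_from() {
    command -v ssh-add >/dev/null 2>&1 || { echo "ssh-add not found" >&2; return 1; }
    for key in "$1"/*; do
        case "$key" in *.pub) continue ;; esac
        if [ -f "$key" ]; then ssh-add "$key"; fi
    done
}

# Stand-alone run: say which agent is behind the current session's socket.
echo "SSH_AUTH_SOCK=${SSH_AUTH_SOCK:-<unset>} -> $(classify_agent_socket "${SSH_AUTH_SOCK:-}")"
# Typical use after sourcing this file (paths are assumptions):
#   relocate_keys "$HOME/.ssh" "$HOME/.ssh-manual" jruser-keyname-20110418
#   load_keys_from "$HOME/.ssh-manual"
```

If classify_agent_socket reports gnome-keyring, the listing you see from ssh-add -l comes from the keyring daemon rather than from a stock ssh-agent, which is the situation the question describes; relocating the keys and loading them with load_keys_from is the per-user fix, while disabling the keyring's SSH component (the Arch wiki link in the comments) fixes it system-wide.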
3

Your keys are stored as files in the hidden directory /home/jruser/.ssh/; that's how they persist after reboots. My guess is that ssh-add -D is deleting them from memory, but when you reboot they are read from the .ssh directory and so you have them again.

pbsmind
  • 141
  • 3