ssh-add -D has no effect

Question

I have several keys registered:

$ ssh-add -l
4096 cd:43:96:9e:0c:9a:38:ae:d9:96:f0:c5:d1:bf:9d:96 alex@sunny2 (RSA)
2048 4c:eb:fc:6b:ab:a0:ff:99:c3:ff:13:0a:95:2a:68:70 ███████ (RSA)
4096 01:cc:8d:c9:3c:ca:cf:39:93:57:e5:36:91:30:c2:94 ██████(RSA)
4096 87:b3:05:9a:68:6a:2b:be:1f:6f:ce:1b:34:50:c9:01 ██████████(RSA)
2048 37:d7:c6:08:65:9e:d4:8e:57:a2:05:36:71:e3:0b:13 ███ (RSA)
2048 3c:62:aa:4e:86:6d:83:b0:f7:b8:fb:0a:db:c4:67:3b ██████ (RSA)
1024 a4:1b:cb:c9:a0:99:19:80:67:e2:1b:14:5b:7e:17:cf ███████ (RSA)

I tried ssh-add -d ██████ to remove selectively, and ssh-add -D to remove all keys.

this does not seem to work. After I executed ssh-add -D, the output of ssh-add -l is the same like before.

I tried, for example, ssh-add -d alex@sunny2, and also the full path to the key file, which is, in this example, ~/.ssh/alex_rsa.

I also tried 'wildcard-remove', ssh-add -d ~/.ssh/*.

Interestingly I get a confirmation, that the key was removed:

Identity removed: .ssh/alex_rsa ( alex@sunny2)

But ssh-add -l afterwards again lists all the key files, so it seems there went something wrong while removing. Or, there is some mechanism which adds the keys immediately again.

$ cat ~/.ssh/config 
Host *
    ServerAliveInterval 240

Host 192.168.0.107
        PreferredAuthentications keyboard-interactive,password,publickey,hostbased,gssapi-with-mic

Host github.com
        HostName    github.com
        IdentityFile    ~/.ssh/alex_rsa

SSH version is:

$ ssh -V
OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.8, OpenSSL 1.0.1f 6 Jan 2014

I think specifying which key to remove only makes sense with `-d`, not `-D`. — ptman, Oct 25 '17 at 11:34
Yes, you are right! When trying with `-d`, I get `Bad key file [..]`. — kerner1000, Oct 25 '17 at 11:36

blafasel · Answer 1 · 2017-10-29T21:50:49.527

Yes, there may be a mechanism, that adds keys to your keyring. For example on my machine (Ubuntu 16.04LTS) I can see the following PAM configuration:

blafasel@localhost:~$ grep -R gnome_keyring /etc/pam.*
/etc/pam.d/lightdm-greeter:auth    optional        pam_gnome_keyring.so
/etc/pam.d/lightdm-greeter:session optional        pam_gnome_keyring.so auto_start
/etc/pam.d/gnome-screensaver:auth optional pam_gnome_keyring.so
/etc/pam.d/common-password:password optional    pam_gnome_keyring.so 
/etc/pam.d/lightdm:auth    optional        pam_gnome_keyring.so
/etc/pam.d/lightdm:session optional        pam_gnome_keyring.so auto_start
/etc/pam.d/unity:auth optional pam_gnome_keyring.so

This means, if I start an X session with lightdm this session will have access to keys provided by gnome-keyring-daemon. These will normally include all keys inside ~/.ssh/ that are read on login.

Edit: If you run Ubuntu 16.04 or have some other system running gnome (validate by ps ax|grep keyring) you can use gnome-keyring-properties to switch of session integration. Then no more keys will be provided after the next login.

I killed `gnome-keyring-daemon`, now no `ssh-add` available anymore. Why is that? — kerner1000, Jan 06 '18 at 15:13

score 1 · Answer 2 · answered Jan 06 '18 at 15:18

kill gnome-keyring-daemon

$ ps ax | grep keyring 1627 ? SLl 0:01 /usr/bin/gnome-keyring-daemon --daemonize --login 17218 pts/2 S+ 0:00 grep --color=auto keyring

$ kill 1627
restart ssh

$ eval $(ssh-agent)
now all identities removed

$ ssh-add -l The agent has no identities.

score 0 · Answer 3 · answered Oct 25 '17 at 11:15

0

Which version of OpenSSH (and thus ssh-add) do you have?

Mine works:

$ ssh-add -l
... user@host (RSA)
$ ssh-add -D
All identities removed.
$ ssh-add -l
The agent has no identities.

answered Oct 25 '17 at 11:15

ptman

28,394
2
30
45

Mine is definitely not working. Is there any mechanism that would automatically re-add some keys? – kerner1000 Oct 25 '17 at 11:17
I don't know what you have running on your host. Are the keys protected by passphrases? – ptman Oct 25 '17 at 11:35
Yes, they are pw-protected. – kerner1000 Oct 25 '17 at 11:37

ssh-add -D has no effect

3 Answers3