https://bugzilla.mindrot.org/show_bug.cgi?id=3785
Bug ID: 3785
Summary: "ssh-add -C -D" does not do what you might think or hope for
Product: Portable OpenSSH
Version: 9.9p1
Hardware: Other
OS: NetBSD
Status: NEW
Severity: enhancement
Priority: P5
Component: ssh-add
Assignee: unassigned-b...@mindrot.org
Reporter: h...@uninett.no

This is touching upon the same underlying issue that https://bugzilla.mindrot.org/show_bug.cgi?id=2675 does: for users that regularly receive new short-lived certificates, it is useful to be able to add these to ssh-agent without the list of identities continually growing.

I was delighted to discover the relatively newly added presence of "ssh-add -C", which is documented as

    -C      When loading keys into or deleting keys from the agent, process
            certificates only and skip plain keys.

If you are using certificates only assigned by a single source, it would have been useful to be able to combine this with "ssh-add -D":

    -D      Deletes all identities from the agent.

so that all certificate identities were removed from the agent.

However, testing reveals that with "ssh-add -D", the presence of the "-C" option does not make any difference, and looking at the code, the delete_all() function does not take a "cert_only" argument, and the SSH protocol message exchanged is a "delete all identities" message (with no conditionals), so in effect "-D" does *just* what "-D" documents, and is not influenced by the presence (or absence) of the "-C" option.

Looking around a little in the source code doesn't reveal an obvious way to achieve the "combination" of "-C" and "-D"; it looks like in order to delete specific identities, you need the private key file (is this correct?), which in the intended use case would possibly not be locally available. The "ssh-add -d" operation doesn't look like it can accept a key identity via the fingerprint from the ssh agent (is this correct?)

My unfamiliarity with the code prevents me from making any more productive suggestions at the moment.
Am I asking for the impossible (or "near-impossible") when asking for "-D" taking "-C" into consideration, and only removing all available ssh certificate identities from the SSH agent? Or do any of you see another way to solve this underlying issue?

I somewhat dislike the current mode I've ended up in (because it's annoying / user-unfriendly), which is to use "ssh-add -D" and thereby forcing the user to re-upload any additional commonly used non-certificate identities to the ssh agent after issuance of a new certificate.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.

_______________________________________________
openssh-bugs mailing list
openssh-bugs@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-bugs
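The report asks whether deleting a specific identity needs the private key. ssh-add(1) documents "-d" as taking paths to public key files, and the agent's per-identity removal request carries the key blob, which for a certificate is the certificate blob; so the public line that "ssh-add -L" prints for a certificate is enough to remove just that certificate, and plain keys loaded alongside it stay put. The script below does the "-C -D" combination the reporter wanted in userland. It is an added example for this thread, not code from the report or from OpenSSH, and it assumes: that "ssh-add -L" prints one identity per line as "<keytype> <blob> <comment>", that OpenSSH certificate key types end in "-cert-v01@openssh.com", and that "ssh-add -d FILE" removes exactly the identity whose blob FILE contains. The sample listing embedded at the bottom is constructed, with truncated non-functional blobs, so the filter can be checked offline.

```shell
#!/bin/sh
# ssh-delete-certs: remove only certificate identities from the running
# ssh-agent, leaving plain keys loaded. Added example, not part of the
# bug report or of OpenSSH. Assumptions: "ssh-add -L" prints
# "<keytype> <blob> <comment>" per identity; certificate key types end in
# "-cert-v01@openssh.com"; "ssh-add -d FILE" accepts a public key file
# and removes the single identity whose blob it holds (ssh-add(1), -d).

# Keep only certificate lines from an "ssh-add -L" listing read on stdin.
select_cert_lines() {
    awk '$1 ~ /-cert-v[0-9]+@openssh\.com$/'
}

# Count certificate identities in an "ssh-add -L" listing read on stdin.
count_cert_lines() {
    select_cert_lines | wc -l | tr -d ' '
}

# Delete every certificate identity currently loaded. Prints the number
# of certificates removed and returns non-zero if the agent still lists
# a certificate afterwards (e.g. an agent that ignored the request).
delete_agent_certs() {
    if [ -z "${SSH_AUTH_SOCK:-}" ]; then
        echo "SSH_AUTH_SOCK is not set; no agent to talk to" >&2
        return 1
    fi
    listing=$(mktemp) || return 1
    pubfile=$(mktemp) || { rm -f "$listing"; return 1; }
    ssh-add -L 2>/dev/null | select_cert_lines > "$listing"
    removed=0
    while IFS= read -r line; do
        # The certificate's public line is enough; no private key needed.
        printf '%s\n' "$line" > "$pubfile"
        if ssh-add -d "$pubfile" >/dev/null 2>&1; then
            removed=$((removed + 1))
        else
            printf 'failed to remove a %s identity\n' "${line%% *}" >&2
        fi
    done < "$listing"
    rm -f "$listing" "$pubfile"
    printf '%s\n' "$removed"
    # Verify: the agent should now list no certificates at all.
    left=$(ssh-add -L 2>/dev/null | count_cert_lines)
    [ "$left" -eq 0 ]
}

# Constructed sample listing (truncated, non-functional blobs) used only to
# exercise the filter offline; real "ssh-add -L" output has full blobs.
SAMPLE_LISTING='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleOnly user@laptop
ssh-ed25519-cert-v01@openssh.com AAAAIHNzaC1lZDI1NTE5LWNlcnQtdjAxQG9wZW5zc2guY29tExampleOnly user@laptop
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABExampleOnly backup@laptop'

# Usage: ./ssh-delete-certs run   (with an agent in SSH_AUTH_SOCK)
case "${1:-}" in
    run) delete_agent_certs ;;
esac
```

Run it with "run" after a new certificate has been issued and before loading the new one; the plain keys the reporter did not want to re-upload are never touched, because each removal names one certificate blob rather than sending the unconditional "remove all identities" request that "-D" sends. The final re-listing is the check a practitioner wants: if an agent other than OpenSSH's refuses or ignores per-identity removal, the function returns non-zero instead of silently reporting success.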