26

I have a really troubling problem. I can't get gpg-agent to remove my SSH key from its keyring and it even persists there after many reboots.

$ ssh-add -D
SSH_AGENT_FAILURE
Failed to remove all identities.

Even when I tell it to remove the identity:

$ ssh-add -d /path/to/private/key
Identity removed: /path/to/private/key

I then look

$ ssh-add -l
4096 1b:cb:52:a6:e5:13:e6:78:14:12:92:8f:34:8f:92:88 /path/to/private/key

and it's still there.

Where is this being cached? It seems to be writing to disk for some reason, which is a scary thing for an SSH agent to do. I'm running the following to start gpg-agent:

gpg-agent --enable-ssh-support --daemon 

Everything else works fine, but it's caching this file somewhere and I need to delete it.

Naftuli Kay
  • 38,686
  • 85
  • 220
  • 311

3 Answers

29

Yes, it seems that ssh-add -d is broken with gpg's agent. Here is a workaround using a different command.

Run the gpg-connect-agent command from the commandline to connect to the agent. Then, from the prompts there, enter this command to list the ssh keys

KEYINFO --ssh-list --ssh-fpr

You should see something like:

S KEYINFO 3365433C34421CC53B52C9A82169FD2328CF610B D - - - P df:a2:36:8d:ad:88:b3:cc:00:96:10:d4:c9:2c:e0:df - S
OK

Now, to remove the key from the agent:

DELETE_KEY 3365433C34421CC53B52C9A82169FD2328CF610B

It will say:

OK

Now, quit with the BYE command:

BYE
OK closing connection

Now, verify with ssh-add -l and you will see that it is gone for real.

Jacob Brown
  • 392
  • 3
  • 6
  • I got a prompt after typing `DELETE_KEY ` giving more info about where the file came from… was useful to figure out which key was which – Sam Mason Jun 26 '18 at 17:01
16

As with most things GPG, ssh credentials are cached inside the .gnupg directory, specifically in ~/.gnupg/sshcontrol, which will look something like this:

# List of allowed ssh keys.  Only keys present in this file are used
# in the SSH protocol.  The ssh-add tool may add new entries to this
# file to enable them; you may also add them manually.  Comment
# lines, like this one, as well as empty lines are ignored.  Lines do
# have a certain length limit but this is not serious limitation as
# the format of the entries is fixed and checked by gpg-agent. A
# non-comment line starts with optional white spaces, followed by the
# keygrip of the key given as 40 hex digits, optionally followed by a
# the caching TTL in seconds and another optional field for arbitrary
# flags.   Prepend the keygrip with an '!' mark to disable it.

# Key added on: 2013-09-19 22:15:50
# Fingerprint:  8b:56:b0:3f:c8...
681BF1EFF... 0
# Key added on: 2013-09-20 17:14:36
# Fingerprint:  4b:cb:7e:b0:d7...
F7BCEBD1C... 0

As the comment says, you can remove keys by deleting them, or disable them with a !. I haven't tested, but I imagine that "disabling" a key means you can't explicitly enable it or add it without editing the file.

larsks
  • 32,449
  • 5
  • 54
  • 70
  • 4
    These are just key fingerprints. There are still private keys stored in ~/.gnupg/private-keys-v1.d/ – dlitz May 17 '19 at 10:49
  • But they are no longer visible to the ssh agent. – larsks May 17 '19 at 10:49
  • I had a problem where vagrant would keep adding new keys (From the same file) to my agent, so it would have to try a very long list of keys every time i connected to something. Didn't expect it to just put them in sshcontrol, but I'd probably delete the keys themselves from the private-keys directory as well, as dlitz mentions above. – Steen Schütt May 07 '21 at 10:15
  • See [Werner Koch's](https://lists.gnupg.org/pipermail/gnupg-users/2018-July/060809.html) explanation: `ssh-add` adds a **copy** of the SSH key to ~/.gnupg/private-keys-v1.d/ and adds the fingerprint to ~/.gnupg/sshcontrol, which only allow-lists the key. To remove a key you have to remove it from both locations. – pmhahn May 17 '22 at 11:39
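To tie the two answers together (the KEYINFO listing in the first answer and the sshcontrol allow-list in this one), here is an added Python example, written for this page and not by either answerer: it parses a constructed `KEYINFO --ssh-list --ssh-fpr` listing to find the keygrip behind the fingerprint that `ssh-add -l` reports, and disables that keygrip in a constructed sshcontrol file. Field positions follow the sample KEYINFO line shown above; the keygrips and fingerprints are made up.

```python
import re

# Constructed output of `gpg-connect-agent 'KEYINFO --ssh-list --ssh-fpr' /bye`
# (keygrips and fingerprints are made up for this example).
SAMPLE_KEYINFO = """\
S KEYINFO 3365433C34421CC53B52C9A82169FD2328CF610B D - - - P df:a2:36:8d:ad:88:b3:cc:00:96:10:d4:c9:2c:e0:df - S
S KEYINFO 681BF1EF0123456789ABCDEF0123456789ABCDEF D - - - P 8b:56:b0:3f:c8:11:22:33:44:55:66:77:88:99:aa:bb - S
OK
"""

# Constructed ~/.gnupg/sshcontrol contents in the format quoted above.
SAMPLE_SSHCONTROL = """\
# List of allowed ssh keys.
# Key added on: 2013-09-19 22:15:50
# Fingerprint:  8b:56:b0:3f:c8...
681BF1EF0123456789ABCDEF0123456789ABCDEF 0
# Key added on: 2013-09-20 17:14:36
# Fingerprint:  4b:cb:7e:b0:d7...
3365433C34421CC53B52C9A82169FD2328CF610B 0
"""

KEYGRIP_RE = re.compile(r"^[0-9A-Fa-f]{40}$")

def parse_keyinfo(text):
    """Map SSH (MD5, colon-separated) fingerprint -> keygrip.
    Line layout: S KEYINFO <keygrip> <type> <serial> <idstr> <cached>
                 <protection> <fingerprint> <ttl> <flags>"""
    result = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 9 or parts[:2] != ["S", "KEYINFO"]:
            continue  # skips the trailing "OK" and anything unexpected
        grip, fpr = parts[2], parts[8]
        if KEYGRIP_RE.match(grip):
            result[fpr.lower()] = grip.upper()
    return result

def keygrip_for_fingerprint(keyinfo_text, fingerprint):
    """Return the keygrip to pass to DELETE_KEY for a fingerprint, or None."""
    return parse_keyinfo(keyinfo_text).get(fingerprint.lower())

def disable_in_sshcontrol(content, keygrip):
    """Prefix the given keygrip's entry with '!' (disabled); leave comments,
    blank lines and other keygrips untouched. Idempotent."""
    out = []
    for line in content.splitlines():
        s = line.strip()
        if s and not s.startswith("#") and s.lstrip("!").split()[0].upper() == keygrip.upper():
            line = s if s.startswith("!") else "!" + s
        out.append(line)
    return "\n".join(out) + "\n"
```

With a real fingerprint from `ssh-add -l -E md5`, `keygrip_for_fingerprint` gives the argument for `DELETE_KEY`, and `disable_in_sshcontrol` produces the edited allow-list to write back.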
2

If you want a script for this:

# Collect every keygrip the agent lists (drop the trailing "OK" line), then delete each one.
# Note: 'keyinfo --list' covers all keys in private-keys-v1.d, not only the SSH ones;
# use 'keyinfo --ssh-list' to restrict it to the keys enabled in sshcontrol.
keys=$(gpg-connect-agent 'keyinfo --list' /bye | awk '{print $3}' | head -n -1)
for key in $keys; do gpg-connect-agent "delete_key $key --force" /bye; done

I'm not the expert here, so I'm just giving a simple script that I use. Nothing fancy. Nothing deep.

AFP_555
  • 251
  • 2
  • 11