Re: removing keys from ssh-agent without having key file

I've run into a similar situation. Looking at PROTOCOL.agent for SSH
version 2, you can obtain the key blob with SSH2_AGENTC_REQUEST_IDENTITIES,
and remove that identity with SSH2_AGENTC_REMOVE_IDENTITY. This means that
within the SSH agent protocol the key files are not needed to remove the
key.

I have another use case for this functionality: I've written an SSH agent
proxy which permits authorized users access to a common set of identities,
and in some cases a user has access to too many identities to complete
authentication in the permitted number of authentication attempts. In this
case the proxy would not remove the shared identity, but temporarily block
it from that user's view.


Dustin Lundquist

On Fri, Jan 1, 2016 at 9:43 PM, Matthew Boedicker <matthewm@xxxxxxxxxxxxx>
wrote:

> ssh-agent does not allow you to remove individual keys without having the
> key file that was added. To remove these keys the user must remove all keys
> with ssh-add -D.
>
> Would a patch to make ssh-add skip the existence check for the file be
> considered?
>
> The specific use case is that a USB drive is mounted with the key, the key
> is added to the agent then the USB drive is unmounted.
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
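The two agent messages named above, as an added example that is not part of the thread: it lists the agent's identities with SSH2_AGENTC_REQUEST_IDENTITIES, picks the blob whose SHA256 fingerprint matches the one ssh-add -l prints, and sends that blob in SSH2_AGENTC_REMOVE_IDENTITY, so no key file is needed. It assumes a running agent reachable at $SSH_AUTH_SOCK; the message numbers are the ones from PROTOCOL.agent, and the sample identities answer in the test is constructed.

```python
import base64, hashlib, os, socket, struct, sys
# Message numbers from PROTOCOL.agent (OpenSSH names as used in the thread).
SSH2_AGENTC_REQUEST_IDENTITIES = 11
SSH2_AGENT_IDENTITIES_ANSWER = 12
SSH2_AGENTC_REMOVE_IDENTITY = 18
SSH_AGENT_SUCCESS = 6

def ssh_string(data: bytes) -> bytes:   # SSH 'string': uint32 BE length + bytes
    return struct.pack(">I", len(data)) + data

def read_string(buf: bytes, pos: int):  # decode one SSH 'string' at buf[pos:]
    (n,) = struct.unpack(">I", buf[pos:pos + 4])
    return buf[pos + 4:pos + 4 + n], pos + 4 + n

def parse_identities_answer(msg: bytes):
    """Turn SSH2_AGENT_IDENTITIES_ANSWER into a list of (key blob, comment)."""
    if msg[0] != SSH2_AGENT_IDENTITIES_ANSWER:
        raise ValueError(f"unexpected agent message type {msg[0]}")
    (nkeys,) = struct.unpack(">I", msg[1:5])
    pos, keys = 5, []
    for _ in range(nkeys):
        blob, pos = read_string(msg, pos)
        comment, pos = read_string(msg, pos)
        keys.append((blob, comment.decode("utf-8", "replace")))
    return keys

def fingerprint(blob: bytes) -> str:
    """SHA256 fingerprint of a public key blob, in the form ssh-add -l prints."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

def build_remove_identity(blob: bytes) -> bytes:  # message carries only the blob
    return bytes([SSH2_AGENTC_REMOVE_IDENTITY]) + ssh_string(blob)

def agent_call(sock: socket.socket, msg: bytes) -> bytes:
    """Send one length-framed agent message and read the framed reply."""
    sock.sendall(ssh_string(msg))          # socket framing is the same uint32 prefix
    (n,) = struct.unpack(">I", sock.recv(4, socket.MSG_WAITALL))
    return sock.recv(n, socket.MSG_WAITALL)

def remove_by_fingerprint(wanted: str) -> bool:  # True if the agent confirmed removal
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(os.environ["SSH_AUTH_SOCK"])   # assumed: a running agent
        listing = agent_call(s, bytes([SSH2_AGENTC_REQUEST_IDENTITIES]))
        for blob, _comment in parse_identities_answer(listing):
            if fingerprint(blob) == wanted:
                return agent_call(s, build_remove_identity(blob))[0] == SSH_AGENT_SUCCESS
    return False

if __name__ == "__main__":
    print(remove_by_fingerprint(sys.argv[1]))  # argument: fingerprint from ssh-add -l
```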