[Bug 2598] ssh-agent very occasionally won't remove keys or certs despite now() >= lifetime

bugzilla-daemon at bugzilla.mindrot.org
Tue Jul 19 03:30:52 AEST 2016


https://bugzilla.mindrot.org/show_bug.cgi?id=2598

--- Comment #7 from Peter Moody <mindrot at hda3.com> ---
Thanks, Darren. I'm running the patched ssh-agent now.

fwiw, I apparently *can* repro this on my machine (I'd only gotten
reports of this from other people before).

this is on my system-provided agent.

$ usshcertstatus
ussh cert good for -50h-16m

waiting for the cert/key to expire on the patched version now

$ env SSH_AUTH_SOCK=/tmp/ssh.sock usshcertstatus
ussh cert good for 19h56m


>  - when it happens, if you run ssh-add -l twice are the keys present in both?
yes

$ ssh-add -l
2048 SHA256:xXX0cRWdec7IA43C0cSF+Y9JrKul2JBzgXk28NMLfEU [Valid until
Sat 16 Jul 2016 15:01 UTC, Version 2] (RSA-CERT)
2048 SHA256:xXX0cRWdec7IA43C0cSF+Y9JrKul2JBzgXk28NMLfEU [Valid until
Sat 16 Jul 2016 15:01 UTC, Version 2] (RSA)

$ ssh-add -l
2048 SHA256:xXX0cRWdec7IA43C0cSF+Y9JrKul2JBzgXk28NMLfEU [Valid until
Sat 16 Jul 2016 15:01 UTC, Version 2] (RSA-CERT)
2048 SHA256:xXX0cRWdec7IA43C0cSF+Y9JrKul2JBzgXk28NMLfEU [Valid until
Sat 16 Jul 2016 15:01 UTC, Version 2] (RSA)

$ ssh-add -l
2048 SHA256:xXX0cRWdec7IA43C0cSF+Y9JrKul2JBzgXk28NMLfEU [Valid until
Sat 16 Jul 2016 15:01 UTC, Version 2] (RSA-CERT)
2048 SHA256:xXX0cRWdec7IA43C0cSF+Y9JrKul2JBzgXk28NMLfEU [Valid until
Sat 16 Jul 2016 15:01 UTC, Version 2] (RSA)

$ ssh-add -l
2048 SHA256:xXX0cRWdec7IA43C0cSF+Y9JrKul2JBzgXk28NMLfEU [Valid until
Sat 16 Jul 2016 15:01 UTC, Version 2] (RSA-CERT)
2048 SHA256:xXX0cRWdec7IA43C0cSF+Y9JrKul2JBzgXk28NMLfEU [Valid until
Sat 16 Jul 2016 15:01 UTC, Version 2] (RSA)

$ usshcertstatus
ussh cert good for -50h-21m


>  - is there anything else going on with clocks, eg ntpd?  if so, are there any clock steps logged?

I don't see any likely ntp errors in the logs. The only slight
weirdness with my setup here is that I believe my laptop was asleep for
most of the weekend. it looks like this key/cert pair should've been
removed on 16 July at ~08.25; my laptop diagnostic logs go from 16 July
at 4.57 to 16 July 9.44. time(NULL) couldn't be wrapping around, could it
.. ?

Anyway, I'll let you know the results from the instrumented ssh-agent.
Thanks!
