[Bug 2598] ssh-agent very occasionally won't remove keys or certs despite now() >= lifetime
bugzilla-daemon at bugzilla.mindrot.org
Tue Jul 19 03:30:52 AEST 2016
https://bugzilla.mindrot.org/show_bug.cgi?id=2598
--- Comment #7 from Peter Moody <mindrot at hda3.com> ---
Thanks, Darren. I'm running the patched ssh-agent now.
fwiw, I apparently *can* repro this on my machine (I'd only gotten
reports of this from other people before).
this is on my system-provided agent.
$ usshcertstatus
ussh cert good for -50h-16m
waiting for the cert/key to expire on the patched version now
$ env SSH_AUTH_SOCK=/tmp/ssh.sock usshcertstatus
ussh cert good for 19h56m
> - when it happens, if you run ssh-add -l twice are the keys present in both?
yes
$ ssh-add -l
2048 SHA256:xXX0cRWdec7IA43C0cSF+Y9JrKul2JBzgXk28NMLfEU [Valid until
Sat 16 Jul 2016 15:01 UTC, Version 2] (RSA-CERT)
2048 SHA256:xXX0cRWdec7IA43C0cSF+Y9JrKul2JBzgXk28NMLfEU [Valid until
Sat 16 Jul 2016 15:01 UTC, Version 2] (RSA)
$ ssh-add -l
2048 SHA256:xXX0cRWdec7IA43C0cSF+Y9JrKul2JBzgXk28NMLfEU [Valid until
Sat 16 Jul 2016 15:01 UTC, Version 2] (RSA-CERT)
2048 SHA256:xXX0cRWdec7IA43C0cSF+Y9JrKul2JBzgXk28NMLfEU [Valid until
Sat 16 Jul 2016 15:01 UTC, Version 2] (RSA)
$ ssh-add -l
2048 SHA256:xXX0cRWdec7IA43C0cSF+Y9JrKul2JBzgXk28NMLfEU [Valid until
Sat 16 Jul 2016 15:01 UTC, Version 2] (RSA-CERT)
2048 SHA256:xXX0cRWdec7IA43C0cSF+Y9JrKul2JBzgXk28NMLfEU [Valid until
Sat 16 Jul 2016 15:01 UTC, Version 2] (RSA)
$ ssh-add -l
2048 SHA256:xXX0cRWdec7IA43C0cSF+Y9JrKul2JBzgXk28NMLfEU [Valid until
Sat 16 Jul 2016 15:01 UTC, Version 2] (RSA-CERT)
2048 SHA256:xXX0cRWdec7IA43C0cSF+Y9JrKul2JBzgXk28NMLfEU [Valid until
Sat 16 Jul 2016 15:01 UTC, Version 2] (RSA)
$ usshcertstatus
ussh cert good for -50h-21m
> - is there anything else going on with clocks, eg ntpd? if so, are there any clock steps logged?
I don't see any likely ntp errors in the logs. The only slight
weirdness with my setup here is that I believe my laptop was asleep for
most of the weekend. It looks like this key/cert pair should've been
removed on 16 July at ~08.25. My laptop diagnostic logs go from 16 July
at 4.57 to 16 July 9.44. time(NULL) couldn't be wrapping around, could it
.. ?
Anyway, I'll let you know the results from the instrumented ssh-agent.
Thanks!