[Bug 3785] New: "ssh-add -C -D" does not do what you might think or hope for
bugzilla-daemon at mindrot.org
Thu Feb 6 05:34:51 AEDT 2025
https://bugzilla.mindrot.org/show_bug.cgi?id=3785
Bug ID: 3785
Summary: "ssh-add -C -D" does not do what you might think or hope for
Product: Portable OpenSSH
Version: 9.9p1
Hardware: Other
OS: NetBSD
Status: NEW
Severity: enhancement
Priority: P5
Component: ssh-add
Assignee: unassigned-bugs at mindrot.org
Reporter: he at uninett.no
This is touching upon the same underlying issue that
https://bugzilla.mindrot.org/show_bug.cgi?id=2675
does:
For users that regularly receive new short-lived certificates, it is
useful to be able to add these to ssh-agent without the list of
identities continually growing.
I was delighted to discover the relatively newly added presence of
"ssh-add -C", which is documented as
-C When loading keys into or deleting keys from the agent,
process certificates only and skip plain keys.
If you are using certificates only assigned by a single source, it
would have been useful to be able to combine this with "ssh-add -D":
-D Deletes all identities from the agent.
so that all certificate identities were removed from the agent.
However, testing reveals that with "ssh-add -D", the presence of the
"-C" option does not make any difference, and looking at the code, the
delete_all() function does not take a "cert_only" argument, and the SSH
protocol message exchanged is a "delete all identities" message (with
no conditionals), so in effect "-D" does *just* what "-D" documents,
and is not influenced by the presence (or absence) of the "-C" option.
Looking around a little in the source code doesn't reveal an obvious
way to achieve the "combination" of "-C" and "-D" -- it looks like in
order to delete specific identities, you need the private key file (is
this correct?), which in the intended use case would possibly not be
locally available. The "ssh-add -d" operation doesn't look like it can
accept a key identity via the fingerprint from the ssh agent (is this
correct?)
My unfamiliarity with the code prevents me from making any more
productive suggestions at the moment.
Am I asking for the impossible (or "near-impossible") when asking for
"-D" taking "-C" into consideration, and only removing all available
ssh certificate identities from the SSH agent? Or do any of you see
another way to solve this underlying issue?
I somewhat dislike the current mode I've ended up in (because it's
annoying / user-unfriendly), which is to use "ssh-add -D" and thereby
forcing the user to re-upload any additional commonly used
non-certificate identities to the ssh agent after issuance of a new
certificate.
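On the question of whether certificates can be removed without the private key file: ssh-add's -d option takes a list of public key files (the man page says the arguments are "paths to public key files to specify keys and certificates to be removed from the agent"), and ssh-add -L prints every loaded identity as one public-key line, so the "-C -D" behaviour asked for above can be scripted today. The following is an added example, not OpenSSH's own code and not part of the bug report; the helper names, the DELETE_AGENT_CERTS variable and the sample listing are constructed here.

```sh
#!/bin/sh
# Added example, not OpenSSH's own code: remove only the certificate
# identities from a running ssh-agent.  "ssh-add -D" is unconditional, but
# "ssh-add -L" prints one public-key line per loaded identity and
# "ssh-add -d FILE" accepts a public key or certificate file, so each
# certificate can be removed by its own public blob, without the private key.

# A certificate's key-type field (first column of ssh-add -L) ends in
# "-cert-v01@openssh.com"; plain keys (ssh-ed25519, ssh-rsa, ...) do not.
CERT_TYPE_RE='-cert-v01@openssh[.]com$'

# Filter stdin (ssh-add -L output) down to the certificate lines.
cert_lines() {
    awk -v re="$CERT_TYPE_RE" '$1 ~ re'
}

# Number of certificate identities in a listing passed as $1.
count_certs() {
    printf '%s\n' "$1" | awk -v re="$CERT_TYPE_RE" '$1 ~ re { n++ } END { print n + 0 }'
}

# Remove every certificate identity from the agent; plain keys stay loaded.
delete_agent_certs() {
    listing=$(ssh-add -L) || return 1      # no agent reachable, or nothing loaded
    tmpdir=$(mktemp -d) || return 1
    printf '%s\n' "$listing" | cert_lines | {
        i=0
        while IFS= read -r line; do
            i=$((i + 1))
            printf '%s\n' "$line" > "$tmpdir/cert$i.pub"
            ssh-add -d "$tmpdir/cert$i.pub"  # agent matches the full cert blob
        done
    }
    rm -rf "$tmpdir"
}

# Constructed sample listing (key blobs are placeholders, not real keys):
# two plain keys and two certificates, laid out as ssh-add -L prints them.
SAMPLE_LISTING='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER user@host
ssh-ed25519-cert-v01@openssh.com AAAAIHNzaC1lZDI1NTE5LWNlcnQPLACEHOLDER user@host
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABPLACEHOLDER other@host
ssh-rsa-cert-v01@openssh.com AAAAHHNzaC1yc2EtY2VydC12MDEPLACEHOLDER other@host'

# Only act on the agent when asked, so the file can be sourced for its helpers.
if [ "${DELETE_AGENT_CERTS:-0}" = 1 ]; then
    delete_agent_certs
fi
```

Run it as `DELETE_AGENT_CERTS=1 sh delete-agent-certs.sh` against a live agent; each removal is reported by ssh-add's own "Identity removed:" line, and the plain keys remain listed by `ssh-add -l` afterwards.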