[Bug 2598] New: ssh-agent very occasionally won't remove keys or certs despite now() >= lifetime

bugzilla-daemon at bugzilla.mindrot.org bugzilla-daemon at bugzilla.mindrot.org
Sat Jul 16 05:23:30 AEST 2016


https://bugzilla.mindrot.org/show_bug.cgi?id=2598

            Bug ID: 2598
           Summary: ssh-agent very occasionally won't remove keys or certs
                    despite now() >= lifetime
           Product: Portable OpenSSH
           Version: 6.9p1
          Hardware: amd64
                OS: Mac OS X
            Status: NEW
          Severity: minor
          Priority: P5
         Component: ssh-agent
          Assignee: unassigned-bugs at mindrot.org
          Reporter: mindrot at hda3.com

apologies for the vagueness of this report.

I add these ssh certs (and keys) to the ssh-agent with a lifetime set
to when the cert will expire, e.g. 72k seconds. Very occasionally, an
ssh-agent process won't actually remove the cert when the timer
expires. These are exclusively laptops so my first thought was that
maybe the laptop was asleep when the timer expired, but I've had a look
through the ssh-agent code and it looks like reaper() checks now >=
death for every entry. I've also been able to run 'ssh-add -l' (which
looks like it forces a call to reaper, presumably expiring all keys
with now >= death), and the certs still aren't removed.

Is my assumption wrong about reaper() being called every time 'ssh-add
-l' is invoked? If it is called every time, is there any way short of
id->death getting set to 0 that a key could dodge removal? I guess it's
possible that my ca is actually adding a lifetime that's much longer
than I think it is, but I suspect I'd see a lot more of this if that
were the case.

I'm totally confused. :-/
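Added example (mine, not the reporter's tooling or OpenSSH's code): a Python model of the lifetime bookkeeping described above, where each identity carries a death time, the reaper drops entries with now >= death, and listing runs the reaper first, plus a parser for the `Valid:` line of a constructed `ssh-keygen -L` listing that derives the `ssh-add -t` value matching the cert's own expiry, which is one way to check the hypothesis that the tool hands the agent a longer lifetime than intended. The table layout, death == 0 meaning "never expire", and all names are assumptions.

```python
import re
from datetime import datetime

# The validity line `ssh-keygen -L` prints for a certificate (local time).
VALID_RE = re.compile(r"Valid: from (\S+) to (\S+)")

def cert_expiry(listing):
    """'to' timestamp of a `ssh-keygen -L` listing; None for 'Valid: forever'."""
    for line in listing.splitlines():
        if "Valid: forever" in line:
            return None
        m = VALID_RE.search(line)
        if m:
            return datetime.strptime(m.group(2), "%Y-%m-%dT%H:%M:%S")
    raise ValueError("no 'Valid:' line in listing")

def lifetime_for_cert(listing, now):
    """Seconds for `ssh-add -t` so the agent forgets the cert when it expires.
    Returns 0 (assumed to mean 'never expire') for certs valid forever."""
    expiry = cert_expiry(listing)
    if expiry is None:
        return 0
    return max(1, int((expiry - now).total_seconds()))

class AgentTable:
    """Assumed model of the agent's identity list: comment -> death time."""
    def __init__(self):
        self.entries = {}

    def add(self, comment, lifetime, now):
        # Lifetime 0 records death == 0, which the reaper never touches.
        self.entries[comment] = now + lifetime if lifetime else 0

    def reaper(self, now):
        # Drop every entry whose deadline has passed; death == 0 is the only
        # thing that lets an entry survive once now >= death.
        for comment, death in list(self.entries.items()):
            if death and now >= death:
                del self.entries[comment]

    def list_keys(self, now):
        # Modelled on the report: listing runs the reaper before answering.
        self.reaper(now)
        return sorted(self.entries)

# Constructed sample listing, not a real certificate.
SAMPLE_LISTING = """\
        Valid: from 2016-07-15T10:00:00 to 2016-07-16T06:00:00
"""
```

Comparing the value `lifetime_for_cert` returns against what the add-to-agent tool actually passes to `ssh-add -t` shows whether the agent-side deadline really coincides with the cert's expiry.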
