#493874 ssh-add -c reports SSH_AGENT_FAILURE and doesn't ask for confirmation

Package: gnome-keyring
Source: gnome-keyring
Description: GNOME keyring services (daemon and tools)
Submitter: Wouter Verhelst
Date: 2019-12-28 11:00:07 UTC
Severity: wishlist
#493874#5
Date: 2008-08-05 14:51:49 UTC
Hi,

For a while now, when running 'ssh-add -c' (which is supposed to make
ssh-agent ask the user for confirmation before allowing use of an ssh
key), ssh-add prints "SSH_AGENT_FAILURE" on a line by itself (without
explaining what the exact failure is). The result seems to be that
ssh-agent then does know the key and allows software to use it, but it
does not request user confirmation before giving out the secret key.

#493874#10
Date: 2008-08-06 00:35:13 UTC
I can't reproduce this:

  <cjwatson@sarantium ~>$ ssh-add -c
  Enter passphrase for /home/cjwatson/.ssh/id_rsa:
  Identity added: /home/cjwatson/.ssh/id_rsa (/home/cjwatson/.ssh/id_rsa)
  The user has to confirm each use of the key

Is it possible that you are not in fact using ssh-agent, but a different
not-quite-compatible agent provided by something like seahorse? Have a
look at what's behind $SSH_AUTH_SOCK.
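
One way to do the check suggested above ("what's behind $SSH_AUTH_SOCK"), as an added example that is not part of the bug report or of either project's code. It assumes a Linux /proc layout: /proc/net/unix lists unix sockets with their flags, inode and bound path, and /proc/<pid>/fd/* symlinks read "socket:[<inode>]" for sockets a process holds; the /proc/net/unix sample in the block is constructed, and the process-name mapping in describe_agent is an assumption based on this thread.

```python
"""Identify the process that serves $SSH_AUTH_SOCK (Linux, /proc based).
Added example; assumes the /proc layout described in the lead-in."""
import os

# Constructed sample of /proc/net/unix for offline use; not a real capture.
SAMPLE_PROC_NET_UNIX = """\
Num       RefCount Protocol Flags    Type St Inode Path
0000000000000000: 00000002 00000000 00010000 0001 01 23456 /run/user/1000/keyring/ssh
0000000000000000: 00000002 00000000 00010000 0001 01 23999 /tmp/ssh-abcd/agent.4321
0000000000000000: 00000003 00000000 00000000 0001 03 24001
"""

SO_ACCEPTCON = 0x10000  # flag bit set on a listening unix socket


def listening_inode(proc_net_unix, sock_path):
    """Inode of the listening unix socket bound to sock_path, or None."""
    for line in proc_net_unix.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 8:
            continue  # connected (client) sockets carry no path
        flags, inode, path = int(fields[3], 16), int(fields[6]), fields[7]
        if path == sock_path and flags & SO_ACCEPTCON:
            return inode
    return None


def process_holding(inode):
    """(pid, comm) of a process with a descriptor on socket:[inode], or None.
    Only processes we may inspect are visible; that covers our own agent."""
    target = "socket:[%d]" % inode
    for pid in filter(str.isdigit, os.listdir("/proc")):
        fd_dir = "/proc/%s/fd" % pid
        try:
            for fd in os.listdir(fd_dir):
                if os.readlink(os.path.join(fd_dir, fd)) == target:
                    with open("/proc/%s/comm" % pid) as f:
                        return int(pid), f.read().strip()
        except OSError:
            continue  # permission denied, or the process went away
    return None


def describe_agent(comm):
    """What the process name suggests about ssh-add -c (assumed names)."""
    if comm.startswith("ssh-agent"):
        return "OpenSSH ssh-agent: honours the confirm constraint"
    if comm.startswith("gnome-keyring"):
        return "gnome-keyring-daemon: answered SSH_AGENT_FAILURE to -c in this report"
    return "unknown agent: run ssh-add -c and watch for SSH_AGENT_FAILURE"


def agent_behind(sock_path=None):
    """Resolve $SSH_AUTH_SOCK to (pid, comm, description), or None."""
    sock_path = sock_path or os.environ.get("SSH_AUTH_SOCK", "")
    if not sock_path:
        return None
    with open("/proc/net/unix") as f:
        table = f.read()
    inode = (listening_inode(table, sock_path)
             or listening_inode(table, os.path.realpath(sock_path)))
    if inode is None:
        return None
    owner = process_holding(inode)
    if owner is None:
        return None
    pid, comm = owner
    return pid, comm, describe_agent(comm)


if __name__ == "__main__":
    print(agent_behind())
```

Run it from a shell whose $SSH_AUTH_SOCK is set; /proc/<pid>/comm truncates names to 15 characters, so gnome-keyring-daemon shows up as "gnome-keyring-d", which the prefix test still matches.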

#493874#15
Date: 2008-08-06 04:28:19 UTC
Yes, that does appear to be the case; $SSH_AUTH_SOCK seems to be served
by gnome-agent. I apparently also can't get rid of it without removing
gdm.

Sigh. Why do the gnome people have to be so insane? Oh well.

#493874#20
Date: 2008-08-06 16:27:27 UTC
There's no match for "gnome-agent" in dists/unstable/Contents-i386.gz.
Would you mind figuring out the correct package and reassigning this
bug?

Thanks,

#493874#25
Date: 2008-08-07 14:16:45 UTC
reassign 493874 gnome-keyring
severity 493874 wishlist
thanks
confused by the fact that ssh calls it an 'agent'.

To the maintainer of gnome-keyring: ssh-add has a '-c' option, which
will cause ssh-add to request from ssh-agent that it requests
confirmation from the user every time an application tries to access the
key; this is a benefit security-wise. It would be nice if gnome-keyring
were to implement this.

#493874#34
Date: 2009-03-16 01:05:00 UTC
hey folks--

#493874 (gnome-keyring doesn't ask for confirmation with ssh keys), in
combination with #516230 (gnome-keyring daemon acts as ssh-agent even
when instructed not to) causes a potentially serious security problem.

In particular, people who use ssh-agent regularly, and expect to receive
confirmation before use of their keys are at risk.  Since the default
debian desktop installs gnome, and gnome installs gnome-keyring, those
users are at a serious risk of having their keys available for
non-confirmed use.

If gnome-keyring is unable to honor a constraint requested by a user, it
should *not* import the key in the first place and fail hard, as opposed
to importing it and ignoring the requested constraint.

#493874#39
Date: 2009-08-06 22:01:51 UTC
forwarded 493874 https://bugzilla.mindrot.org/show_bug.cgi?id=1612
thanks

So I looked into this further.  And while gnome-keyring has dubious
behavior, it actually correctly reports when it does not support
constraints.  See the discussion with gnome folks here:

https://bugzilla.gnome.org/show_bug.cgi?id=525574

The most serious bug is in ssh-add, which sees the failure to add-key
with constraints, and then goes ahead and tries to re-submit the key
*without* constraints.  I've reported this to openssh upstream, along
with a patch:

https://bugzilla.mindrot.org/show_bug.cgi?id=1612

they seem to be indicating (via bugzilla bug blocking/dependency trees)
that the patch will be incorporated into OpenSSH by version 5.4.
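
The exchange described in the two messages above (an agent that answers SSH_AGENT_FAILURE to a constrained add, and a client that either retries without the constraint or fails hard), as an added example that is not code from ssh-add, OpenSSH or gnome-keyring. The mock agent stands in for gnome-keyring as described in this report; the message numbers are those of the SSH agent protocol (SSH_AGENTC_ADD_IDENTITY 17, SSH_AGENTC_ADD_ID_CONSTRAINED 25, SSH_AGENT_FAILURE 5, SSH_AGENT_SUCCESS 6, SSH_AGENT_CONSTRAIN_CONFIRM 2); the key material is constructed dummy bytes, not a real key, and the two client strategies are this example's own illustrations of the behaviour the thread describes, not ssh-add's code.

```python
"""ssh-add -c against an agent that rejects constraints: the silent fallback
the thread reports versus failing hard. Added example with a mock agent."""
import socket
import struct
import threading

SSH_AGENT_FAILURE = 5
SSH_AGENT_SUCCESS = 6
SSH_AGENTC_ADD_IDENTITY = 17
SSH_AGENTC_ADD_ID_CONSTRAINED = 25
SSH_AGENT_CONSTRAIN_CONFIRM = 2


def sshstr(b):
    """SSH wire string: uint32 length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def agent_msg(msg_type, payload=b""):
    """Frame one agent message: uint32 length, byte type, payload."""
    body = bytes([msg_type]) + payload
    return struct.pack(">I", len(body)) + body


def recv_exact(conn, n):
    buf = b""
    while len(buf) < n:
        chunk = conn.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed")
        buf += chunk
    return buf


def read_msg(conn):
    """Return (type, payload) of the next framed message."""
    (n,) = struct.unpack(">I", recv_exact(conn, 4))
    body = recv_exact(conn, n)
    return body[0], body[1:]


def constructed_ed25519_blob():
    """Add-identity payload: type, pub, priv, comment. Dummy bytes, not a key."""
    pub = b"\x01" * 32
    priv = b"\x02" * 32 + pub  # ed25519 private blob is seed || pub
    return sshstr(b"ssh-ed25519") + sshstr(pub) + sshstr(priv) + sshstr(b"constructed key")


class MockAgent:
    """Records each added key as True/False (confirm requested or not). With
    supports_constraints=False it answers SSH_AGENT_FAILURE to constrained adds,
    which is what this report describes gnome-keyring doing."""

    def __init__(self, supports_constraints):
        self.supports_constraints = supports_constraints
        self.keys = []

    def serve(self, conn):
        try:
            while True:
                msg_type, _payload = read_msg(conn)
                constrained = msg_type == SSH_AGENTC_ADD_ID_CONSTRAINED
                if msg_type == SSH_AGENTC_ADD_IDENTITY or (constrained and self.supports_constraints):
                    self.keys.append(constrained)  # only the confirm constraint is modelled
                    conn.sendall(agent_msg(SSH_AGENT_SUCCESS))
                else:
                    conn.sendall(agent_msg(SSH_AGENT_FAILURE))
        except OSError:
            pass  # client hung up
        finally:
            conn.close()


def add_key(conn, blob, confirm):
    """Send one add request; True on SSH_AGENT_SUCCESS."""
    if confirm:
        conn.sendall(agent_msg(SSH_AGENTC_ADD_ID_CONSTRAINED, blob + bytes([SSH_AGENT_CONSTRAIN_CONFIRM])))
    else:
        conn.sendall(agent_msg(SSH_AGENTC_ADD_IDENTITY, blob))
    msg_type, _ = read_msg(conn)
    return msg_type == SSH_AGENT_SUCCESS


def add_with_fallback(conn, blob):
    """The behaviour reported against ssh-add: retry without the constraint."""
    if add_key(conn, blob, confirm=True):
        return "added with confirm"
    if add_key(conn, blob, confirm=False):
        return "added WITHOUT confirm"  # the user asked for -c and did not get it
    return "refused"


def add_fail_hard(conn, blob):
    """The requested fix: a rejected constraint means the key is not loaded."""
    return "added with confirm" if add_key(conn, blob, confirm=True) else "refused"


def run_scenario(strategy, supports_constraints):
    """Run one client strategy against a mock agent over a socketpair."""
    agent_end, client_end = socket.socketpair()
    agent = MockAgent(supports_constraints)
    worker = threading.Thread(target=agent.serve, args=(agent_end,), daemon=True)
    worker.start()
    try:
        outcome = strategy(client_end, constructed_ed25519_blob())
    finally:
        client_end.close()
    worker.join(timeout=5)
    return outcome, agent.keys


if __name__ == "__main__":
    for name, strategy in (("fallback", add_with_fallback), ("fail-hard", add_fail_hard)):
        print(name, run_scenario(strategy, supports_constraints=False))
```

Against the constraint-rejecting mock, the fallback strategy leaves the agent holding the key with no confirm flag while the user believes -c took effect; the fail-hard strategy leaves the agent empty and reports the refusal, which is the outcome the earlier message asks for.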

#493874#48
Date: 2019-12-28 10:48:31 UTC
My best guess is that with gnome-keyring and ssh-agent both having no
DISPLAY= variable set, it's unable to ask for confirmation. I'll file a
separate bug, but this one can be closed?