SSH keys can’t be deleted from agent

Tags: ssh, ssh-agent, Ubuntu

My Ubuntu 18.04 keeps adding all my SSH keys into the ssh agent upon startup and I am unable to delete them. Having so many keys in the agent breaks authentication to servers that only permit 3 or 5 attempts.

~ $ ssh-add -l
2048 SHA256:7mW8C9RNZ75U...ArHq+9kSZLmny0Y google_compute_engine (RSA)
2048 SHA256:OUD4Vy0LKWp2...AwNKTbdHDkjVkcU id_rsa.aws (RSA)
2048 SHA256:/Qbw+NcgXBTk...pi7bYs2eYm0k7B8 id_rsa.aws-eu (RSA)
2048 SHA256:cG5xEwfejo2O...8LqmP4gk2wAtzrk id_rsa (RSA)
2048 SHA256:5TgVaBUrlSvV...PHM46avPZIauVRY sftp-test2 (RSA)

When I try to delete them it says OK but they are still there:

~ $ ssh-add -D
All identities removed.

~ $ ssh-add -l
2048 SHA256:7mW8C9RNZ75U...ArHq+9kSZLmny0Y google_compute_engine (RSA)
2048 SHA256:OUD4Vy0LKWp2...AwNKTbdHDkjVkcU id_rsa.aws (RSA)
2048 SHA256:/Qbw+NcgXBTk...pi7bYs2eYm0k7B8 id_rsa.aws-eu (RSA)
2048 SHA256:cG5xEwfejo2O...8LqmP4gk2wAtzrk id_rsa (RSA)
2048 SHA256:5TgVaBUrlSvV...PHM46avPZIauVRY sftp-test2 (RSA)

With so many identities loaded in the agent I can't even specify an explicit key on the command line; it still fails:

~ $ ssh 192.168.56.5  -i ~/.ssh/test
Received disconnect from 192.168.56.5 port 22:2: Too many authentication failures
Disconnected from 192.168.56.5 port 22

The only thing I can do is unset SSH_AUTH_SOCK altogether and then I can at least use ssh -i ... but that's inconvenient.

TL;DR

How can I delete all the identities from the agent and prevent them from loading again next time? I.e. how do I make it behave like ssh-agent used to?

Best Answer

This may be due to a bug in ssh-add -d/-D not removing keys. There were some bug reports about it, e.g.

The exact issue is:

ssh-add -d/-D deletes only manually added keys from gnome-keyring. There is no way to delete automatically added keys. This is the original bug, and it's still definitely present.

Allowing ssh-add -d to apply to automatically-loaded keys (and ssh-add -t X to change the lifetime of automatically-loaded keys), would restore the behaviour most users expect.

A possible workaround:

Do ssh-add -D to delete all your manually added keys.

Navigate to your ~/.ssh folder and move all your key files except the one you want to identify with into a separate folder called backup. If necessary you can also open seahorse and delete the keys from there.

Another workaround:

What you really want to do is to turn off gpg-keyring-daemon altogether. Go to System --> Preferences --> Startup Applications, and unselect the "SSH Key Agent (Gnome Keyring SSH Agent)" box -- you'll need to scroll down to find it.

You'll still get an ssh-agent, only now it will behave sanely: no keys autoloaded, you run ssh-add to add them, and if you want to delete keys, you can.

This comment actually suggests:

The solution is to keep gnome-keyring-manager from ever starting up, which was strangely difficult but finally achieved by removing the program file's execute permission.
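As an added example (not code from the question or the answer above), the following script shows why the explicit `-i` key in the question still fails and a client-side mitigation that does not require unsetting SSH_AUTH_SOCK or disabling the keyring agent: ssh offers agent keys before an identity file that is not loaded in the agent, so with a low MaxAuthTries the budget is spent before the right key is tried, and `IdentitiesOnly=yes` makes ssh skip agent keys that are not named by `-i`/`IdentityFile`. The host 192.168.56.5 and key ~/.ssh/test are taken from the question; the server limit MAX_TRIES is an assumed value used only for the local check.

```shell
#!/bin/sh
# Added example, not code from the question or answer above.
# ssh tries agent keys before an -i key that is not loaded in the agent, so an
# agent holding more keys than the server's MaxAuthTries exhausts the attempt
# budget first. IdentitiesOnly=yes restricts ssh to the identities named by
# -i/IdentityFile without unsetting SSH_AUTH_SOCK.
# Assumptions: host 192.168.56.5 and key ~/.ssh/test come from the question;
# MAX_TRIES is an assumed server limit used only for the local check.

# Count identities the agent holds, given `ssh-add -l` output on stdin.
# Each loaded key prints as "<bits> <fingerprint> <comment> (<type>)"; an empty
# agent prints "The agent has no identities.", which the pattern does not match.
agent_key_count() {
    awk '/^[0-9]+ SHA256:/ { n++ } END { print n + 0 }'
}

# True (exit 0) when the agent alone would consume the server's attempt budget,
# i.e. every allowed attempt is spent on an agent key before the -i key is tried.
agent_exhausts_tries() {
    count=$1; max_tries=$2
    [ "$count" -ge "$max_tries" ]
}

# Command line that restricts ssh to the one explicitly given identity.
explicit_key_cmd() {
    host=$1; key=$2
    printf 'ssh -o IdentitiesOnly=yes -i %s %s\n' "$key" "$host"
}

# Constructed sample mirroring the five keys listed in the question.
SAMPLE='2048 SHA256:7mW8C9RNZ75U...ArHq+9kSZLmny0Y google_compute_engine (RSA)
2048 SHA256:OUD4Vy0LKWp2...AwNKTbdHDkjVkcU id_rsa.aws (RSA)
2048 SHA256:/Qbw+NcgXBTk...pi7bYs2eYm0k7B8 id_rsa.aws-eu (RSA)
2048 SHA256:cG5xEwfejo2O...8LqmP4gk2wAtzrk id_rsa (RSA)
2048 SHA256:5TgVaBUrlSvV...PHM46avPZIauVRY sftp-test2 (RSA)'

MAX_TRIES=3   # assumed server limit, as in the question's "3 or 5 attempts"
count=$(printf '%s\n' "$SAMPLE" | agent_key_count)
if agent_exhausts_tries "$count" "$MAX_TRIES"; then
    echo "agent holds $count keys but the server allows $MAX_TRIES attempts; use:"
    explicit_key_cmd 192.168.56.5 '~/.ssh/test'
fi
```

The same effect can be made permanent with `IdentitiesOnly yes` and an `IdentityFile` line in a `Host` stanza of ~/.ssh/config.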