ssh – Too many keys being added to ssh-agent in CentOS 6 – how can I stop this?

ssh-agent

I was trying to debug an ssh problem, "Too many authentication failures", and found with ssh -vv that ssh is presenting lots of keys before falling back to trying a password.

On investigation I find that these keys are added somehow with ssh-agent running from startx when X11 is started.

I have a lot of keys in my ~/.ssh directory for different machines, transferred through many system updates over the years. I had not even realized that ssh-agent was running.

I thought that ssh-add, per the manpage, would add by default just id_dsa, id_rsa and identity.
But somehow it is adding BillBrewer.pub, JanStewer.pub, PeterGurney.pub, PeterDavy.pub, DanlWhiddon, HarryHawke.pub, OldUncleTomCobley.pub as well, and presenting the whole lot on every login session when I expect to give a password. So sshd on the server decides that enough is enough and disconnects.

How can I control this behaviour? Apart from removing my extra public keys from my .ssh directory and just keeping the private ones I need, but that's always been a convenient place to keep them in the past.

For that matter, how can I stop ssh-agent running if I want to?

Is this a security issue (sending keys to servers that are not supposed to get them)?

I realize that I can override it on a per-session basis with -o PreferredAuthentications=password, but I'd prefer a systemic fix.

  • More strangeness: I tried using ssh-add -D to remove all identities, or ssh-add -d *.pub, but when I use ssh-add -l, they are all still there.

CentOS release 6.5, OpenSSH_5.3p1, openssh-clients-5.3p1

Best Answer

Well, first off, keys are supposed to identify the client, not the remote server. Thus you should only have a very small number of keys (such as 1).

The official ssh-agent utility itself will only look for a few predefined names when looking for your keys (~/.ssh/id_rsa, ~/.ssh/id_dsa, ~/.ssh/id_ecdsa and ~/.ssh/identity).
However, there are other ssh key agents besides ssh-agent. You likely have a keyring daemon running (such as gnome-keyring-daemon). The keyring daemon is likely started by your desktop environment by default. Go poking around in your desktop environment session settings to turn it off.

You can also put IdentitiesOnly=yes in your ~/.ssh/config file, but I wouldn't consider this the "right" answer.

In regards to sending extra keys to the server: no, this is not any sort of security risk.
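To see why the server gives up before the password prompt, it helps to count how many identities the client offers in an ssh -vv transcript against the server's attempt budget. This is an added shell example, not code from the question or answer; the transcript below is constructed to mimic OpenSSH 5.x "ssh -vv" output, and MAX_AUTH_TRIES=6 assumes sshd's default MaxAuthTries.

```shell
#!/bin/sh
# Added diagnostic helper (not from the question or answer): count the
# identities the ssh client offers and compare with sshd's MaxAuthTries.

# Constructed transcript mimicking OpenSSH 5.x "ssh -vv" output; not a real capture.
SAMPLE_LOG='debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering public key: /home/user/.ssh/BillBrewer
debug1: Authentications that can continue: publickey,password
debug1: Offering public key: /home/user/.ssh/JanStewer
debug1: Authentications that can continue: publickey,password
debug1: Offering public key: /home/user/.ssh/PeterGurney
debug1: Authentications that can continue: publickey,password
debug1: Offering public key: /home/user/.ssh/PeterDavy
debug1: Authentications that can continue: publickey,password
debug1: Offering public key: /home/user/.ssh/DanlWhiddon
debug1: Authentications that can continue: publickey,password
debug1: Offering public key: /home/user/.ssh/HarryHawke
Received disconnect from 192.0.2.10: 2: Too many authentication failures for user'

MAX_AUTH_TRIES=6   # sshd default (assumed); each rejected key is one failed attempt

# Print the identity paths offered, one per line, from a transcript on stdin.
offered_key_paths() {
    sed -n 's/^debug1: Offering public key: //p'
}

# Count offered identities in a transcript on stdin (prints 0 if none).
count_offered_keys() {
    offered_key_paths | wc -l | tr -d ' '
}

# Return 0 if $1 offered keys still leave room for a password attempt
# within $2 tries (default MAX_AUTH_TRIES); return 1 if the budget is used up.
check_auth_budget() {
    tries="${2:-$MAX_AUTH_TRIES}"
    if [ "$1" -ge "$tries" ]; then
        echo "WARNING: $1 keys offered, MaxAuthTries=$tries: password prompt never reached" >&2
        return 1
    fi
    echo "OK: $1 keys offered, $((tries - $1)) attempt(s) left for password"
    return 0
}

main() {
    printf '%s\n' "$SAMPLE_LOG" | offered_key_paths
    n=$(printf '%s\n' "$SAMPLE_LOG" | count_offered_keys)
    check_auth_budget "$n"
}
main
```

On a real system, replace SAMPLE_LOG with the output of `ssh -vv host 2>&1`; the list of offered paths shows which agent (ssh-agent or a keyring daemon) is supplying the extra identities.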