GPG agent won't remove my SSH key from its keyring


14

I have a very annoying problem. I can't get gpg-agent to remove my SSH key from its keyring; it is still there even after multiple reboots.

$ ssh-add -D
SSH_AGENT_FAILURE
Failed to remove all identities.

Even when I tell it to remove the identity:

$ ssh-add -d /path/to/private/key
Identity removed: /path/to/private/key

And then I look:

$ ssh-add -l
4096 1b:cb:52:a6:e5:13:e6:78:14:12:92:8f:34:8f:92:88 /path/to/private/key

It is still there.

Where is this cached? For some reason it seems to be writing to disk, which is a scary thing for an SSH agent. I'm running the following to start gpg-agent:

gpg-agent --enable-ssh-support --daemon

Everything else works fine, but it caches this file somewhere and I need to delete it.

Answers:


15

As with most things in GPG, the ssh credentials are cached in the .gnupg directory, specifically in ~/.gnupg/sshcontrol, which looks like this:

# List of allowed ssh keys.  Only keys present in this file are used
# in the SSH protocol.  The ssh-add tool may add new entries to this
# file to enable them; you may also add them manually.  Comment
# lines, like this one, as well as empty lines are ignored.  Lines do
# have a certain length limit but this is not serious limitation as
# the format of the entries is fixed and checked by gpg-agent. A
# non-comment line starts with optional white spaces, followed by the
# keygrip of the key given as 40 hex digits, optionally followed by a
# the caching TTL in seconds and another optional field for arbitrary
# flags.   Prepend the keygrip with an '!' mark to disable it.

# Key added on: 2013-09-19 22:15:50
# Fingerprint:  8b:56:b0:3f:c8...
681BF1EFF... 0
# Key added on: 2013-09-20 17:14:36
# Fingerprint:  4b:cb:7e:b0:d7...
F7BCEBD1C... 0

As mentioned in the comments, you can remove a key by deleting it, or disable it with !. I haven't tested it, but I imagine "disabling" a key means you can't explicitly enable or add it without editing the file.


These are just the key fingerprints. The private keys are still stored in ~/.gnupg/private-keys-v1.d/
dlitz '19

But they are no longer visible to the ssh agent.
larsk
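An added example, not code from the answer above: it parses the sshcontrol format the answer shows (a 40-hex keygrip, optional TTL, optional flags, a leading ! to disable) using constructed file content in place of ~/.gnupg/sshcontrol, reports which keygrips the agent will actually offer to SSH clients, and applies the file-level disable the answer mentions. The keygrips and the "confirm" flag in the sample are made up for the example.

```shell
#!/bin/sh
# Added example, not from the original answer. Constructed content standing in
# for ~/.gnupg/sshcontrol: two entries in the answer's layout (with made-up
# 40-hex keygrips), one disabled with "!", one indented, and one malformed line.
SAMPLE_SSHCONTROL='# List of allowed ssh keys.
# Key added on: 2013-09-19 22:15:50
# Fingerprint:  8b:56:b0:3f:c8...
681BF1EF681BF1EF681BF1EF681BF1EF681BF1EF 0
# Key added on: 2013-09-20 17:14:36
# Fingerprint:  4b:cb:7e:b0:d7...
!F7BCEBD1F7BCEBD1F7BCEBD1F7BCEBD1F7BCEBD1 3600 confirm
   0123456789ABCDEF0123456789ABCDEF01234567
not-a-keygrip this line would be rejected by gpg-agent'

# Print one line per entry: "<enabled|disabled> <KEYGRIP> <ttl> <flags>".
# Comments, blank lines and anything that is not a 40-hex keygrip are skipped.
parse_sshcontrol() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        {
            grip = $1; state = "enabled"
            if (substr(grip, 1, 1) == "!") { state = "disabled"; grip = substr(grip, 2) }
            if (length(grip) != 40 || grip !~ /^[0-9A-Fa-f]+$/) { next }
            ttl = (NF >= 2) ? $2 : "0"        # missing TTL means 0 (no expiry)
            flags = (NF >= 3) ? $3 : "-"
            print state, toupper(grip), ttl, flags
        }'
}

# Keygrips the agent will actually offer to SSH clients: enabled entries only.
enabled_keygrips() {
    parse_sshcontrol "$1" | awk '$1 == "enabled" { print $2 }'
}

# Return the file content with one keygrip disabled by prepending "!", the
# file-level change the answer describes; comments and other entries are kept.
disable_keygrip() {
    printf '%s\n' "$1" | awk -v grip="$2" '
        $1 == grip { sub(grip, "!" grip) }
        { print }'
}
```

Run it against the real file with `parse_sshcontrol "$(cat ~/.gnupg/sshcontrol)"` to see which keygrips are still enabled; a grip that stays listed here will keep showing up in ssh-add -l.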

13

Yes, it seems ssh-add -d is broken with gpg's agent. Here is a workaround using other commands.

Run gpg-connect-agent from the command line to connect to the agent. Then, at the prompt there, enter this command to list the ssh keys:

KEYINFO --ssh-list --ssh-fpr

You should see something like the following:

S KEYINFO 3365433C34421CC53B52C9A82169FD2328CF610B D - - - P df:a2:36:8d:ad:88:b3:cc:00:96:10:d4:c9:2c:e0:df - S
OK

Now, to delete it from the agent:

DELETE_KEY 3365433C34421CC53B52C9A82169FD2328CF610B

It will say:

OK

Now exit with the BYE command:

BYE
OK closing connection

Now verify with ssh-add -l and you will see that it is gone.


After entering DELETE_KEY <id> I got a prompt with more info about where the file came from... helps to figure out which key it is
Sam Mason

1

If you want a script, do the following:

keys=$(gpg-connect-agent 'keyinfo --list' /bye | awk '{print $3}' | head -n -1)
for key in $keys; do gpg-connect-agent "delete_key $key --force" /bye; done

I'm not an expert here, so I'm just giving the simple script that I use. Nothing fancy.

Licensed under cc by-sa 3.0 with attribution required.