Deleting SSH key(s) from agent

Peter Lebbing peter at digitalbrains.com
Sun Aug 21 12:27:37 CEST 2016


On 21/08/16 00:11, Karol Babioch wrote:
> More specifically it seems to be impossible to delete identities from
> the agent once they are added.

Let me answer by example:

---------------------8<------------------->8---------------------

$ ssh-add -l
2048 27:f1:31:87:c8:05:5e:30:32:04:61:83:af:f5:8d:a1 cardno:000500000241 (RSA)
2048 69:22:fd:08:4e:a5:77:c5:2c:1c:c5:e4:e3:e0:96:96 /home/peter/.ssh/id_rsa (RSA)
256 03:92:b4:ff:0b:8c:dc:39:63:d0:18:c1:1e:78:12:ff test_id (ED25519)
$ gpg-connect-agent
> KEYINFO --ssh-list --ssh-fpr
S KEYINFO ECBEA361DD2230F79F086E3CAE198EB94A0CE6CF D - - 1 P 69:22:fd:08:4e:a5:77:c5:2c:1c:c5:e4:e3:e0:96:96 - S
S KEYINFO 5D73C7891879A68CE056175C3563F7064B03BAE8 D - - - P 03:92:b4:ff:0b:8c:dc:39:63:d0:18:c1:1e:78:12:ff - S
OK
> DELETE_KEY 5D73C7891879A68CE056175C3563F7064B03BAE8
OK
> /bye
$ ssh-add -l
2048 27:f1:31:87:c8:05:5e:30:32:04:61:83:af:f5:8d:a1 cardno:000500000241 (RSA)
2048 69:22:fd:08:4e:a5:77:c5:2c:1c:c5:e4:e3:e0:96:96 /home/peter/.ssh/id_rsa (RSA)

---------------------8<------------------->8---------------------

gpg-agent does not identify keys by the SSH fingerprint, but rather by 
a so-called keygrip. First I listed my keys known to ssh-add. Then I 
requested the same list through gpg-connect-agent, and this time it 
will show the keygrip as well as the SSH fingerprint. Using the 
information I thus learned, I was able to execute the DELETE_KEY 
statement using the keygrip of the "test_id" key I wanted to delete. 
Note that you can also delete the file 
"~/.gnupg/private-keys-v1.d/{KEYGRIP}.key" instead of using the 
DELETE_KEY agent command.


> The same is true for locking the agent down. This feature seems to be
> not implemented at all. I can lock the agent, but it makes no difference
> whether or not it is actually locked or unlocked, it always operates
> normally.

You can make the GnuPG agent forget any cached passphrases through:

$ gpg-connect-agent reloadagent /bye

While this is different from "ssh-add -x", it's also a form of locking 
down.

Note that I answered these questions using GnuPG v2.1.

HTH,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>
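An added example, not Peter's own code, that scripts the lookup walked through above: it parses the output of "KEYINFO --ssh-list --ssh-fpr" to map an "ssh-add -l" MD5 fingerprint to its keygrip, and only then issues DELETE_KEY for that keygrip. It assumes the GnuPG 2.1 KEYINFO field layout shown in the session above; the sample lines are constructed from that session, and the function names are my own.

```shell
#!/bin/sh
# Delete an SSH key from gpg-agent by the fingerprint ssh-add shows.
# gpg-agent addresses keys by keygrip, so the fingerprint must be mapped first.
#
# Field layout of a "S KEYINFO" line (GnuPG 2.1, as in the session above):
#   S KEYINFO <keygrip> <type> <serial> <idstr> <cached> <prot> <ssh-fpr> <ttl> <flags>
# i.e. the keygrip is field 3 and the SSH fingerprint is field 9.
#
# Constructed sample of "KEYINFO --ssh-list --ssh-fpr" output, taken from the
# session above. Used when no live agent output is passed in.
SAMPLE_KEYINFO='S KEYINFO ECBEA361DD2230F79F086E3CAE198EB94A0CE6CF D - - 1 P 69:22:fd:08:4e:a5:77:c5:2c:1c:c5:e4:e3:e0:96:96 - S
S KEYINFO 5D73C7891879A68CE056175C3563F7064B03BAE8 D - - - P 03:92:b4:ff:0b:8c:dc:39:63:d0:18:c1:1e:78:12:ff - S
OK'

# keygrip_for_fpr FPR [KEYINFO_TEXT]
# Prints the keygrip whose SSH fingerprint equals FPR; returns 1 if none.
# The fingerprint must be in the colon-separated MD5 form shown above
# (newer OpenSSH prints SHA256 by default; use "ssh-add -l -E md5").
# With only FPR given, the agent is queried through gpg-connect-agent.
keygrip_for_fpr() {
    fpr=$1
    text=${2:-$(gpg-connect-agent 'KEYINFO --ssh-list --ssh-fpr' /bye)}
    printf '%s\n' "$text" | awk -v fpr="$fpr" '
        $1 == "S" && $2 == "KEYINFO" && $9 == fpr { print $3; found = 1; exit }
        END { exit found ? 0 : 1 }'
}

# delete_ssh_key_by_fpr FPR
# Resolves FPR to a keygrip and runs DELETE_KEY on it. A fingerprint the
# agent does not report under KEYINFO (e.g. the cardno: key in the session
# above) produces no match, and nothing is deleted.
delete_ssh_key_by_fpr() {
    grip=$(keygrip_for_fpr "$1") || {
        echo "no gpg-agent key with SSH fingerprint $1" >&2
        return 1
    }
    gpg-connect-agent "DELETE_KEY $grip" /bye
}
```

Against a live agent, run "delete_ssh_key_by_fpr <fingerprint>"; "ssh-add -l" afterwards should no longer list the key, as in the session above.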


