Bug#513235: gnome-keyring: selects wrong key when multiple ssh identities are used
bjorn at mork.no
Tue Jan 27 15:36:53 UTC 2009
Josselin Mouette <joss at debian.org> writes:
> severity 513235 important
> Le mardi 27 janvier 2009 à 15:43 +0100, Bjørn Mork a écrit :
>> Package: gnome-keyring
>> Version: 2.22.3-2
>> Severity: critical
>> Tags: security
>> Justification: breaks unrelated software
> No, SSH is not unrelated software. Not only it is related, but it is not
> “broken” by this bug.
But at least to me, ssh and gdm are completely unrelated. Those were
the two packages I tried to use. The usage of gnome-keyring was
completely unwanted and unexpected, and breaking ssh was even more
>> I regularily log into a system which uses different ssh keys to select different
>> configurations. This fails if gnome-keyring-daemon is running. It seems to use
>> previously learned keys even if you specify "ssh -i <keyfile>", or use the
>> IdentityFile keyword in ~/.ssh/config.
> It would be interesting to see whether this happens if you use ssh-agent
> instead of gnome-keyring. If you add the first key to the agent, do you
> see the same behavior with "ssh -i key2" ?
Just running ssh-agent isn't a problem. But you're right that any key
added to the agent seems to be used before other keys. If I add the key
to ssh-agent, then it will be used first.
Let me add that to the already long list of reasons why I don't run
> My guess is that ssh tries the keys proposed by the agent before those
> passed with the -i option. And if this is the case, there is nothing
> that can be changed in gnome-keyring-daemon for that.
Sure there is. It seems to add some keys by default. Which ones? and
why? ssh-agent does not.
>> Please fix before releasing lenny. Or at least disable gnome-keyring-daemon
>> on default installations.
> /usr/share/doc/gnome-keyring/README.Debian documents how to disable the
> SSH agent functionality.
Thanks. That'll save me from having to install kdm I guess.
More information about the pkg-gnome-maintainers