Bug#513235: gnome-keyring: selects wrong key when multiple ssh identities are used
Bjørn Mork
bjorn at mork.no
Tue Jan 27 15:36:53 UTC 2009
Josselin Mouette <joss at debian.org> writes:
> severity 513235 important
> thanks
>
> Le mardi 27 janvier 2009 à 15:43 +0100, Bjørn Mork a écrit :
>> Package: gnome-keyring
>> Version: 2.22.3-2
>> Severity: critical
>> Tags: security
>> Justification: breaks unrelated software
>
> No, SSH is not unrelated software. Not only is it related, but it is not
> “broken” by this bug.
Well, OK.
But at least to me, ssh and gdm are completely unrelated. Those were
the two packages I tried to use. The usage of gnome-keyring was
completely unwanted and unexpected, and breaking ssh was even more
unexpected.
>> I regularly log into a system which uses different ssh keys to select different
>> configurations. This fails if gnome-keyring-daemon is running. It seems to use
>> previously learned keys even if you specify "ssh -i <keyfile>", or use the
>> IdentityFile keyword in ~/.ssh/config.
>
> It would be interesting to see whether this happens if you use ssh-agent
> instead of gnome-keyring. If you add the first key to the agent, do you
> see the same behavior with "ssh -i key2" ?
Just running ssh-agent isn't a problem. But you're right that any key
added to the agent seems to be used before other keys. If I add the key
to ssh-agent, then it will be used first.
Let me add that to the already long list of reasons why I don't run
ssh-agent...
> My guess is that ssh tries the keys proposed by the agent before those
> passed with the -i option. And if this is the case, there is nothing
> that can be changed in gnome-keyring-daemon for that.
Sure there is. It seems to add some keys by default. Which ones? And
why? ssh-agent does not.
>> Please fix before releasing lenny. Or at least disable gnome-keyring-daemon
>> on default installations.
>
> /usr/share/doc/gnome-keyring/README.Debian documents how to disable the
> SSH agent functionality.
Thanks. That'll save me from having to install kdm I guess.
Bjørn
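
Added example, not part of the message above or of any Debian or GNOME package: the thread observes that keys held by an agent are tried before the key named with `-i` or `IdentityFile`, and OpenSSH's `IdentitiesOnly yes` option in ssh_config restricts ssh to the configured identities even when an agent offers more. The script lists `Host` blocks that pin a key without that option; the function names, host names and key paths are constructed placeholders, and it assumes the option is set either per block or before the first `Host` line.

```shell
#!/bin/sh
# Added example (not from the thread): list Host blocks that pin a key with
# IdentityFile but lack "IdentitiesOnly yes", so agent keys can be tried first.
audit_ssh_config() {
    awk '
    function report() {
        if (host != "" && has_id && !only && !global_only) print host
    }
    {
        line = $0
        sub(/^[ \t]+/, "", line)                 # strip indentation
        if (line == "" || line ~ /^#/) next      # skip blanks and comments
        if (!match(line, /[ \t=]+/)) next        # keyword ends at blank or "="
        key = tolower(substr(line, 1, RSTART - 1))
        val = substr(line, RSTART + RLENGTH)
        sub(/[ \t]+$/, "", val)
        if (key == "host" || key == "match") {   # a new block starts
            report(); host = val; has_id = 0; only = 0
        } else if (key == "identityfile") {
            has_id = 1
        } else if (key == "identitiesonly" && tolower(val) == "yes") {
            # Before the first Host/Match the option applies to every host.
            if (host == "") global_only = 1; else only = 1
        }
    }
    END { report() }
    ' "$1"
}

# Constructed sample config: host names and key paths are placeholders.
sample_config() {
    cat <<'EOF'
Host config-a
    HostName server.example.org
    IdentityFile ~/.ssh/id_config_a

Host config-b
    HostName server.example.org
    identityfile=~/.ssh/id_config_b
    IdentitiesOnly yes

Host plain
    HostName other.example.org
EOF
}

tmp=$(mktemp) && sample_config > "$tmp" && audit_ssh_config "$tmp"; rm -f "$tmp"
```

A `Host *` block placed later in the file is not treated as a global setting by this check.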