Note that there are at least two bug reports for ssh-add -d/-D not removing keys:
- «Debian Bug report #472477: ssh-add -D does not remove SSH key from gnome-keyring-daemon memory»
- «Ubuntu: ssh-add -D deleting all identities does not work. Also, why are all identities auto-added?»
The exact issue is: ssh-add -d/-D deletes only manually added keys from gnome-keyring. There is no way to delete automatically added keys.
This is the original bug, and it’s still definitely present. So, for example, if you have two different automatically-loaded ssh identities associated with two different GitHub accounts — say for work and for home — there’s no way to switch between them. GitHub takes the first one which matches, so you always appear as your ‘home’ user to GitHub, with no way to upload things to work projects.
Allowing ssh-add -d to apply to automatically-loaded keys (and ssh-add -t X to change the lifetime of automatically-loaded keys) would restore the behavior most users expect.
More precisely, about the issue:
The culprit is gpg-keyring-daemon:
- It subverts the normal operation of ssh-agent, mostly just so that it can pop up a pretty box into which you can type the passphrase for an encrypted ssh key.
- And it paws through your .ssh directory, and automatically adds any keys it finds to your agent.
- And it won’t let you delete those keys.
How do we hate this? Let’s not count the ways — life’s too short.
The failure is compounded because newer ssh clients automatically try all the keys in your ssh-agent when connecting to a host. If there are too many, the server will reject the connection. And since gnome-keyring-daemon has decided for itself how many keys you want your ssh-agent to have, and has autoloaded them, AND WON’T LET YOU DELETE THEM, you’re toast.
This bug is still confirmed in Ubuntu 14.04.4, as recently as two days ago (August 21st, 2014).
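The "too many keys" failure above is easy to check for before it bites. The script below is an added example, not code from the original post: it tells you which agent is answering on SSH_AUTH_SOCK, counts the identities it will offer, and prints a ~/.ssh/config stanza that pins one key per host. The "keyring" socket-path pattern and the MaxAuthTries value of 6 are assumptions (the sshd default); the sample `ssh-add -l` listing is constructed.

```shell
#!/bin/sh
# Added example, not part of the original post: check which agent answers
# on SSH_AUTH_SOCK and how many identities it will offer. Each key the server
# refuses counts against sshd's MaxAuthTries (default 6), which is how an
# auto-loaded key set ends in "Too many authentication failures". The socket
# path pattern and the MaxAuthTries value are assumptions; adjust to taste.

MAX_AUTH_TRIES=6   # sshd default; the server you connect to may differ

# Classify an agent socket path: gnome-keyring's socket sits under a
# "keyring" directory (e.g. /run/user/1000/keyring/ssh), ssh-agent's does not.
agent_kind() {   # agent_kind SOCKET_PATH
    case "$1" in
        "")        echo none ;;
        *keyring*) echo gnome-keyring ;;
        *)         echo ssh-agent ;;
    esac
}

# Count identities in `ssh-add -l` output read from stdin. Lines look like
# "2048 SHA256:... comment (RSA)" or, on older clients, "2048 ab:cd:... (RSA)";
# "The agent has no identities." matches nothing, so the count is 0.
count_identities() {
    grep -c -E '^[0-9]+ (SHA256:|MD5:|[0-9a-f]{2}:)' || true
}

# True when the worst case (right key offered last) exceeds the limit.
too_many_keys() {   # too_many_keys COUNT
    [ "$1" -gt "$MAX_AUTH_TRIES" ]
}

# A ~/.ssh/config stanza that makes ssh offer exactly one key to HOST no
# matter what the agent holds (IdentitiesOnly is a standard ssh_config option).
pin_identity() {   # pin_identity HOST KEYFILE
    printf 'Host %s\n    IdentityFile %s\n    IdentitiesOnly yes\n' "$1" "$2"
}

# Constructed sample of `ssh-add -l` output, for demonstration only.
SAMPLE_LISTING='2048 SHA256:aaaa home@laptop (RSA)
2048 SHA256:bbbb work@laptop (RSA)
256 SHA256:cccc spare (ED25519)'

main() {
    echo "agent: $(agent_kind "${SSH_AUTH_SOCK:-}")"
    n=$(ssh-add -l 2>/dev/null | count_identities)
    echo "identities offered: $n"
    if too_many_keys "$n"; then
        echo "warning: more than $MAX_AUTH_TRIES keys; pin one per host, e.g.:"
        pin_identity github.com '~/.ssh/id_rsa_work'
    fi
}
main "$@"
```

The IdentitiesOnly stanza is the per-host escape hatch for the two-GitHub-accounts case: ssh then offers only the named file, whatever gnome-keyring has loaded.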
A possible workaround:
- Do ssh-add -D to delete all your manually added keys. This also locks the automatically added keys, but is not much use since gnome-keyring will ask you to unlock them anyways when you try doing a git push.
- Navigate to your ~/.ssh folder and move all your key files except the one you want to identify with into a separate folder called backup. If necessary you can also open seahorse and delete the keys from there.
- Now you should be able to do git push without a problem.
Another workaround:
What you really want to do is to turn off gpg-keyring-daemon altogether.
Go to System --> Preferences --> Startup Applications, and unselect the «SSH Key Agent (Gnome Keyring SSH Agent)» box — you’ll need to scroll down to find it. You’ll still get an ssh-agent, only now it will behave sanely: no keys autoloaded, you run ssh-add to add them, and if you want to delete keys, you can. Imagine that.
This comment actually suggests:
The solution is to keep gnome-keyring-manager from ever starting up, which was strangely difficult but finally achieved by removing the program file’s execute permission.
Ryan Lue adds another interesting corner case in the comments:
In case this helps anyone: I even tried deleting the id_rsa and id_rsa.pub files altogether, and the key was still showing up. Turns out gpg-agent was caching them in a ~/.gnupg/sshcontrol file; I had to manually delete them from there.
That is the case when the keygrip has been added as in here.
Changing SSH keys on a running server using the Customer Portal will reinstall and wipe all data on the server. You can manually change SSH keys without reinstalling the server by following this Quickstart Guide.
Prerequisites
- To follow this guide, you must have an SSH key in OpenSSH format. See our guide to create an SSH key.
- This guide applies to Linux and BSD servers.
- This guide is suitable for Linux, Mac, or Windows workstations.
Add SSH Key to Vultr Instance
Deploy a new SSH key from a Linux or Mac workstation with ssh-copy-id.
Linux and Mac workstations
The ssh-copy-id utility is pre-installed on most Linux distributions. Mac workstations can install it via Homebrew, MacPorts, or using curl.
Use the utility to add your public key to the server.
- Specify the correct public key with the -i [path to public key] parameter.
- Specify the username and server IP address (or domain name) as shown. For example, the root user at 192.0.2.123:
$ ssh-copy-id -i ~/.ssh/id_rsa.pub root@192.0.2.123
The utility will report some basic information and prompt for your password.
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/home/example_user/.ssh/id_rsa.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@192.0.2.123's password:
Enter your password and the utility installs the key.
Number of key(s) added: 1
Now try logging into the machine, with: "ssh 'root@192.0.2.123'"
and check to make sure that only the key(s) you wanted were added.
Windows workstations
Windows workstations can mimic the ssh-copy-id utility with a one-line PowerShell command. The example shown pipes the public key through SSH from the current user’s profile to the root user’s ~/.ssh/authorized_keys.
PS> type $env:USERPROFILE\.ssh\id_rsa.pub | ssh root@192.0.2.123 "cat >> .ssh/authorized_keys"
Alternate method for any workstation type
- SSH to the server.
- Edit ~/.ssh/authorized_keys.
- Append your public key to the file.
- Save and exit.
There are no common automatic methods to delete a public key; you must remove it manually.
- SSH to your server.
- Edit ~/.ssh/authorized_keys.
- Remove the line containing your key.
- Save and exit.
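The manual add and remove steps above can be scripted on the server side. The functions below are an added example, not Vultr's own tooling: adding is idempotent (the same filtering ssh-copy-id does), and removal matches the base64 key material rather than the whole line, so a key is still found when its comment was edited or an options prefix such as from="..." was added. The file paths and the two sample keys are constructed; the key blobs are placeholders, not real keys.

```shell
#!/bin/sh
# Added example, not Vultr's own tooling: add or remove one public key in an
# authorized_keys file on the server side. Adding is idempotent (ssh-copy-id
# filters already-installed keys the same way) and removal matches the key
# material itself, so a key is found even if its comment was edited or an
# options prefix such as from="..." precedes it. Paths and keys are constructed.

KEY_TYPE_RE='^(ssh-(rsa|ed25519|dss)|ecdsa-sha2-nistp(256|384|521))$'

# Print the base64 blob that follows the key-type field of PUBKEY.
key_blob() {   # key_blob PUBKEY
    printf '%s\n' "$1" | awk -v re="$KEY_TYPE_RE" \
        '{ for (i = 1; i < NF; i++) if ($i ~ re) { print $(i + 1); exit } }'
}

# Exit 0 if the key material already appears as a field on some line of FILE.
has_key() {   # has_key FILE PUBKEY
    blob=$(key_blob "$2")
    [ -n "$blob" ] && [ -f "$1" ] &&
        awk -v b="$blob" '{ for (i = 1; i <= NF; i++) if ($i == b) f = 1 } END { exit !f }' "$1"
}

add_key() {   # add_key FILE PUBKEY
    [ -n "$(key_blob "$2")" ] || return 2   # refuse lines with no key type/blob
    has_key "$1" "$2" && return 0           # already installed: nothing to do
    mkdir -p "$(dirname "$1")"
    printf '%s\n' "$2" >> "$1"
    chmod 600 "$1"                          # sshd (StrictModes) rejects lax modes
}

remove_key() {   # remove_key FILE PUBKEY
    blob=$(key_blob "$2")
    [ -n "$blob" ] || return 2
    awk -v b="$blob" '{ k = 1; for (i = 1; i <= NF; i++) if ($i == b) k = 0; if (k) print }' \
        "$1" > "$1.tmp.$$" && mv "$1.tmp.$$" "$1" && chmod 600 "$1"
}

# Number of key lines, ignoring blank lines and comments.
count_keys() {   # count_keys FILE
    awk -v re="$KEY_TYPE_RE" '/^[[:space:]]*#/ || NF == 0 { next }
        { for (i = 1; i <= NF; i++) if ($i ~ re) { n++; break } } END { print n + 0 }' "$1"
}

# Constructed sample keys: the blobs are placeholders, not real key material.
HOME_KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHOMEKEYPLACEHOLDER0000000000000000 home@laptop'
WORK_KEY='from="192.0.2.0/24" ssh-rsa AAAAB3NzaC1yc2EWORKKEYPLACEHOLDER0000000000== work@laptop'
```

Typical use on the server is `add_key ~/.ssh/authorized_keys "$(cat id_rsa.pub)"` and, when retiring a key, `remove_key ~/.ssh/authorized_keys "$(cat id_rsa.pub)"`; check with `count_keys ~/.ssh/authorized_keys` afterwards.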
Manage SSH Keys via API
The Vultr API offers several endpoints to manage SSH keys.
- Create a new SSH key for use with future instances. This does not update any running instances.
- List all SSH keys in your account.
- Get information about an SSH key.
- Update an SSH key.
- Delete an SSH key.
More Information
For more information about managing SSH keys, see our other guides:
- How to Generate SSH Keys
- Deploy a New Server with an SSH Key
- Connect to a Server Using an SSH Key
- Use an SSH Key for Non-root Users
I’m going to have to change my Windows PC with a colleague at the office.
I’ve added a few RSA ssh keys while playing around with git, github, heroku and a few others.
What’d be the best way to remove all my credentials from my Windows PC?
studiohack
asked Feb 15, 2011 at 3:45

You can use the mmc.exe application to manage the installed certificates. Start : Run… mmc.exe and add the Certificates plugin. The GUI will show you all the installed certificates and allow you to export/remove them.
answered Feb 15, 2011 at 6:36
Chris Nava

SSH keys have no standard location. If you generated them using OpenSSH’s ssh-keygen or PuTTY’s PuTTYgen, all you need is to delete the key files you created. (OpenSSH keeps them in ~/.ssh/ by default.)
Don’t forget a free-space wipe (cipher /w:C: will do).
answered Feb 15, 2011 at 14:05
user1686
If the server key has changed (for example, the server was reinstalled), ssh yells about a forged key. Note that if the server was not touched but ssh yells anyway, you are connecting to the wrong server (for example, another computer with the same IP has appeared on the network; local networks built on 192.168.1.1, of which there are several million in the world, suffer from this in particular). The "evil man in the middle attack" scenario is unlikely; more often it is simply a mistake with the IP. Still, if "everything is fine" but the key has changed, that is a reason to raise your paranoia a couple of levels (and if you authenticate by key and the server suddenly asks for a password, turn paranoia up to 100% and do not enter the password).
A known server key can be removed with the command ssh-keygen -R server. You also need to remove the key for the IP (they are stored separately): ssh-keygen -R 127.0.0.1.
The server key is stored in /etc/ssh/ssh_host_rsa_key and /etc/ssh/ssh_host_rsa_key.pub. You can:
a) copy them from the old server to the new one;
b) generate them with ssh-keygen. Do not set a passphrase (i.e., leave it empty); the ssh server cannot use a key with a passphrase.
Note that if you clone servers (for example, as virtual machines), the server's ssh keys must be regenerated.
It is better to remove the old keys from known_hosts as well, otherwise ssh will complain about a duplicate key.
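Because the name entry and the IP entry are separate records, a host-key warning is worth triaging before anything is deleted. The script below is an added example, not from the original article: it compares the key a server presents now with what known_hosts remembers for the name and for the IP, and prints the two ssh-keygen -R commands rather than running them. The sample known_hosts content is constructed; hashed (|1|...) entries and @cert-authority lines are deliberately out of scope.

```shell
#!/bin/sh
# Added example, not from the original article: triage a host-key warning
# before touching known_hosts. ssh records the key under the host name and
# under its IP as separate entries, so after a legitimate reinstall both must
# go (ssh-keygen -R twice), and a name entry that still matches while the IP
# entry does not means only the IP record is stale. Hashed (|1|...) entries
# and @cert-authority lines are not handled here.

# Print the key blob recorded for HOST in FILE (empty if none).
recorded_blob() {   # recorded_blob FILE HOST
    awk -v h="$2" '/^[[:space:]]*#/ || NF == 0 { next }
        { n = split($1, names, ","); for (i = 1; i <= n; i++) if (names[i] == h) { print $3; exit } }' "$1"
}

# unknown / unchanged / changed, comparing the presented blob with the record.
key_status() {   # key_status FILE HOST PRESENTED_BLOB
    old=$(recorded_blob "$1" "$2")
    if [ -z "$old" ]; then echo unknown
    elif [ "$old" = "$3" ]; then echo unchanged
    else echo changed
    fi
}

# Combine the verdicts for name and IP into one action word.
triage() {   # triage FILE HOST IP PRESENTED_BLOB
    by_name=$(key_status "$1" "$2" "$4")
    by_ip=$(key_status "$1" "$3" "$4")
    case "$by_name/$by_ip" in
        unchanged/changed)   echo ip-entry-stale ;;   # same host; only the IP record is old
        changed/*|*/changed) echo key-changed ;;      # reinstall, wrong machine, or worse: verify out of band
        unknown/unknown)     echo first-contact ;;    # nothing recorded yet: check the fingerprint
        *)                   echo ok ;;
    esac
}

# The article's removal step, printed rather than executed.
removal_commands() {   # removal_commands HOST IP
    printf 'ssh-keygen -R %s\nssh-keygen -R %s\n' "$1" "$2"
}

# Constructed known_hosts: the name entry was already updated, the IP entry was not.
SAMPLE_KNOWN_HOSTS='# comment line
git.example.com ssh-ed25519 AAAA_NEWKEY_PLACEHOLDER
192.0.2.10 ssh-ed25519 AAAA_OLDKEY_PLACEHOLDER
old.example.com,198.51.100.7 ssh-rsa AAAA_OTHER_PLACEHOLDER'
```

For a live check, take the blob from the third field of `ssh-keyscan -t ed25519 host` output and pass it to `triage ~/.ssh/known_hosts host ip blob`.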
Source: http://habrahabr.ru/post/122445/