https://bugzilla.mindrot.org/show_bug.cgi?id=2598
Bug ID: 2598
Summary: ssh-agent very occasionally won't remove keys or certs despite now() >= lifetime
Product: Portable OpenSSH
Version: 6.9p1
Hardware: amd64
OS: Mac OS X
Status: NEW
Severity: minor
Priority: P5
Component: ssh-agent
Assignee: unassigned-b...@mindrot.org
Reporter: mind...@hda3.com

Apologies for the vagueness of this report.

I add these ssh certs (and keys) to the ssh-agent with a lifetime set to when the cert will expire, e.g. 72k seconds. Very occasionally, an ssh-agent process won't actually remove the cert when the timer expires.

These are exclusively laptops, so my first thought was that maybe the laptop was asleep when the timer expired, but I've had a look through the ssh-agent code and it looks like reaper() checks now >= death for every entry. I've also been able to run 'ssh-add -l' (which looks like it forces a call to reaper, presumably expiring all keys with now >= death), and the certs still aren't removed.

Is my assumption wrong about reaper() being called every time 'ssh-add -l' is invoked? If it is called every time, is there any way, short of id->death getting set to 0, that a key could dodge removal?

I guess it's possible that my CA is actually adding a lifetime that's much longer than I think it is, but I suspect I'd see a lot more of this if that were the case.

I'm totally confused. :-/