Bug 506243 - gpg-agent should not be used in place of ssh-agent, possibly breaks users' security expectations
Summary: gpg-agent should not be used in place of ssh-agent, possibly breaks users' se...
Status: REPORTED
Alias: None
Product: neon
Classification: KDE Neon
Component: general (other bugs)
Version First Reported In: unspecified
Platform: Neon Linux
Priority: NOR  Severity: normal
Target Milestone: ---
Assignee: Neon Bugs
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2025-06-26 23:05 UTC by Tom Servo
Modified: 2025-06-26 23:05 UTC (History)

See Also:
Latest Commit:
Version Fixed/Implemented In:
Sentry Crash Report:


Description Tom Servo 2025-06-26 23:05:56 UTC
SUMMARY
KDE Neon installs with gpg-agent configured to also act as the ssh-agent. This causes unexpected behaviors that can cause security concerns for users. The gpg-agent will accept ssh keys like any ssh-agent, but it refuses to remove them when asked, even though it will claim it did.

STEPS TO REPRODUCE
1. Create ssh key: "ssh-keygen" and accept the defaults
2. Add the key to the ssh-agent: "ssh-add ~/.ssh/id_ed25519"
3. Verify key was added: ssh-add -l
4. Remove the key from the ssh-agent (you will see it say "all identities removed"): ssh-add -D
5. Check again and see that the key was not in fact removed: ssh-add -l
6. Try to remove the key from the system completely: rm ~/.ssh/id_ed25519*
7. Reboot
8. Verify the key file is gone: ls ~/.ssh
9. Verify the key is STILL in ssh-agent: ssh-add -l

OBSERVED RESULT
When ssh-add -D is run to remove all keys, the user is told that the keys were removed, but the ssh keys were not removed.

EXPECTED RESULT
When the ssh-agent says it has removed an ssh key, I expect that to be the truth.

SOFTWARE/OS VERSIONS
Operating System: KDE neon User Edition
KDE Plasma Version: 6.4.1
KDE Frameworks Version: 6.15.0
Qt Version: 6.9.0
Kernel Version: 6.11.0-25-generic (64-bit)
Graphics Platform: Wayland
Processors: 12 × Intel® Core™ i7-10750H CPU @ 2.60GHz
Memory: 32 GiB of RAM (31.0 GiB usable)
Graphics Processor 1: Intel® UHD Graphics
Graphics Processor 2: NVIDIA GeForce GTX 1650 Ti

ADDITIONAL INFORMATION
This has been reported as a bug to the gpg-agent developers, who have closed the bug, seemingly refusing to fix the issue ( https://dev.gnupg.org/T3284 ). I think this makes gpg-agent an unacceptable substitute for ssh-agent. Consider this use case that is broken by gpg-agent. Lots of password managers (KeePass/KeePassXC for example) allow ssh keys to be stored in the password manager. When the password database is unlocked, the keys are added to the ssh-agent, and then when the database is closed the keys are removed. The gpg-agent acting as an ssh-agent breaks this by claiming that it has removed the keys when asked, even though it did not.

I want to be clear: I am not saying that this is a security vulnerability. It is just an unexpected behavior in a security-significant context.
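The following script is an added example, not part of the bug report and not KDE Neon or GnuPG code. It automates the reporter's steps 2-5 (add a key, list, `ssh-add -D`, list again) and reports which fingerprints survived the removal, and it checks whether `SSH_AUTH_SOCK` points at a gpg-agent socket (GnuPG names its ssh socket `S.gpg-agent.ssh`; OpenSSH's own agent uses `agent.<pid>` under a temporary directory). The comparison functions work on captured `ssh-add -l` text, so they run offline; the sample listings embedded below are constructed, with placeholder fingerprints, and the `--live` mode is the only part that touches a real agent.

```shell
#!/bin/sh
# Added example: detect an ssh-agent that keeps identities after `ssh-add -D`.
# Not from the bug report or from any project; see lead-in for assumptions.

# Constructed sample output in the shape of `ssh-add -l`
# (bits, fingerprint, comment, key type). Fingerprints are placeholders.
BEFORE_LIST='256 SHA256:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA user@neon (ED25519)
3072 SHA256:BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB user@neon (RSA)'
AFTER_LIST='256 SHA256:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA user@neon (ED25519)'

# fingerprints LISTING: print the fingerprint column of `ssh-add -l` output.
# Only lines that begin with a key size count; this skips the
# "The agent has no identities." message that ssh-add prints when empty.
fingerprints() {
    printf '%s\n' "$1" | awk '$1 ~ /^[0-9]+$/ { print $2 }'
}

# surviving_keys BEFORE AFTER: fingerprints present in both listings, i.e.
# identities the agent still holds after it was asked to remove them all.
surviving_keys() {
    before=" $(fingerprints "$1" | tr '\n' ' ')"
    for fp in $(fingerprints "$2"); do
        case "$before" in
            *" $fp "*) printf '%s\n' "$fp" ;;
        esac
    done
}

# agent_is_gpg SOCKET_PATH: true when the socket has gpg-agent's ssh socket
# name. Assumption: default GnuPG socket naming, no custom --extra-socket.
agent_is_gpg() {
    case "$1" in
        */S.gpg-agent.ssh) return 0 ;;
        *) return 1 ;;
    esac
}

# check_live_agent: reporter's steps 2-5 against the agent in SSH_AUTH_SOCK,
# using a throwaway ed25519 key in a temp dir. Returns 1 if identities
# survive `ssh-add -D`, 0 if the agent really removed them, 2 on setup errors.
check_live_agent() {
    command -v ssh-add >/dev/null 2>&1 || { echo "ssh-add not found"; return 2; }
    [ -n "$SSH_AUTH_SOCK" ] || { echo "SSH_AUTH_SOCK is not set"; return 2; }
    tmp=$(mktemp -d) || return 2
    ssh-keygen -q -t ed25519 -N '' -f "$tmp/id_test" || { rm -rf "$tmp"; return 2; }
    ssh-add -q "$tmp/id_test" 2>/dev/null
    before=$(ssh-add -l 2>/dev/null)
    ssh-add -D >/dev/null 2>&1            # the step that claims "All identities removed."
    after=$(ssh-add -l 2>/dev/null)
    rm -rf "$tmp"

    if agent_is_gpg "$SSH_AUTH_SOCK"; then
        echo "agent socket: $SSH_AUTH_SOCK (gpg-agent)"
    else
        echo "agent socket: $SSH_AUTH_SOCK"
    fi
    left=$(surviving_keys "$before" "$after")
    if [ -n "$left" ]; then
        echo "ssh-add -D left these identities loaded:"
        printf '  %s\n' $left
        return 1
    fi
    echo "ssh-add -D removed all identities"
    return 0
}

# Only touch a real agent when explicitly asked: `sh thisfile.sh --live`
if [ "${1:-}" = "--live" ]; then
    check_live_agent
fi
```

Run it with `--live` in the desktop session whose agent you want to test. Note that on a system with the behaviour described in the report, the throwaway key added by `check_live_agent` will itself remain registered with gpg-agent after the check; gpg-agent records ssh keys it has accepted in `~/.gnupg/sshcontrol`, which is where such leftovers can be removed.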