`step ssh logout` should probably remove key(s) cached in `~/.gnupg/sshcontrol`
What would you like to be added
`step ssh logout` should check if ssh-agent cached the relevant keys in `~/.gnupg/sshcontrol` and if so, remove them.
Why this is needed
Without removing keys in `~/.gnupg/sshcontrol`, calling `step ssh list` or `ssh-agent -l` will still show the removed key(s).
In my case (and I imagine generally), the desired behavior would be that keys disappear after `step ssh logout` (or `ssh-agent -d`).
Hey @siriobalmelli thanks for opening the issue!
Would you mind sending us some steps to reproduce please?
Apologies for the delay. Reproduction steps below:
```
# my personal GPGAgent public key, permanently present
$ step ssh list
256 SHA256:JBwslxZQsjl3CoqjrEvaK7ZbQXlkqipO4ItPwdRLiHc (none) (ED25519)

# log in to CA and get a new ephemeral key
$ step ssh login --provisioner=Google [email protected]
✔ Provisioner: Google (OIDC) [client: -redacted-]
Your default web browser has been opened to visit:
https://accounts.google.com/o/oauth2/v2/auth?client_id=-redacted-
✔ CA: https://34.139.211.44
✔ SSH Agent: yes

# key was successfully added
$ step ssh list
256 SHA256:JBwslxZQsjl3CoqjrEvaK7ZbQXlkqipO4ItPwdRLiHc (none) (ED25519)
256 SHA256:/15qfw/1lmOAkOmYfG0ojw5GShLccodSUjOY5SrFa3E [email protected] (ECDSA)

# logout, which should remove key
$ step ssh logout --all [email protected]
All identities removed: [email protected]

# however, key is still there!
$ step ssh list
256 SHA256:JBwslxZQsjl3CoqjrEvaK7ZbQXlkqipO4ItPwdRLiHc (none) (ED25519)
256 SHA256:/15qfw/1lmOAkOmYfG0ojw5GShLccodSUjOY5SrFa3E [email protected] (ECDSA)

# removing the last 4 lines in 'sshcontrol' file removes the key
$ sed -i"" "$(( $(wc -l <~/.gnupg/sshcontrol) -3 )),\$d" ~/.gnupg/sshcontrol
$ step ssh list
256 SHA256:JBwslxZQsjl3CoqjrEvaK7ZbQXlkqipO4ItPwdRLiHc (none) (ED25519)
```
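
The workaround above trims the last four lines of `sshcontrol` by position, which only works while the ephemeral key is the newest entry. As an added example (not part of the thread and not smallstep code), the function below removes the entry by fingerprint instead; it assumes the comment layout gpg-agent writes when a key is added through its ssh-agent emulation, and `sshcontrol_remove` and `make_sample` are hypothetical names.

```shell
#!/bin/sh
# Added example, not smallstep code. Assumes the entry layout gpg-agent writes
# to sshcontrol on ssh-add: "# <TYPE> key added on:", fingerprint comments,
# then "<keygrip> <ttl>" (a leading "!" marks a disabled key).

# sshcontrol_remove FILE FINGERPRINT
# Rewrites FILE without the matching entry and prints the removed keygrip(s).
# Returns 1 and leaves FILE untouched when no entry matches.
sshcontrol_remove() {
    file=$1 fp=$2
    tmp=$(mktemp "${file}.XXXXXX") || return 2
    grips=$(awk -v fp="$fp" -v out="$tmp" '
        function flush(   i) { for (i = 1; i <= n; i++) print buf[i] > out; n = 0; hit = 0 }
        /^#.* key added on:/ { flush(); buf[++n] = $0; next }  # entry starts
        /^#/ && n > 0        { buf[++n] = $0; if ($NF == fp) hit = 1; next }
        /^#/ || /^[ \t]*$/   { flush(); print > out; next }    # header, blanks
        hit                  { sub(/^!/, "", $1); print $1; n = 0; hit = 0; next }
                             { flush(); print > out }          # unrelated key
        END                  { flush() }
    ' "$file")
    if [ -z "$grips" ]; then rm -f "$tmp"; return 1; fi
    mv "$tmp" "$file" || return 2
    printf '%s\n' "$grips"
}

# Constructed sample file: keygrips, MD5 values and the first entry are made up;
# the second SHA256 fingerprint is the ephemeral ECDSA key from the issue.
make_sample() {
    cat > "$1" <<'EOF'
# List of allowed ssh keys (constructed header line)

# ED25519 key added on: 2021-01-01 00:00:00
# Fingerprints:  MD5:00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff
#                SHA256:CONSTRUCTEDconstructedCONSTRUCTEDconstructed
1111111111111111111111111111111111111111 0
# ECDSA key added on: 2021-06-01 00:00:00
# Fingerprints:  MD5:ff:ee:dd:cc:bb:aa:99:88:77:66:55:44:33:22:11:00
#                SHA256:/15qfw/1lmOAkOmYfG0ojw5GShLccodSUjOY5SrFa3E
2222222222222222222222222222222222222222 0
EOF
}

# Demo on a throwaway copy, never the live file.
d=$(mktemp -d) && make_sample "$d/sshcontrol" &&
    sshcontrol_remove "$d/sshcontrol" 'SHA256:/15qfw/1lmOAkOmYfG0ojw5GShLccodSUjOY5SrFa3E'
rm -rf "$d"
```

The printed keygrip identifies the delisted entry. gpg-agent also keeps the key material as `private-keys-v1.d/<keygrip>.key`, which this function does not touch.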