I cannot make much sense of how SSH agent refers to the keys it is using.
I have four SSH keys with the following comments:
$ tail -n +1 *.pub
==> github_id_ed25519.pub <==
ssh-ed25519 ... mygithubusername@myhost
==> id_ecdsa.pub <==
ecdsa-sha2-nistp521 ... me@myhost
==> id_ed25519.pub <==
ssh-ed25519 ... me@myhost
==> id_rsa.pub <==
ssh-rsa ... me@myhost
I add these keys to the SSH agent (with the confirmation -c option):
$ ssh-add -c github_id_ed25519 id_ecdsa id_ed25519 id_rsa
Enter passphrase for github_id_ed25519 (will confirm each use):
Identity added: github_id_ed25519 (mygithubusername)
The user must confirm each use of the key
Identity added: id_ecdsa (id_ecdsa)
The user must confirm each use of the key
Identity added: id_ed25519 (me@myhost)
The user must confirm each use of the key
Identity added: id_rsa (id_rsa)
The user must confirm each use of the key
I list all added keys:
$ ssh-add -l
256 SHA256:... mygithubusername (ED25519)
521 SHA256:... id_ecdsa (ECDSA)
256 SHA256:... me@myhost (ED25519)
4096 SHA256:... id_rsa (RSA)
From where does SSH agent get the names it uses to refer to the keys?
It seems to use:
- full comment in the keyfile (for one key)
- some parts of the comment in the keyfile (for one key)
- filename of the keyfile (for two keys)
Very hard to make any sense of this. Using the filename of the key would be the most straightforward, but now it's just a mess. Currently, every time I log in with SSH and get the confirmation dialog, it is not easy to figure out which key it is actually trying to use.
ssh-add attempts to read the comment in the private key. If it fails, it uses the filename:

    if (comment == NULL) comment = xstrdup(filename);

Are you certain that id_ecdsa and id_rsa have comments? (It is easy to add comments to the corresponding .pub keys after generation, but that won't change any comments stored with the private key.)

id_ecdsa and id_rsa don't have comments. Looks like I added them afterwards to the public keys and I assumed that the agent would use those. Actually I didn't remember that the comments are also saved in the private keys. Also it looks like ssh-keygen does not have any options to change the comment on the private keys, and to change them one has to create new keys. Or maybe there's a way to add it some other way? In any case your comment answers my question well and I think you should make a real answer out of it so I can mark it as the correct one :)
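To make the comment's point concrete, here is an added Python example (not from the question or the comments above) that reads the comment out of an unencrypted openssh-key-v1 private key and falls back to the filename when no comment is readable, mirroring the ssh-add logic quoted above. It also shows why a PEM-format key (BEGIN RSA PRIVATE KEY) always ends up labelled by its filename: that format has no comment field at all. The sample key it builds is constructed with zeroed key material and is not a real key; sample_ed25519 and agent_name are names chosen for this example.

```python
import base64
import struct

# Length-prefixed fields that sit between the key type and the comment.
_FIELDS_BEFORE_COMMENT = {"ssh-ed25519": 2, "ssh-rsa": 6, "ecdsa": 3}

def _s(b):                          # SSH "string": uint32 length + bytes
    return struct.pack(">I", len(b)) + b
def _rd(buf, off):                  # inverse of _s; returns (bytes, new offset)
    n = struct.unpack(">I", buf[off:off + 4])[0]
    return buf[off + 4:off + 4 + n], off + 4 + n

def private_key_comment(key_text):
    """Comment stored in an OpenSSH private key, or None when none is readable
    (PEM keys have no comment field; encrypted keys hide it behind the passphrase)."""
    lines = key_text.strip().splitlines()
    if lines[0] != "-----BEGIN OPENSSH PRIVATE KEY-----":
        return None
    blob = base64.b64decode("".join(lines[1:-1]))
    assert blob.startswith(b"openssh-key-v1\0"), "not an openssh-key-v1 file"
    cipher, off = _rd(blob, 15)                 # after the NUL-terminated magic
    for _ in range(2):                          # kdfname, kdfoptions
        _, off = _rd(blob, off)
    nkeys, off = struct.unpack(">I", blob[off:off + 4])[0], off + 4
    for _ in range(nkeys):                      # public keys, stored in the clear
        _, off = _rd(blob, off)
    priv, _ = _rd(blob, off)
    if cipher != b"none":
        return None                             # comment is inside the encrypted part
    ktype, off = _rd(priv, 8)                   # skip the two check integers
    kind = "ecdsa" if ktype.startswith(b"ecdsa-sha2-") else ktype.decode()
    for _ in range(_FIELDS_BEFORE_COMMENT[kind]):
        _, off = _rd(priv, off)                 # skip the key material
    return _rd(priv, off)[0].decode()

def agent_name(key_text, filename):
    """What ssh-add labels a key with: its stored comment, else the filename."""
    return private_key_comment(key_text) or filename

def sample_ed25519(comment):
    """Constructed unencrypted openssh-key-v1 file with zeroed (bogus) key material."""
    pub = _s(b"ssh-ed25519") + _s(bytes(32))
    priv = (struct.pack(">II", 7, 7) + _s(b"ssh-ed25519") + _s(bytes(32))
            + _s(bytes(64)) + _s(comment.encode()))
    priv += bytes(range(1, -len(priv) % 8 + 1))             # pad to 8-byte blocks
    blob = (b"openssh-key-v1\0" + _s(b"none") + _s(b"none") + _s(b"")
            + struct.pack(">I", 1) + _s(pub) + _s(priv))
    b64 = base64.b64encode(blob).decode()
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{b64}\n-----END OPENSSH PRIVATE KEY-----\n"
```

Running agent_name over a key with a comment returns that comment, while an empty comment or a PEM-format key returns the filename, which is exactly the mixture of labels seen in the ssh-add -l output above.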