possible sshcontrol flag for ssh key comment?

Peter Lebbing peter at digitalbrains.com
Tue Mar 17 18:35:13 CET 2015


On 2015-03-16 14:36, Donavan-Ross Costaras wrote:
> Hi,

Hi!

I don't fully understand what you're trying to accomplish, or what you
exactly need. Sorry about that. I hope my reply might help you though.

> To present the correct key I use .ssh/config to define the
> identityFile (ssh key) used for that user.

I don't think "identityFile" still does anything when you use an agent,
or at least with GnuPG as an agent. Because it is the agent's
responsibility to keep keys, and you're changing the config for the ssh
program, which merely asks the agent what it has. I think.

> The problem is I can't add an ssh comment if I don't put the key
> through something like monkeysphere or gpgkey2ssh.

With SSH2 keys, the comment is simply appended to the public key.
There's nothing more to it.

So I went with the following workflow:

First, I added the key in ~/.ssh/id_rsa to the gpg-agent. The public key
for that is already in ~/.ssh/id_rsa.pub, so I didn't need to extract
that from the agent.

Then, I inserted my OpenPGP smartcard with an authentication key. I
understand you're probably not using a smartcard, but I'm talking about
what I did :). It hopefully allows you to adapt it to your situation.

The smartcard key is automatically added to the ssh agent component of
gpg-agent. But, like you, I still need its public key in SSH format to
paste in ~/.ssh/authorized_keys on the machines I want to log in to, like
you need it to give to gitolite.

I do:

$ ssh-add -L
ssh-rsa AAAAB3N[...]TrnoZzZdHJ cardno:000500000241
ssh-rsa AAAAB3N[...]TAiuL0Iw== /home/peter/.ssh/id_rsa
$

Now gpg-agent was kind enough to provide a comment that allows me to
distinguish them on sight. If there is no comment field, simply look at
the actual base64 key to see which one you're /not/ interested in, by
comparing to ~/.ssh/id_rsa.pub, for instance.

Now I copy the line ending in "cardno:[...]241" to the clipboard, and
open an editor for the new file ~/.ssh/id_card.pub. I paste from the
clipboard, but change the end:

ssh-rsa AAAAB3N[...]TrnoZzZdHJ peter at OpenPGPCard

All my SSH keys are of the form peter at hostname, and usually stored in
~/.ssh/id_rsa.pub. The filename and comment form are just to fit in with
the rest. It's free-format.

Now whenever I need to add that public key to a ~/.ssh/authorized_keys,
I don't use ssh-add -L, I simply open ~/.ssh/id_card.pub and copy it
from there. As I said, in SSH2 public keys, the comment is just text
appended to the key; there's nothing relating to it in that blob of
base64. You can just edit it with a text editor and store the result
wherever you like.

HTH,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>
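An added example, not code from the post or from GnuPG/OpenSSH: a small Python script that does what the workflow above does by hand. It splits lines of a constructed `ssh-add -L` listing into key type, base64 blob and free-text comment, checks that the type string embedded in the blob matches the prefix, picks the card key by its `cardno:` comment and rewrites the comment without touching the blob. The blobs and the comment `peter@OpenPGPCard` are constructed placeholders, not real keys.

```python
import base64
import struct


def encode_string(b: bytes) -> bytes:
    """SSH wire 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def make_blob(key_type: str, *fields: bytes) -> str:
    """Build a base64 key blob in SSH2 wire layout (constructed, not a real key)."""
    raw = encode_string(key_type.encode()) + b"".join(encode_string(f) for f in fields)
    return base64.b64encode(raw).decode()


def parse_pubkey_line(line: str):
    """Split one public-key line into (type, blob, comment).

    The comment is everything after the blob, may be empty or contain
    spaces, and is not covered by the base64 blob at all.
    """
    parts = line.strip().split(" ", 2)
    if len(parts) < 2:
        raise ValueError("not an SSH2 public key line: %r" % line)
    key_type, blob = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    # Sanity check: the first wire string inside the blob names the key type.
    raw = base64.b64decode(blob)
    (n,) = struct.unpack(">I", raw[:4])
    if raw[4:4 + n].decode() != key_type:
        raise ValueError("blob type does not match prefix %s" % key_type)
    return key_type, blob, comment


def set_comment(line: str, new_comment: str) -> str:
    """Return the line with its comment replaced; the blob is left untouched."""
    key_type, blob, _ = parse_pubkey_line(line)
    return "%s %s %s" % (key_type, blob, new_comment)


def select_by_comment(listing: str, marker: str) -> str:
    """Pick the line whose comment contains marker (e.g. 'cardno:')."""
    for line in listing.splitlines():
        if line.strip() and marker in parse_pubkey_line(line)[2]:
            return line.strip()
    raise LookupError("no key with comment containing %r" % marker)


# Constructed stand-in for `ssh-add -L` output: card key first, file key second.
CARD_BLOB = make_blob("ssh-rsa", b"\x01\x00\x01", b"\x00\xc4card")
FILE_BLOB = make_blob("ssh-rsa", b"\x01\x00\x01", b"\x00\xd9file")
SSH_ADD_L = ("ssh-rsa %s cardno:000500000241\n"
             "ssh-rsa %s /home/peter/.ssh/id_rsa\n" % (CARD_BLOB, FILE_BLOB))

if __name__ == "__main__":
    print(set_comment(select_by_comment(SSH_ADD_L, "cardno:"), "peter@OpenPGPCard"))
```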