SSH public key comment field and gpg-agent
John Lane
gnupg at jelmail.com
Sat Oct 15 17:33:42 CEST 2016
The SSH public key format contains a comment field (RFC4716, s3.3.2):
The comment header contains a user-specified comment.
user@example.com
From "man sshd":
Public keys consist of the following space-separated fields:
options, keytype, base64-encoded key, comment.
The comment field is not used for anything (but may be convenient
for the user to identify the key).
If I load an SSH key from a file using 'ssh-add' the comment field is
populated with the file name (i.e. "alice.pem") if the gpg-agent does
not already contain that key.
If I do "ssh-add -L" I will see "alice.pem" at the end of the output:
ssh-rsa AAAAB3NzaC1yc2EAAAADAQAHT...IfFoxh2j13b3 alice.pem
If the key is in the agent because of the gpg keyring then it is known
as "(none)". If I do "ssh-add -L" I will see "(none)" at the end of the
output:
ssh-rsa AAAAB3NzaC1yc2EAAAADAQAHT...IfFoxh2j13b3 (none)
The reason that I stumbled upon this was because I was debugging an ssh
connection that used the gpg-agent and the ssh debugging output
displayed the following misleading output:
debug1: Offering RSA public key: (none)
which means the public key called "(none)" rather than, as I initially
interpreted it, no public key.
It's also useful client-side to see who a public key belongs to.
It would be good if the comment field reflected the key source, perhaps
the short (or long) key id. For example:
ssh-rsa AAAAB3NzaC1yc2EAAAADAQAHT...IfFoxh2j13b3 (3A808C39)
Or even the primary uid of the key
ssh-rsa AAAAB3NzaC1yc2EAAAADAQAHT...IfFoxh2j13b3 alice@example.org
Incidentally, exporting the public key this way (which, I think, comes
from the pubring rather than the agent)
gpg --export alice | ./openpgp2ssh 63A808C39
results in no comment field at all:
ssh-rsa AAAAB3NzaC1yc2EAAAADAQAHT...IfFoxh2j13b3
I have no idea whether this is a gpg-agent thing, but is it possible to
control how the comment field is populated?
[gpg (GnuPG) 2.1.15 libgcrypt 1.7.3]
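A small inventory helper, added here as an example (it is not from the original post, nor from GnuPG or OpenSSH): it parses `ssh-add -L` output field by field in the order sshd(8) describes, checks that the base64 blob's embedded type matches the text prefix, and reports the SHA256 fingerprint beside the comment, so a key listed as "(none)" (or seen as `debug1: Offering RSA public key: (none)`) can still be matched to its source by fingerprint. The sample listing and the key blobs are constructed, not real keys.

```python
import base64
import hashlib
import struct

def _ssh_string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b

def _ssh_mpint(n: int) -> bytes:  # extra zero byte keeps the value positive
    return _ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))

def make_rsa_blob(e: int, n: int) -> str:
    """Base64 of an RFC 4253 ssh-rsa blob: string "ssh-rsa", mpint e, mpint n."""
    return base64.b64encode(_ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)).decode()

def parse_pubkey_line(line: str) -> dict:
    """Split one `ssh-add -L` line into keytype, blob and comment (sshd(8) order, no options)."""
    fields = line.strip().split(None, 2)  # maxsplit keeps spaces inside the comment
    if len(fields) < 2:
        raise ValueError("not a public key line")
    keytype, blob = fields[0], base64.b64decode(fields[1])
    comment = fields[2] if len(fields) == 3 else ""
    type_len = struct.unpack(">I", blob[:4])[0]
    embedded = blob[4:4 + type_len].decode()
    if embedded != keytype:  # the blob, not the text prefix, is what gets offered
        raise ValueError(f"keytype {keytype!r} does not match blob type {embedded!r}")
    fp = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return {"keytype": keytype, "comment": comment, "fingerprint": "SHA256:" + fp}

def uninformative(comment: str) -> bool:
    """Comments that say nothing about the key's source, e.g. gpg-agent's "(none)"."""
    return comment.strip() in ("", "(none)")

def agent_key_report(listing: str) -> list:
    """Parse each non-empty `ssh-add -L` line; flag keys the comment cannot identify."""
    report = []
    for line in filter(str.strip, listing.splitlines()):
        info = parse_pubkey_line(line)
        info["flag"] = uninformative(info["comment"])
        report.append(info)
    return report

# Constructed listing: one key loaded from alice.pem, one from the gpg keyring.
# The blobs are built from tiny made-up numbers and are not real keys.
SAMPLE_LISTING = (f"ssh-rsa {make_rsa_blob(65537, 0xC0FFEE)} alice.pem\n"
                  f"ssh-rsa {make_rsa_blob(65537, 0xBADCAFE)} (none)\n")

if __name__ == "__main__":
    for row in agent_key_report(SAMPLE_LISTING):
        tag = "  <- comment gives no key source" if row["flag"] else ""
        print(f'{row["fingerprint"]} {row["keytype"]} "{row["comment"]}"{tag}')
```

Feed it real output with `ssh-add -L | python3 agent_keys.py`-style piping (reading stdin instead of SAMPLE_LISTING) and compare the printed fingerprints against `ssh-keygen -lf` on the files you expect to be loaded.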