SSH public key comment field and gpg-agent
gnupg at jelmail.com
Sat Oct 15 17:33:42 CEST 2016
The SSH public key format contains a comment field (RFC4716, s3.3.2):
The comment header contains a user-specified comment.
user at example.com
>From "man sshd":
Public keys consist of the following space-separated fields:
options, keytype, base64-encoded key, comment.
The comment field is not used for anything (but may be convenient
for the user to identify the key).
If I load an SSH key from a file using 'ssh-add' the comment field is
populated with the file name (i.e. "alice.pem") if the gpg-agent does
not already contain that key.
If I do "ssh-add -L" I will see "alice.pem" at the end of the output:
ssh-rsa AAAAB3NzaC1yc2EAAAADAQAHT...IfFoxh2j13b3 alice.pem
If the key is in the agent because of the gpg keyring then it is known
as "(none)". If I do "ssh-add -L" I will see "(none)" at the end of the
ssh-rsa AAAAB3NzaC1yc2EAAAADAQAHT...IfFoxh2j13b3 (none)
The reason that I stumbled upon this was because I was debugging a ssh
connection that used the gpg-agent and the ssh debugging output
displayed the following misleading output:
debug1: Offering RSA public key: (none)
which means the public key called "(none)" rather than, as I initially
interpreted it, no public key.
It's also useful client-side to see who a public key belongs to.
It would be good if the comment field reflected the key source, perhaps
the short (or long) key id. For example:
ssh-rsa AAAAB3NzaC1yc2EAAAADAQAHT...IfFoxh2j13b3 (3A808C39)
Or even the primary uid of the key
ssh-rsa AAAAB3NzaC1yc2EAAAADAQAHT...IfFoxh2j13b3 alice at example.org
Incidentally, exporting the public key this way (which, I think, comes
from the pubring rather than the agent)
gpg --export alice | ./openpgp2ssh 63A808C39
results in no comment field at all:
I have no idea whether this is a gpg-agent thing, but is it possible to
control how the comment field is populated ?
[gpg (GnuPG) 2.1.15 libgcrypt 1.7.3]
More information about the Gnupg-users