Hello,

As you probably know, the comment header:
- is not exported when "ssh-keygen -e" is used to export a public key into a PEM|PKCS8|RFC4716 file format (a new key comment is created)
- is not handled when "ssh-keygen -i" is used to import from a PEM|PKCS8|RFC4716 file to the OpenSSH internal format (the key comment field is missing).

Thus, it should be interesting that "ssh-keygen -e" exports the initial comment and "ssh-keygen -i" generates an output with the key comment indicated in the key file.

ssh-keygen.c: http://www.openssh.com/cgi-bin/cvsweb/src/usr.bin/ssh/ssh-keygen.c

ssh-keygen.c:259: do_convert_to_ssh2(struct passwd *pw, Key *k)
    [...]
    /* Comment + surrounds must fit into 72 chars (RFC 4716 sec 3.3) */
    snprintf(comment, sizeof(comment),
        "%u-bit %s, converted by %s@%s from OpenSSH",
        key_size(k), key_type(k), pw->pw_name, hostname);

keygen.c:504: do_convert_from_ssh2(struct passwd *pw, Key **k, int *private)

Steps to reproduce:

    ssh-keygen -t rsa -C "a pretty useful comment" -f mykey1
    cat mykey1.pub
    ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDUeyrplNBmRK+1icSgoF/0eh6kqzd9n9+KgzqHPWaj[..]/juD3ww2YXlvPxVmJ83Pgg9bi1gLU9vef7L6rtJ5W/FvMgqISqWggBlLwE52foWXhlwXSjgwVX5OnCEphyYXSya1ykBKcQZO7TPNog8MJ a pretty useful comment

    ssh-keygen -f mykey1.pub -e -m RFC4716 >mykey1-RFC4716.pub    #do_convert_to_ssh2
    cat mykey1-RFC4716.pub
    ---- BEGIN SSH2 PUBLIC KEY ----
    Comment: "2048-bit RSA, converted by root@ks1111111.example.com from O"
    AAAAB3NzaC1yc2EAAAADAQABAAABAQDUeyrplNBmRK+1icSgoF/0eh6kqzd9n9+KgzqHPW
    [..]xVmJ83Pgg9bi1gLU9vef7L6rtJ5W/FvMgqISqWggBlLwE52foWXhlwXSjgwVX5OnCEphyY
    XSya1ykBKcQZO7TPNog8MJ
    ---- END SSH2 PUBLIC KEY ----

    ssh-keygen -i -m RFC4716 -f mykey1-RFC4716.pub    #do_convert_from_ssh2
    ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDUeyrplNBmRK+1icSgoF/0eh6kqzd9n9+KgzqHPWajG[..]/juD3ww2YXlvPxVmJ83Pgg9bi1gLU9vef7L6rtJ5W/FvMgqISqWggBlLwE52foWXhlwXSjgwVX5OnCEphyYXSya1ykBKcQZO7TPNog8MJ

Furthermore, in the man page for the AuthorizedKeysFile section, the comment field is not precisely indicated as an optional part:

    Protocol 1 public keys is composed of the following space-separated fields: options, bits, exponent, modulus, comment. Protocol 2 public key is composed of: options, keytype, base64-encoded key, comment. The options field is optional; [...] The bits, exponents, modulus, and comment fields give the RSA key for protocol version 1; the comment field is not used for anything (but may be convenient for the user to identify the key).
    [...]
    An example authorized_keys file:
    ssh-rsa AAAAB3Nza...LiPk== user@example.net

In conclusion, some applications - like https://www.ovh.com/managerv5 http://howik.com/images/6/65/Img-2013-apr-24-033_2.jpg - will (erroneously, I suppose) expect the comment field as mandatory. For example, the following type of key in some applications generates a message like "SSH key format error" because of the missing comment:

    ssh-rsa AAAAB3Nza...LiPk==

And unfortunately, "ssh-keygen -i -m RFC4716 -f mykey1-RFC4716.pub" forgets the key comment!

Thanks for reading
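A workaround for the behaviour reported above, as an added example that is not part of the original report or of OpenSSH: a Python converter between the one-line public key format and RFC 4716 that carries the comment through in both directions, including the backslash continuation needed for comments longer than one line. The function names and the sample key (a constructed ed25519 blob with an all-zero key) are assumptions for illustration, and the one-line input is assumed to have no options field.

```python
import base64
import struct

BEGIN = "---- BEGIN SSH2 PUBLIC KEY ----"
END = "---- END SSH2 PUBLIC KEY ----"

def rfc4716_to_openssh(text):
    """RFC 4716 file -> 'keytype base64 [comment]', keeping the Comment header."""
    lines = text.strip().splitlines()
    if lines[0].strip() != BEGIN or lines[-1].strip() != END:
        raise ValueError("missing RFC 4716 begin/end marker")
    headers, body, i = {}, [], 1
    while i < len(lines) - 1:
        line = lines[i]
        if ":" in line:  # header line; base64 data never contains ':'
            while line.endswith("\\") and i + 1 < len(lines) - 1:
                i += 1  # trailing backslash: value continues on the next line
                line = line[:-1] + lines[i]
            tag, _, value = line.partition(":")
            headers[tag.strip().lower()] = value.strip()  # tags are case-insensitive
        else:
            body.append(line.strip())
        i += 1
    b64 = "".join(body)
    blob = base64.b64decode(b64, validate=True)
    (n,) = struct.unpack(">I", blob[:4])  # blob starts with a length-prefixed key type
    keytype = blob[4:4 + n].decode("ascii")
    comment = headers.get("comment", "")
    if len(comment) >= 2 and comment[0] == comment[-1] == '"':
        comment = comment[1:-1]  # RFC 4716 sec 3.3: drop the surrounding quotes
    return " ".join(filter(None, [keytype, b64, comment]))

def openssh_to_rfc4716(line):
    """One-line public key (no options field) -> RFC 4716, exporting its comment."""
    parts = line.strip().split(None, 2)
    out = [BEGIN]
    if len(parts) == 3:
        hdr = 'Comment: "%s"' % parts[2]
        while len(hdr) > 72:  # 72-character line limit (ASCII assumed)
            out.append(hdr[:71] + "\\")
            hdr = hdr[71:]
        out.append(hdr)
    out += [parts[1][i:i + 70] for i in range(0, len(parts[1]), 70)]
    return "\n".join(out + [END]) + "\n"

# Constructed sample: well-formed ssh-ed25519 blob with an all-zero (dummy) key.
_blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + bytes(32)
SAMPLE = "ssh-ed25519 %s a pretty useful comment" % base64.b64encode(_blob).decode()

if __name__ == "__main__":
    print(rfc4716_to_openssh(openssh_to_rfc4716(SAMPLE)))
```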
Added patch for this: https://github.com/openssh/openssh-portable/pull/177