When adding multiple keys to an agent, ssh-add(1) does not print the comment for the first key (instead printing its path). Like so:

```
aaron@saiga ~ $ ssh-add -D
All identities removed.
aaron@saiga ~ $ ssh-add
Enter passphrase for /home/aaron/.ssh/id_rsa:
Identity added: /home/aaron/.ssh/id_rsa (/home/aaron/.ssh/id_rsa)
Identity added: /home/aaron/.ssh/id_ed25519 (Aaron M. D. Jones <aaronmdjones@gmail.com>)
aaron@saiga ~ $
```
What's happening here is that the ed25519 key is a new-style OpenSSH format private key that contains the comment where ssh-add can easily get at it, and the RSA key is an olde-style PEM format that doesn't. We could in theory go looking for the comment in the private key's corresponding .pub file if it exists, but it complicates key loading considerably - we'd need to find the file, read and parse it and check that it matched the private key. I don't think we want to do this. You could try converting your RSA key to a new-style one while re-specifying the comment (ssh-keygen -opf /path -C "your comment"). The new key format offers better protection against passphrase cracking too.
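As an added illustration of where the comment lives (not part of the original thread and not OpenSSH code): a small Python inspector that tells a legacy PEM key from an `openssh-key-v1` one and reports the cipher, the bcrypt rounds and, when the private section is unencrypted, the comment. The field layout follows OpenSSH's PROTOCOL.key description; `inspect_key`, `make_sample` and the two-entry key-type table are names and assumptions of this example, and the sample key is constructed with zeroed key material.

```python
import base64, struct

MAGIC = b"openssh-key-v1\0"
BEGIN = "-----BEGIN OPENSSH PRIVATE KEY-----"
FIELDS_BEFORE_COMMENT = {"ssh-ed25519": 2, "ssh-rsa": 6}  # assumed subset of key types

def _put(b):
    return struct.pack(">I", len(b)) + b

def _get(buf, off):  # read one SSH string (uint32 length + bytes) -> (value, next offset)
    (n,) = struct.unpack_from(">I", buf, off)
    if off + 4 + n > len(buf):
        raise ValueError("truncated key blob")
    return buf[off + 4:off + 4 + n], off + 4 + n

def inspect_key(text):
    lines = text.strip().splitlines()
    if lines[0] != BEGIN:  # legacy PEM container: no comment field to read
        return {"format": "legacy PEM", "rounds": None, "comment": None}
    blob = base64.b64decode("".join(lines[1:-1]))
    if not blob.startswith(MAGIC):
        raise ValueError("bad magic")
    cipher, off = _get(blob, len(MAGIC))
    kdf, off = _get(blob, off)
    kdfopts, off = _get(blob, off)
    _pub, off = _get(blob, off + 4)  # +4 skips the uint32 key count
    priv, off = _get(blob, off)
    info = {"format": "openssh-key-v1", "cipher": cipher.decode(), "rounds": None, "comment": None}
    if kdf == b"bcrypt":  # kdfoptions = string salt, uint32 rounds
        (info["rounds"],) = struct.unpack_from(">I", kdfopts, _get(kdfopts, 0)[1])
    if cipher == b"none":  # the comment is only readable when the private section is plaintext
        ktype, o = _get(priv, 8)  # 8 skips the two check integers
        if ktype.decode() in FIELDS_BEFORE_COMMENT:
            for _ in range(FIELDS_BEFORE_COMMENT[ktype.decode()]):
                _, o = _get(priv, o)
            info["comment"] = _get(priv, o)[0].decode()
    return info

def make_sample(comment, rounds=None):
    """Constructed ed25519-shaped key file; key material is all zeros, not a usable key."""
    pub = _put(b"ssh-ed25519") + _put(bytes(32))
    head = _put(b"none") + _put(b"none") + _put(b"")
    priv = struct.pack(">II", 7, 7) + pub + _put(bytes(64)) + _put(comment.encode())
    priv += bytes(range(1, 1 + -len(priv) % 8))  # pad 1,2,3,... to a multiple of 8
    if rounds:  # encrypted variant: bcrypt header, zero bytes standing in for ciphertext
        head = _put(b"aes256-ctr") + _put(b"bcrypt") + _put(_put(bytes(16)) + struct.pack(">I", rounds))
        priv = bytes(len(priv))
    blob = MAGIC + head + struct.pack(">I", 1) + _put(pub) + _put(priv)
    return f"{BEGIN}\n{base64.b64encode(blob).decode()}\n-----END OPENSSH PRIVATE KEY-----\n"
```

For a passphrase-protected key the comment sits inside the encrypted section, so it cannot be read without decrypting; `rounds` is the value set with `ssh-keygen -a`.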
I migrated all of my keys to the new format more than a year ago. Just in case I forgot one, though, I checked:

```
aaron@saiga ~/.ssh $ head -n1 id_rsa
-----BEGIN OPENSSH PRIVATE KEY-----
```

But I tried anyway:

```
aaron@saiga ~/.ssh $ ssh-keygen -a 128 -opf id_rsa -C "Aaron M. D. Jones <aaronmdjones@gmail.com>"
Enter old passphrase:
Key has comment 'Aaron M. D. Jones <aaronmdjones@gmail.com>'
Enter new passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved with the new passphrase.
aaron@saiga ~/.ssh $ head -n1 id_rsa
-----BEGIN OPENSSH PRIVATE KEY-----
```

And the problem persists:

```
aaron@saiga ~/.ssh $ ssh-add -D
All identities removed.
aaron@saiga ~/.ssh $ ssh-add
Enter passphrase for /home/aaron/.ssh/id_rsa:
Identity added: /home/aaron/.ssh/id_rsa (/home/aaron/.ssh/id_rsa)
Identity added: /home/aaron/.ssh/id_ed25519 (Aaron M. D. Jones <aaronmdjones@gmail.com>)
```

Something else is going on.
I can't replicate that behaviour with either 7.2p2 or -current.

If I create my RSA key as an old-style key I get output that matches yours.

```
[djm@djm .ssh]$ ssh-keygen -t rsa -C comment -N '' -qf ~/.ssh/id_rsa
[djm@djm .ssh]$ ssh-keygen -t ed25519 -C comment -N '' -qf ~/.ssh/id_ed25519
[djm@djm .ssh]$ ssh-add
Identity added: /home/djm/.ssh/id_rsa (/home/djm/.ssh/id_rsa)
Identity added: /home/djm/.ssh/id_ed25519 (comment)
```

If I create it as a new-style key then I see the expected output:

```
[djm@djm .ssh]$ ssh-add -D
All identities removed.
[djm@djm .ssh]$ ssh-keygen -ot rsa -C comment -N '' -qf ~/.ssh/id_rsa
/home/djm/.ssh/id_rsa already exists.
Overwrite (y/n)? y
[djm@djm .ssh]$ ssh-add
Identity added: /home/djm/.ssh/id_rsa (comment)
Identity added: /home/djm/.ssh/id_ed25519 (comment)
```

What version of OpenSSH are you using? Did you compile from source or are you using a vendor package?
(In reply to Damien Miller from comment #3)
> I can't replicate that behaviour with either 7.2p2 or -current.
>
> If I create my RSA key as an old-style key I get output that matches
> yours.
>
> If I create it as a new-style key then I see the expected output:
>
> What version of OpenSSH are you using? Did you compile from source or
> are you using a vendor package?

I have no idea what actual version I'm using because it was provided by my distributor (Linux Mint, Debian Edition, Cinnamon amd64, up-to-date).

The version output is:

```
$ ssh -V
OpenSSH_6.7p1 Debian-5+deb8u3, OpenSSL 1.0.1t 3 May 2016
```
Closing: whatever is going on, it doesn't seem to be going on with the current version.
Close all resolved bugs after release of OpenSSH 7.7.