Daniel Kahn Gillmor
2014-Nov-04 14:57 UTC
ssh-add 6.7 inserts RSA keys into the ssh-agent as "rsa w/o comment" instead of filenames
Hi OpenSSH folks--

As of version 6.7 (the first version I noticed this in), it looks to me like adding ssh keys to ssh-agent marks them all as "rsa w/o comment", instead of putting the filename as the comment.

This appears to be because of the key function overhaul in 8668706d0f52654fe64c0ca41a96113aeab8d2b8.

ssh-add.c loads the secret keys via library-like invocations of functions in sshkey.c, and if the comment returned is NULL, it sets the comment to be the filename.

But in practice, these functions now return "rsa w/o comment" as the comment, so the filename never gets applied as a comment.

Possible ways to fix:

* One fix would be to have the functions return a NULL for the comment.

* Another fix would be to have ssh-add just override the comment explicitly.

* A third fix would be to pass a "proposed comment" into the library-like call, which could be overridden by future versions if they're aware of a superior comment after having parsed the key.

I also note that there is no way for a user of ssh-add to explicitly set the comment directly -- adding something like that would be a distinct feature, I think.

Regards,

--dkg
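To make the regression mechanism described above concrete, here is an added illustration (not code from the OpenSSH tree, and not the thread author's): a caller that falls back to the filename only when the loader hands back a NULL comment, driven once by a stand-in for the pre-6.7 loader (comment NULL) and once by a stand-in for the 6.7 loader (comment "rsa w/o comment"). The loader stubs, the function pointer type and the function names are hypothetical; only the placeholder string comes from the report. The "fixed" variant implements the second proposed fix, where ssh-add overrides the comment itself.

```c
#include <stdio.h>
#include <string.h>

/* Placeholder comment the 6.7 key-loading code returns for keys without
 * a comment, as quoted in the report. */
#define PLACEHOLDER_COMMENT "rsa w/o comment"

/* Hypothetical loader signature: fills *commentp and returns 0 on success.
 * Both stubs below are constructed for this example, not sshkey.c's API. */
typedef int (*loader_fn)(const char *file, const char **commentp);

/* Pre-6.7 behaviour as the report describes it: no comment -> NULL. */
int loader_pre_67(const char *file, const char **commentp)
{
    (void)file;
    *commentp = NULL;
    return 0;
}

/* 6.7 behaviour as the report describes it: no comment -> placeholder. */
int loader_67(const char *file, const char **commentp)
{
    (void)file;
    *commentp = PLACEHOLDER_COMMENT;
    return 0;
}

/* Caller logic the report attributes to ssh-add 6.7: fall back to the
 * filename only when the loader returned NULL.  With loader_67 the
 * fallback branch is dead code, so the placeholder leaks into the agent. */
const char *agent_comment(loader_fn load, const char *file)
{
    const char *comment = NULL;

    if (load(file, &comment) != 0)
        return NULL;
    return comment == NULL ? file : comment;
}

/* Second proposed fix: ssh-add ignores whatever the loader produced and
 * sets the comment to the filename explicitly. */
const char *agent_comment_fixed(loader_fn load, const char *file)
{
    const char *comment = NULL;

    if (load(file, &comment) != 0)
        return NULL;
    return file;
}

int main(void)
{
    const char *file = "/home/user/.ssh/id_rsa";  /* constructed path */

    printf("pre-6.7 loader, old caller: %s\n", agent_comment(loader_pre_67, file));
    printf("6.7 loader,     old caller: %s\n", agent_comment(loader_67, file));
    printf("6.7 loader,     fixed caller: %s\n", agent_comment_fixed(loader_67, file));
    return 0;
}
```

Running it shows the first and third lines printing the path and the middle line printing the placeholder, which is exactly the symptom `ssh-add -l` exposes after the overhaul.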
Damien Miller
2014-Nov-05 00:11 UTC
ssh-add 6.7 inserts RSA keys into the ssh-agent as "rsa w/o comment" instead of filenames
Hmm, that's a regression - could you please file a bug for it? I'll try to fix it before the next release.

On Tue, 4 Nov 2014, Daniel Kahn Gillmor wrote:

> Hi OpenSSH folks--
>
> As of version 6.7 (the first version I noticed this in), it looks to me
> like adding ssh keys to ssh-agent marks them all as "rsa w/o comment",
> instead of putting the filename as the comment.
>
> This appears to be because of the key function overhaul in
> 8668706d0f52654fe64c0ca41a96113aeab8d2b8.
>
> ssh-add.c loads the secret keys via library-like invocations of
> functions in sshkey.c, and if the comment returned is NULL, it sets the
> comment to be the filename.
>
> But in practice, these functions now return "rsa w/o comment" as the
> comment, so the filename never gets applied as a comment.
>
> Possible ways to fix:
>
> * One fix would be to have the functions return a NULL for the comment.
>
> * Another fix would be to have ssh-add just override the comment
> explicitly.
>
> * A third fix would be to pass a "proposed comment" into the
> library-like call, which could be overridden by future versions if
> they're aware of a superior comment after having parsed the key.
>
> I also note that there is no way for a user of ssh-add to explicitly set
> the comment directly -- adding something like that would be a distinct
> feature, I think.
>
> Regards,
>
> --dkg