bugzilla-daemon at bugzilla.mindrot.org
2017-Jan-21 07:14 UTC
[Bug 2667] New: ssh-add does not display key comments for the first key added
https://bugzilla.mindrot.org/show_bug.cgi?id=2667
Bug ID: 2667
Summary: ssh-add does not display key comments for the first
key added
Product: Portable OpenSSH
Version: -current
Hardware: All
OS: All
Status: NEW
Severity: minor
Priority: P5
Component: ssh-add
Assignee: unassigned-bugs at mindrot.org
Reporter: aaronmdjones at gmail.com
When adding multiple keys to an agent, ssh-add(1) does not print the
comment for the first key (instead printing its path).
Like so:
```
aaron at saiga ~ $ ssh-add -D
All identities removed.
aaron at saiga ~ $ ssh-add
Enter passphrase for /home/aaron/.ssh/id_rsa:
Identity added: /home/aaron/.ssh/id_rsa (/home/aaron/.ssh/id_rsa)
Identity added: /home/aaron/.ssh/id_ed25519 (Aaron M. D. Jones
<aaronmdjones at gmail.com>)
aaron at saiga ~ $
```
--
You are receiving this mail because:
You are watching the assignee of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2017-Mar-10 03:25 UTC
[Bug 2667] ssh-add does not display key comments for the first key added
https://bugzilla.mindrot.org/show_bug.cgi?id=2667
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |djm at mindrot.org
Status|NEW |RESOLVED
Resolution|--- |WONTFIX
--- Comment #1 from Damien Miller <djm at mindrot.org> ---
What's happening here is that the ed25519 key is a new-style OpenSSH
format private key that contains the comment where ssh-add can easily
get at it, and the RSA key is an olde-style PEM format that doesn't.
We could in theory go looking for the comment in the private key's
corresponding .pub file if it exists, but it complicates key loading
considerably - we'd need to find the file, read and parse it and check
that it matched the private key. I don't think we want to do this.
You could try converting your RSA key to a new-style one while
re-specifying the comment (ssh-keygen -opf /path -C "your comment").
The new key format offers better protection against passphrase cracking
too.
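The distinction drawn in comment #1, as an added example (not code from this bug thread or from OpenSSH): a Python parser for the `openssh-key-v1` container that reports whether a key file is legacy PEM, which KDF and round count protect it, and the embedded comment when the private section is unencrypted. The field layout follows OpenSSH's PROTOCOL.key document; the function names and sample values are constructed for illustration, and the example assumes one ed25519 key per file.

```python
import base64
import struct

MAGIC = b"openssh-key-v1\x00"
BEGIN = "-----BEGIN OPENSSH PRIVATE KEY-----"

def get_string(buf, off):
    """Read one SSH wire string (uint32 length + bytes); return (value, next offset)."""
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n

def put_string(b):
    return struct.pack(">I", len(b)) + b

def inspect_private_key(text):
    """Report container format, KDF settings and (if readable) the comment."""
    lines = text.strip().splitlines()
    if lines[0] != BEGIN:
        return {"format": "legacy-pem", "comment": None}  # PEM has no comment field
    blob = base64.b64decode("".join(lines[1:-1]))
    if not blob.startswith(MAGIC):
        raise ValueError("bad openssh-key-v1 magic")
    cipher, off = get_string(blob, len(MAGIC))
    kdf, off = get_string(blob, off)
    kdfopts, off = get_string(blob, off)
    _pub, off = get_string(blob, off + 4)    # skip key count (assumed to be 1)
    private, off = get_string(blob, off)
    info = {"format": "openssh-key-v1", "cipher": cipher.decode(),
            "kdf": kdf.decode(), "rounds": None, "comment": None}
    if kdf == b"bcrypt":                     # kdfopts = string salt, uint32 rounds
        _salt, o = get_string(kdfopts, 0)
        info["rounds"] = struct.unpack_from(">I", kdfopts, o)[0]
    if cipher == b"none":                    # otherwise the comment is encrypted too
        ktype, o = get_string(private, 8)    # skip the two uint32 check values
        if ktype == b"ssh-ed25519":          # layout: type, pub, priv||pub, comment
            _pk, o = get_string(private, o)
            _sk, o = get_string(private, o)
            info["comment"] = get_string(private, o)[0].decode()
    return info

def make_sample(comment=b"", rounds=None):
    """Constructed sample: valid container, all-zero (unusable) key material."""
    cipher, kdf, opts = b"none", b"none", b""
    if rounds:  # mimic a passphrase-protected header; private section is a stand-in
        cipher, kdf = b"aes256-ctr", b"bcrypt"
        opts = put_string(bytes(16)) + struct.pack(">I", rounds)
    pub = put_string(b"ssh-ed25519") + put_string(bytes(32))
    priv = struct.pack(">II", 7, 7) + pub + put_string(bytes(64)) + put_string(comment)
    blob = (MAGIC + put_string(cipher) + put_string(kdf) + put_string(opts)
            + struct.pack(">I", 1) + put_string(pub) + put_string(priv))
    return BEGIN + "\n" + base64.b64encode(blob).decode() + "\n-----END OPENSSH PRIVATE KEY-----\n"
```

For a passphrase-protected key the comment sits inside the encrypted private section, so the parser reports only the header fields, including the bcrypt round count set with `ssh-keygen -a`.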
bugzilla-daemon at bugzilla.mindrot.org
2017-Mar-10 04:20 UTC
[Bug 2667] ssh-add does not display key comments for the first key added
https://bugzilla.mindrot.org/show_bug.cgi?id=2667
Aaron Jones <aaronmdjones at gmail.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|RESOLVED |REOPENED
Resolution|WONTFIX |---
--- Comment #2 from Aaron Jones <aaronmdjones at gmail.com> ---
I migrated all of my keys to the new format more than a year ago.
Just in case I forgot one, though, I checked:
```
aaron at saiga ~/.ssh $ head -n1 id_rsa
-----BEGIN OPENSSH PRIVATE KEY-----
```
But I tried anyway:
```
aaron at saiga ~/.ssh $ ssh-keygen -a 128 -opf id_rsa -C "Aaron M. D.
Jones <aaronmdjones at gmail.com>"
Enter old passphrase:
Key has comment 'Aaron M. D. Jones <aaronmdjones at gmail.com>'
Enter new passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved with the new passphrase.
aaron at saiga ~/.ssh $ head -n1 id_rsa
-----BEGIN OPENSSH PRIVATE KEY-----
```
And the problem persists:
```
aaron at saiga ~/.ssh $ ssh-add -D
All identities removed.
aaron at saiga ~/.ssh $ ssh-add
Enter passphrase for /home/aaron/.ssh/id_rsa:
Identity added: /home/aaron/.ssh/id_rsa (/home/aaron/.ssh/id_rsa)
Identity added: /home/aaron/.ssh/id_ed25519 (Aaron M. D. Jones
<aaronmdjones at gmail.com>)
```
Something else is going on.
bugzilla-daemon at bugzilla.mindrot.org
2017-Apr-28 04:13 UTC
[Bug 2667] ssh-add does not display key comments for the first key added
https://bugzilla.mindrot.org/show_bug.cgi?id=2667
--- Comment #3 from Damien Miller <djm at mindrot.org> ---
I can't replicate that behaviour with either 7.2p2 or -current.
If I create my RSA key as an old-style key I get output that matches
yours.
```
[djm at djm .ssh]$ ssh-keygen -t rsa -C comment -N '' -qf ~/.ssh/id_rsa
[djm at djm .ssh]$ ssh-keygen -t ed25519 -C comment -N '' -qf ~/.ssh/id_ed25519
[djm at djm .ssh]$ ssh-add
Identity added: /home/djm/.ssh/id_rsa (/home/djm/.ssh/id_rsa)
Identity added: /home/djm/.ssh/id_ed25519 (comment)
```
If I create it as a new-style key then I see the expected output:
```
[djm at djm .ssh]$ ssh-add -D
All identities removed.
[djm at djm .ssh]$ ssh-keygen -ot rsa -C comment -N '' -qf ~/.ssh/id_rsa
/home/djm/.ssh/id_rsa already exists.
Overwrite (y/n)? y
[djm at djm .ssh]$ ssh-add
Identity added: /home/djm/.ssh/id_rsa (comment)
Identity added: /home/djm/.ssh/id_ed25519 (comment)
```
What version OpenSSH are you using? Did you compile from source or
are you using a vendor package.
bugzilla-daemon at bugzilla.mindrot.org
2017-Apr-28 07:19 UTC
[Bug 2667] ssh-add does not display key comments for the first key added
https://bugzilla.mindrot.org/show_bug.cgi?id=2667
--- Comment #4 from Aaron Jones <aaronmdjones at gmail.com> ---
(In reply to Damien Miller from comment #3)
> I can't replicate that behaviour with either 7.2p2 or -current.
>
> If I create my RSA key as an old-style key I get output that matches
> yours.
>
> If I create it as a new-style key then I see the expected output:
>
> What version OpenSSH are you using? Did you compile from source or
> are you using a vendor package.

I have no idea what actual version I'm using because it was provided by
my distributor (Linux Mint, Debian Edition, Cinnamon amd64, up-to-date)
The version output is
```
$ ssh -V
OpenSSH_6.7p1 Debian-5+deb8u3, OpenSSL 1.0.1t 3 May 2016
```
bugzilla-daemon at bugzilla.mindrot.org
2017-Jun-09 04:48 UTC
[Bug 2667] ssh-add does not display key comments for the first key added
https://bugzilla.mindrot.org/show_bug.cgi?id=2667
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|REOPENED |RESOLVED
Resolution|--- |WORKSFORME
--- Comment #5 from Damien Miller <djm at mindrot.org> ---
Closing: whatever is going on, it doesn't seem to be going on with the
current version.
bugzilla-daemon at bugzilla.mindrot.org
2018-Apr-06 02:26 UTC
[Bug 2667] ssh-add does not display key comments for the first key added
https://bugzilla.mindrot.org/show_bug.cgi?id=2667
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|RESOLVED |CLOSED
--- Comment #6 from Damien Miller <djm at mindrot.org> ---
Close all resolved bugs after release of OpenSSH 7.7.