bugzilla-daemon at mindrot.org
2013-Dec-09 23:15 UTC
[Bug 2180] New: Improve the handling of the key comment field
https://bugzilla.mindrot.org/show_bug.cgi?id=2180
Bug ID: 2180
Summary: Improve the handling of the key comment field
Product: Portable OpenSSH
Version: 6.4p1
Hardware: All
OS: All
Status: NEW
Severity: enhancement
Priority: P5
Component: ssh-keygen
Assignee: unassigned-bugs at mindrot.org
Reporter: 4.l.e.x.1.1.s+mindrotopenbsd at gmail.com
Hello,
As you probably know, the comment header:
- is not exported when "ssh-keygen -e" is used to export a public key into a PEM|PKCS8|RFC4716 file format (a new key comment is created)
- is not handled when "ssh-keygen -i" imports from a PEM|PKCS8|RFC4716 file to OpenSSH internal format (the key comment field is missing).
Thus, it should be interesting that "ssh-keygen -e" exports the initial comment and "ssh-keygen -i" generates an output with the key comment indicated in the key file.
ssh-keygen.c:
http://www.openssh.com/cgi-bin/cvsweb/src/usr.bin/ssh/ssh-keygen.c
ssh-keygen.c:259:
do_convert_to_ssh2(struct passwd *pw, Key *k)
[...]
	/* Comment + surrounds must fit into 72 chars (RFC 4716 sec 3.3) */
	snprintf(comment, sizeof(comment),
	    "%u-bit %s, converted by %s@%s from OpenSSH",
	    key_size(k), key_type(k),
	    pw->pw_name, hostname);

ssh-keygen.c:504:
do_convert_from_ssh2(struct passwd *pw, Key **k, int *private)
Steps to reproduce:
ssh-keygen -t rsa -C "a pretty useful comment" -f mykey1
cat mykey1.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDUeyrplNBmRK+1icSgoF/0eh6kqzd9n9+KgzqHPWaj[..]/juD3ww2YXlvPxVmJ83Pgg9bi1gLU9vef7L6rtJ5W/FvMgqISqWggBlLwE52foWXhlwXSjgwVX5OnCEphyYXSya1ykBKcQZO7TPNog8MJ a pretty useful comment
ssh-keygen -f mykey1.pub -e -m RFC4716 >mykey1-RFC4716.pub #do_convert_to_ssh2
cat mykey1-RFC4716.pub
---- BEGIN SSH2 PUBLIC KEY ----
Comment: "2048-bit RSA, converted by root at ks1111111.example.com from O"
AAAAB3NzaC1yc2EAAAADAQABAAABAQDUeyrplNBmRK+1icSgoF/0eh6kqzd9n9+KgzqHPW
[..]xVmJ83Pgg9bi1gLU9vef7L6rtJ5W/FvMgqISqWggBlLwE52foWXhlwXSjgwVX5OnCEphyY
XSya1ykBKcQZO7TPNog8MJ
---- END SSH2 PUBLIC KEY ----
ssh-keygen -i -m RFC4716 -f mykey1-RFC4716.pub #do_convert_from_ssh2
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDUeyrplNBmRK+1icSgoF/0eh6kqzd9n9+KgzqHPWajG[..]/juD3ww2YXlvPxVmJ83Pgg9bi1gLU9vef7L6rtJ5W/FvMgqISqWggBlLwE52foWXhlwXSjgwVX5OnCEphyYXSya1ykBKcQZO7TPNog8MJ
Furthermore, in the man page for the AuthorizedKeysFile section, the comment field is not precisely indicated as an optional part:
Protocol 1 public keys are composed of the following space-separated fields: options, bits, exponent, modulus, comment.
Protocol 2 public keys are composed of: options, keytype, base64-encoded key, comment.
The options field is optional; [...] The bits, exponent, modulus, and comment fields give the RSA key for protocol version 1; the comment field is not used for anything (but may be convenient for the user to identify the key).
[...] An example authorized_keys file:
ssh-rsa AAAAB3Nza...LiPk== user at example.net
In conclusion, some applications - like https://www.ovh.com/managerv5 (http://howik.com/images/6/65/Img-2013-apr-24-033_2.jpg) - will (erroneously, I suppose) treat the comment field as mandatory.
For example, the following type of key generates in some applications a message like "SSH key format error" because of the missing comment:
ssh-rsa AAAAB3Nza...LiPk==
And unfortunately, "ssh-keygen -i -m RFC4716 -f mykey1-RFC4716.pub" forgets the key comment!
Thanks for reading
--
You are receiving this mail because:
You are watching the assignee of the bug.
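The round trip the reporter is asking for, as an added example rather than ssh-keygen's own code: it converts an OpenSSH public key line to an RFC 4716 block and back while keeping the Comment header in both directions, splitting long comments across "\" continuation lines instead of truncating them. The function names, MAX_LINE and the sample key blob are assumptions of this example, and the blob is constructed, not a real key.

```python
import base64
import struct
MAX_LINE = 72  # RFC 4716 sec 3.3: no line of the file may exceed 72 bytes
BEGIN, END = "---- BEGIN SSH2 PUBLIC KEY ----", "---- END SSH2 PUBLIC KEY ----"

def key_type_from_blob(blob: bytes) -> str:
    (n,) = struct.unpack(">I", blob[:4])       # first wire string = key type
    return blob[4:4 + n].decode("ascii")

def openssh_to_rfc4716(line: str) -> str:
    """'keytype base64 [comment]' -> RFC 4716 block that keeps the comment."""
    fields = line.strip().split(None, 2)        # the comment field is optional
    keytype, b64 = fields[0], fields[1]
    comment = fields[2] if len(fields) == 3 else ""
    blob = base64.b64decode(b64, validate=True)
    if key_type_from_blob(blob) != keytype:     # validate, don't trust the line
        raise ValueError("key type field does not match key blob")
    out = [BEGIN]
    if comment:  # long comments use "\" continuation (sec 3.2), not truncation
        header = 'Comment: "%s"' % comment.replace('"', "'")
        while len(header) > MAX_LINE:
            out.append(header[:MAX_LINE - 1] + "\\")
            header = header[MAX_LINE - 1:]
        out.append(header)
    out.extend(b64[i:i + 70] for i in range(0, len(b64), 70))
    return "\n".join(out + [END]) + "\n"

def rfc4716_to_openssh(text: str) -> str:
    """RFC 4716 block -> 'keytype base64 [comment]', Comment header kept."""
    lines = text.splitlines()
    if lines[0] != BEGIN or lines[-1] != END:
        raise ValueError("missing RFC 4716 begin/end markers")
    headers, body, i = {}, [], 1
    while i < len(lines) - 1:
        line = lines[i]
        if ":" in line:                  # base64 never contains ':'; headers do
            while line.endswith("\\"):   # re-join continuation lines
                i += 1
                line = line[:-1] + lines[i]
            tag, _, value = line.partition(":")
            headers[tag.strip().lower()] = value.strip().strip('"')
        else:
            body.append(line.strip())
        i += 1
    blob = base64.b64decode("".join(body), validate=True)
    b64 = base64.b64encode(blob).decode()
    return " ".join(f for f in (key_type_from_blob(blob), b64, headers.get("comment", "")) if f)

# Constructed sample blob (NOT a real RSA key): wire strings type, e, n.
SAMPLE_BLOB = b"".join(struct.pack(">I", len(p)) + p for p in (b"ssh-rsa", b"\x01\x00\x01", bytes(range(64))))
SAMPLE_LINE = "ssh-rsa %s a pretty useful comment" % base64.b64encode(SAMPLE_BLOB).decode()
```

rfc4716_to_openssh(openssh_to_rfc4716(SAMPLE_LINE)) returns SAMPLE_LINE unchanged, comment included, which is exactly what the "ssh-keygen -e" / "ssh-keygen -i" pair above does not do.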
bugzilla-daemon at mindrot.org
2020-Mar-21 17:47 UTC
[Bug 2180] Improve the handling of the key comment field
https://bugzilla.mindrot.org/show_bug.cgi?id=2180
Oliver Ford <ojford at gmail.com> changed:
           What    |Removed                       |Added
----------------------------------------------------------------------------
           Assignee|unassigned-bugs at mindrot.org |ojford at gmail.com
                 CC|                              |ojford at gmail.com
             Status|NEW                           |ASSIGNED
--- Comment #1 from Oliver Ford <ojford at gmail.com> ---
Added patch for this:
https://github.com/openssh/openssh-portable/pull/177