bugzilla-daemon at mindrot.org
2013-Dec-09 23:15 UTC
[Bug 2180] New: Improve the handling of the key comment field
https://bugzilla.mindrot.org/show_bug.cgi?id=2180 Bug ID: 2180 Summary: Improve the handling of the key comment field Product: Portable OpenSSH Version: 6.4p1 Hardware: All OS: All Status: NEW Severity: enhancement Priority: P5 Component: ssh-keygen Assignee: unassigned-bugs at mindrot.org Reporter: 4.l.e.x.1.1.s+mindrotopenbsd at gmail.com Hello, As you probably know, the comment header: - is not exported when "ssh-keygen -e" is used to export a public key into an PEM|PKCS8|RFC4716 file format (a new key comment is created) - is not handled when "ssh-keygen -i" is imported from PEM|PKCS8|RFC4716 file to Openssh internal format (the key comment field is missing). Thus, it should be interesting that "ssh-keygen -e" exports the initial comment and "ssh-keygen -i" generates an output with the key comment indicated in key file. ssh-keygen.c: http://www.openssh.com/cgi-bin/cvsweb/src/usr.bin/ssh/ssh-keygen.c ssh-keygen.c:259: do_convert_to_ssh2(struct passwd *pw, Key *k) [...]/* Comment + surrounds must fit into 72 chars (RFC 4716 sec 3.3) */ snprintf(comment, sizeof(comment), "%u-bit %s, converted by %s@%s from OpenSSH", key_size(k), key_type(k), pw->pw_name, hostname); keygen.c:504: do_convert_from_ssh2(struct passwd *pw, Key **k, int *private) Step to reproduce: ssh-keygen -t rsa -C "a pretty useful comment" -f mykey1 cat mykey1.pub ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDUeyrplNBmRK+1icSgoF/0eh6kqzd9n9+KgzqHPWaj[..]/juD3ww2YXlvPxVmJ83Pgg9bi1gLU9vef7L6rtJ5W/FvMgqISqWggBlLwE52foWXhlwXSjgwVX5OnCEphyYXSya1ykBKcQZO7TPNog8MJ a pretty useful comment ssh-keygen -f mykey1.pub -e -m RFC4716 >mykey1-RFC4716.pub #do_convert_to_ssh2 cat mykey1-RFC4716.pub ---- BEGIN SSH2 PUBLIC KEY ---- Comment: "2048-bit RSA, converted by root at ks1111111.example.com from O" AAAAB3NzaC1yc2EAAAADAQABAAABAQDUeyrplNBmRK+1icSgoF/0eh6kqzd9n9+KgzqHPW [..]xVmJ83Pgg9bi1gLU9vef7L6rtJ5W/FvMgqISqWggBlLwE52foWXhlwXSjgwVX5OnCEphyY XSya1ykBKcQZO7TPNog8MJ ---- END SSH2 PUBLIC KEY ---- ssh-keygen -i -m RFC4716 -f mykey1-RFC4716.pub #do_convert_from_ssh2 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDUeyrplNBmRK+1icSgoF/0eh6kqzd9n9+KgzqHPWajG[..]/juD3ww2YXlvPxVmJ83Pgg9bi1gLU9vef7L6rtJ5W/FvMgqISqWggBlLwE52foWXhlwXSjgwVX5OnCEphyYXSya1ykBKcQZO7TPNog8MJ Furthermore, in man page for AuthorizedKeysFile section, the comment field is not precisely indicated as an optional part: Protocol 1 public keys is composed of the following space-separated fields: options, bits, exponent, modulus, comment. Protocol 2 public key is composed of: options, keytype, base64-encoded key, comment. The options field is optional; [...] The bits, exponents, modulus, and comment fields give the RSA key for protocol version 1; the comment field is not used for anything (but may be convenient for the user to identify the key). [...]An example authorized_keys file: ssh-rsa AAAAB3Nza...LiPk== user at example.net In conclusion, some applications ? like https://www.ovh.com/managerv5 http://howik.com/images/6/65/Img-2013-apr-24-033_2.jpg - will (erroneously, I supposed) be expected as mandatory concerning the field comment. For example, this type of following key in some application generates a message like ?SSH key format error ? because of missing comment: ssh-rsa AAAAB3Nza...LiPk== And unfortunately, "ssh-keygen -i -m RFC4716 -f mykey1-RFC4716.pub" forgets the key comment! Thanks for reading -- You are receiving this mail because: You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2020-Mar-21 17:47 UTC
[Bug 2180] Improve the handling of the key comment field
https://bugzilla.mindrot.org/show_bug.cgi?id=2180 Oliver Ford <ojford at gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Assignee|unassigned-bugs at mindrot.org |ojford at gmail.com CC| |ojford at gmail.com Status|NEW |ASSIGNED --- Comment #1 from Oliver Ford <ojford at gmail.com> --- Added patch for this: https://github.com/openssh/openssh-portable/pull/177 -- You are receiving this mail because: You are watching the assignee of the bug.
Seemingly Similar Threads
- [Bug 2570] New: ssh-keygen -p will convert openssh-format keyfiles back to pem, improperly?
- Use multiple cores on Linux
- [Bug 1085] New: No warning for weird interface characters if interface contains wildcard character
- [Bug 905] New: Please support passing a filename to iptables-save
- [Bug 1152] New: iptables-xml crashed on -D rules