What significance does the user/host at the end of an SSH public key file hold?

ssh ssh-keys ssh-keygen
41,423

Solution 1

This field is a comment, and can be changed or ignored at will. It is set to user@host by default by ssh-keygen.

The OpenSSH sshd(8) man page describes the format of a public key thus:

Public keys consist of the following space-separated fields: options, keytype, base64-encoded key, comment. . . . The comment field is not used for anything (but may be convenient for the user to identify the key).

The ssh-keygen(1) man page says:

The key comment may be useful to help identify the key. The comment is initialized to “user@host” when the key is created, but can be changed using the -c option.

Solution 2

This is briefly explained in manual page for sshd(8) in section about authorized keys:

Protocol 2 public key consist of: options, keytype, base64-encoded key, comment.

In openssh context of authorized keys, there is only meaning of comment. But there are SSH implementation, that give the meanings to this part, as for example SSH implementation in LANCOM modems is using this comment as a username for which the key is valid.

Solution 3

As others have pointed out, it's a comment to allow you to identify which key is which.

When looking at a single key in eg id_rsa.pub it doesn't make a great deal of difference but when looking at a potentially long list of keys, such as what you have in the authorized_keys file, it is very helpful to be able to easily identify which key is which.

Also, ssh-keygen's default is user@hostname, which for typical use-cases is a clear identifier of which key it is (user@domain would not be).

Solution 4

Very, very simple: Me and you are humans using a machine. So looking at this example you posted:

ssh-rsa [piles of gobbledygook]…CA9gyE8HRhNMG6ZDwyhPBbDfX root@mydomain

A machine can read this:

ssh-rsa [piles of gobbledygook]…CA9gyE8HRhNMG6ZDwyhPBbDfX

A human can read this comment:

root@mydomain

People tend to forget that even though things might look complicated on computer systems, they could actually be tons more complicated if the code was designed only for machine consumption. I mean look at obscured malware code. Once you decode it and format it, it’s human readable. But someone had to go out of their way to make it hard for humans to read.

By default all types of coding and configuration files on a computer system are structure for human consumption because… We are humans using machines and machines don’t need things like:

  • Comments.
  • Indentations.
  • Variables and functions written in a human readable language.

So the comment is meant for you and me and nobody else. It would most likely work without a comment. But that one time something is not working at 3:00am and you are hunting for the right public key, you’re going to wish/dream/pray the comment is there.

Share:
41,423

Related videos on Youtube

Basil A
Author by

Basil A

Its not my fault, its a SERVER FAULT! (.COM)

Updated on September 18, 2022

Comments

  • Basil A
    Basil A over 1 year

    I can’t figure out why does an SSH public key file generated by ssh-keygen have a user and host at the end of it.

    Example: id_rsa.pub

    ssh-rsa ... rest of file ... /CA9gyE8HRhNMG6ZDwyhPBbDfX root@mydomain

    Notice the root@mydomain at the end of the file.

    If I can use the public key anywhere with any user to authenticate using my private key, what significance does the root@mydomain have on the authentication process?

    Or is it just a place holder to figure our who was it issued by?

    • chicks
      chicks over 8 years
      I've seen some overzealous webforms that require the comment field include an @ symbol, but there isn't any technical reason for this.
  • mgarciaisaia
    mgarciaisaia over 8 years
    +1 for quoting the man
  • Basil A
    Basil A over 8 years
    Brief and to the point. Being able to change the comment at will solved the puzzle for me. I thought it had some kind of role in the ssh authentication process.
  • Michael Hampton
    Michael Hampton over 8 years
    @BasilA I have some keys where I have removed it entirely.
  • user
    user over 8 years
    "machines don’t need things like ... Indentations" cough Python cough
  • hBy2Py
    hBy2Py over 8 years
    @MichaelKjörling "... unless they are made to care about them." :-)
  • hBy2Py
    hBy2Py over 8 years
    When setting up SSH key login to an instance on Google Cloud Compute, GCC uses this comment field to identify the user name on the instance with which the key is to be associated.

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

SSH as root using public key still prompts for password on RHEL 6.1
Turn off strict checking of ssh keys
How to get all fingerprints for .ssh/authorized_keys(2) file
How can I remove an SSH key?
ssh -T [email protected] Permission denied (publickey)
Not able to ssh to the server
Unable to SSH to Google Cloud
ssh key stops functioning after a while
Git looking for my SSH key in the wrong location
ansible ssh permission denied