Allow users to have control over the PubKey comment, enabling the identification of keys #353

Closed
pacoorozco opened this issue Oct 26, 2022 · 5 comments · Fixed by #398 or #402
Labels
enhancement The issue is a feature request question Further information is requested

Comments

@pacoorozco
Owner

Is your feature request related to a problem? Please describe.
Use the key name as public key comment, so users can identify a public key by the comment

Describe the solution you'd like
One comment in #346 raised the need to identify public keys just by seeing them on the remote server.

The idea would be to create the public key comment using a fixed part ssham- + <key name>.

ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMvGJd4ZOE4FGRRjE845A6onBqJFyIqXmSWsQOWXxdss dt20038 phpseclib-generated-key

would be:

ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMvGJd4ZOE4FGRRjE845A6onBqJFyIqXmSWsQOWXxdss dt20038 ssham-paco.orozco

Describe alternatives you've considered
Add a new field to set the comment

@nemchik

nemchik commented Oct 26, 2022

I would love to see imported keys retain the original comment supplied if the key is not blank. Prefixing the originally supplied comment with ssham- would also be fine. Newly created keys make sense to use the structure you are considering: ssham- + <key name>.

I also like the idea of a separate field to allow setting (and updating) the comment.

Another option could be to prefix keys as follows:

  • ssham-imported- + <original comment> for an imported key
  • ssham-generated- + <key name> for a key that was generated (new) in ssham

@pacoorozco
Owner Author

Hi @nemchik

Originally, the way to match a key in the server and a key in ssham is by comparing (searching) the fingerprint. So, once you have the fingerprint of a public key in the server, you can easily find where it's coming from in ssham.

From your example, you would like to be able to get the ssham key that belongs to a comment. Am I right?

How do you expect to use this comment?

@pacoorozco pacoorozco added the question Further information is requested label Oct 29, 2022
@nemchik

nemchik commented Nov 3, 2022

Sorry for the delayed response. By default, most versions of ssh-keygen will set the comment in the .pub file to be something along the lines of user@host, where user is the logged-in user who is running the ssh-keygen command and host is the machine name.

For advanced users, it's helpful to know which machine was used to generate the key, to keep track of which machine the key is expected to be used from. A reasonably good practice is to generate one key pair per system, so in my case, my laptop and my desktop each have their own key pair. When I review a system that I connect to, I can see the authorized_keys file and take note of the comments associated with the keys and make decisions about managing the keys (ex: removing a key from a machine that is no longer used).

The same would apply from an administrator standpoint, either where an admin is generating keys for users, or where users generate their own keys and only supply the admin with the public key. Having the comment is helpful to determine which machine the key was generated on, and which user the key is supposed to belong to at a glance when looking at a server's authorized_keys file.

Also, just for more context, I don't always expect the user who generated a key to have the same username as the user they are logging into the server as. For example, on my laptop my username might be nemchik but on a server I might be connecting as the user appservice1. That may not always be the case, and may not be the best practice (ex: maybe it's best for my user to be nemchik on the server and then I su to the other user accounts I need) but I imagine it to be a common use case.

@pacoorozco
Owner Author

Hi @nemchik

The use case is clear and I think it makes a lot of sense, allowing an easier way to identify the SSH keys in the remote hosts.

Using ssham implies that the whole SSH management should be done via the same application (see Hybrid configuration). So my proposal would be using the key name as comment when creating the authorized_keys file.

Currently, the key name is matched to a username concept, which is not right to follow the proposal.

This way the comment in the remote host will be the key name in the ssham application.

In order to achieve that some changes should be done:

  • The key name should be modified to be a plain string (currently it only supports "usernames").
  • When importing keys, by default, the comment of the key would be the key name.
  • When exporting keys, the comment of the key should be the key name.

What do you think?
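As an added example (not the project's own code), the following Python sketch covers the two operations this thread turns on: resolving an authorized_keys entry to an ssham key by its SHA256 fingerprint, which is the lookup pacoorozco describes, and re-emitting the entry with the ssham- + key name comment for export. The first key blob is the one quoted in the issue; the second sample line, the `no-pty,restrict` options, the key name mapping and all function names are constructed for illustration.

```python
import base64
import hashlib
import struct
from dataclasses import dataclass

@dataclass
class PubKey:
    options: str    # leading options field, "" when absent
    key_type: str
    blob_b64: str
    comment: str    # free-form label; whoever holds the key chooses it

    def fingerprint(self) -> str:
        """SHA256 fingerprint in the form printed by `ssh-keygen -lf`."""
        digest = hashlib.sha256(base64.b64decode(self.blob_b64, validate=True)).digest()
        return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

    def with_comment(self, comment: str) -> str:
        """Re-emit the entry with a new comment; options and blob stay intact."""
        parts = [self.options] if self.options else []
        return " ".join(parts + [self.key_type, self.blob_b64, comment])

def parse_line(line: str) -> PubKey:
    """Split one authorized_keys entry: [options] key-type base64-blob [comment]."""
    tokens = line.split()
    idx = next((i for i, t in enumerate(tokens)
                if t.startswith(("ssh-", "ecdsa-", "sk-"))), None)
    if idx is None or idx + 1 >= len(tokens):
        raise ValueError(f"not a public key entry: {line!r}")
    key = PubKey(" ".join(tokens[:idx]), tokens[idx], tokens[idx + 1],
                 " ".join(tokens[idx + 2:]))
    # The blob opens with its own algorithm name; it must match the declared type.
    typ = struct.pack(">I", len(key.key_type)) + key.key_type.encode()
    if not base64.b64decode(key.blob_b64, validate=True).startswith(typ):
        raise ValueError("declared key type does not match blob contents")
    return key

def parse_authorized_keys(text: str) -> list[PubKey]:
    return [parse_line(l) for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")]

# Constructed sample input: the first blob is the one quoted in the issue, the
# second is a structurally valid dummy (32 zero bytes) carrying a copied comment.
ISSUE_BLOB = "AAAAC3NzaC1lZDI1NTE5AAAAIMvGJd4ZOE4FGRRjE845A6onBqJFyIqXmSWsQOWXxdss"
DUMMY_BLOB = base64.b64encode(struct.pack(">I11sI32s", 11, b"ssh-ed25519", 32, bytes(32))).decode()
AUTHORIZED_KEYS = f"""# managed by ssham
ssh-ed25519 {ISSUE_BLOB} dt20038 phpseclib-generated-key
no-pty,restrict ssh-ed25519 {DUMMY_BLOB} dt20038 phpseclib-generated-key
"""
```

Both sample entries carry the same comment but different fingerprints, so a fingerprint-keyed mapping still tells them apart while the comment alone cannot.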

@pacoorozco pacoorozco added the enhancement The issue is a feature request label Nov 4, 2022
@pacoorozco pacoorozco self-assigned this May 4, 2023
@pacoorozco
Owner Author

Hi @nemchik

I've just implemented your suggestion. Currently you are able to create Keys with a plain string name; this name will be used as the key's comment in the authorized_keys file, so you will be able to know where the key is coming from.

This was referenced May 11, 2023