Ssh – Where does SSH agent get the names it uses for keys

ssh

I cannot make much sense of how SSH agent refers to the keys it is using.

I have four SSH keys with the following comments:

$ tail -n +1 *.pub
==> github_id_ed25519.pub <==
ssh-ed25519 ... mygithubusername@myhost

==> id_ecdsa.pub <==
ecdsa-sha2-nistp521 ... me@myhost

==> id_ed25519.pub <==
ssh-ed25519 ... me@myhost

==> id_rsa.pub <==
ssh-rsa ... me@myhost

I add these keys to the SSH agent (with the confirmation -c option):

$ ssh-add -c github_id_ed25519 id_ecdsa id_ed25519 id_rsa
Enter passphrase for github_id_ed25519 (will confirm each use): 
Identity added: github_id_ed25519 (mygithubusername)
The user must confirm each use of the key
Identity added: id_ecdsa (id_ecdsa)
The user must confirm each use of the key
Identity added: id_ed25519 (me@myhost)
The user must confirm each use of the key
Identity added: id_rsa (id_rsa)
The user must confirm each use of the key

I list all added keys:

$ ssh-add -l
256  SHA256:... mygithubusername (ED25519)
521  SHA256:... id_ecdsa (ECDSA)
256  SHA256:... me@myhost (ED25519)
4096 SHA256:... id_rsa (RSA)

From where does SSH agent get the names it uses to refer to the keys?

It seems to use:

  1. full comment in the keyfile (for one key)
  2. some parts of the comment in the keyfile (for one key)
  3. filename of the keyfile (for two keys)

Very hard to make any sense of this. Using the filename of the key would be the most straightforward but now it's just a mess. Currently every time I log in with SSH and I get the confirmation dialog it is not easy to figure out which key it is actually trying to use.

Best Answer

ssh-add attempts to read the comment in the private key file. If it fails, it uses the filename as a comment for further prompts:

From ssh-add.c:add_file():

if (comment == NULL || *comment == '\0')
    comment = xstrdup(filename);

I'd suspect that any identities using the filename as the comment had no comment originally saved with the key, even if one was manually edited in to the public key file at a later date. The ssh-keygen manual page implies that there is no way to change or add a comment in the private key file on any non-deprecated key formats:

 -c      Requests changing the comment in the private and public key files.  This
         operation is only supported for RSA1 keys.
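The logic the answer quotes can be checked against the key files themselves. The following Python script is an added example written for this page; it is not OpenSSH code and not part of the answer. It constructs an unencrypted OpenSSH-format ("openssh-key-v1") ed25519 private key container from placeholder bytes (constructed, not a real key), reads the comment field back out of the private section, and then applies the same fallback as add_file(): the key's own comment if there is one, otherwise the filename exactly as it was passed. A legacy PEM key ("BEGIN RSA PRIVATE KEY" / "BEGIN EC PRIVATE KEY") has no comment field at all, so it always falls back to the filename, which is consistent with the id_rsa and id_ecdsa lines in the question. Editing the comment in the .pub file does not touch the copy inside the private key, which is why the agent can show a different name than the public key file.

```python
import base64
import struct

MAGIC = b"openssh-key-v1\x00"
BEGIN = "-----BEGIN OPENSSH PRIVATE KEY-----"
END = "-----END OPENSSH PRIVATE KEY-----"


def _string(b: bytes) -> bytes:
    """SSH wire 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def _read_string(buf: bytes, off: int):
    """Read one SSH wire 'string' at offset off; return (bytes, new offset)."""
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    return buf[off:off + n], off + n


def build_unencrypted_ed25519_key(comment: str) -> str:
    """Build an unencrypted openssh-key-v1 file carrying the given comment.
    Key material is constructed placeholder bytes, not a usable key."""
    seed, pub = b"\x01" * 32, b"\x02" * 32  # constructed placeholders
    pubblob = _string(b"ssh-ed25519") + _string(pub)
    check = b"\xde\xad\xbe\xef"  # the two check ints must match after decryption
    priv = (check + check + _string(b"ssh-ed25519") + _string(pub)
            + _string(seed + pub) + _string(comment.encode()))
    padlen = (-len(priv)) % 8  # pad to the cipher block size (8 for "none")
    priv += bytes(range(1, padlen + 1))
    body = (MAGIC + _string(b"none") + _string(b"none") + _string(b"")
            + struct.pack(">I", 1) + _string(pubblob) + _string(priv))
    b64 = base64.b64encode(body).decode()
    lines = [b64[i:i + 70] for i in range(0, len(b64), 70)]
    return "\n".join([BEGIN, *lines, END]) + "\n"


def read_private_key_comment(pem_text: str):
    """Return the comment stored in an unencrypted openssh-key-v1 private key.
    Returns None for legacy PEM keys (no comment field) and for encrypted
    files (the comment sits inside the ciphertext; ssh-add sees it only after
    the passphrase prompt)."""
    lines = pem_text.strip().splitlines()
    if lines[0] != BEGIN:
        return None
    body = base64.b64decode("".join(lines[1:-1]))
    if not body.startswith(MAGIC):
        raise ValueError("not an openssh-key-v1 file")
    off = len(MAGIC)
    cipher, off = _read_string(body, off)
    _kdf, off = _read_string(body, off)
    _kdfopts, off = _read_string(body, off)
    (nkeys,) = struct.unpack_from(">I", body, off)
    off += 4
    if nkeys != 1:
        raise ValueError("expected exactly one key")
    _pubblob, off = _read_string(body, off)
    priv, off = _read_string(body, off)
    if cipher != b"none":
        return None
    c1, c2 = struct.unpack_from(">II", priv, 0)
    if c1 != c2:
        raise ValueError("check ints differ; corrupt private section")
    p = 8
    ktype, p = _read_string(priv, p)
    if ktype != b"ssh-ed25519":
        raise ValueError("this example only walks the ed25519 layout")
    _pub, p = _read_string(priv, p)
    _seed_and_pub, p = _read_string(priv, p)
    comment, p = _read_string(priv, p)
    return comment.decode()


def agent_display_name(filename: str, pem_text: str) -> str:
    """Same rule as ssh-add.c:add_file(): empty or missing comment -> filename
    (as given on the command line, not its basename)."""
    comment = read_private_key_comment(pem_text)
    if comment is None or comment == "":
        return filename
    return comment


if __name__ == "__main__":
    # Constructed sample files mirroring the four keys in the question.
    samples = {
        "github_id_ed25519": build_unencrypted_ed25519_key("mygithubusername"),
        "id_ed25519": build_unencrypted_ed25519_key("me@myhost"),
        "id_rsa": "-----BEGIN RSA PRIVATE KEY-----\nQUFBQQ==\n-----END RSA PRIVATE KEY-----\n",
        "id_ecdsa": "-----BEGIN EC PRIVATE KEY-----\nQUFBQQ==\n-----END EC PRIVATE KEY-----\n",
    }
    for name, text in samples.items():
        print(f"Identity added: {name} ({agent_display_name(name, text)})")
```

Running it prints the same four "(name)" suffixes the question shows: the two ed25519 keys report the comment stored inside the private file, and the two legacy PEM keys fall back to the filename.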