Resident SSH key comments

[mattpascoe]

I'm not sure this is an openssh level issue or a libfido2/Yubikey layer issue. I've tested this on MacOS Sonoma and the compiled provider as referenced here #464. Additionally I have tried this on older MacOS variants using a brew installed version of openssl. The behavior is consistent in all cases. I've not tested on a Linux system but I'd suspect the same.

I'm trying to utilize the standard ssh-keygen -C comment to help identify my resident keys over time. I issue the following command to create my key:

ssh-keygen -t ed25519-sk -O resident -O application="ssh:commenttest" -C "a test comment" -f ~/.ssh/commenttest-sk

This creates my resident key in a fido slot called ssh:commenttest. Additionally it creates the ~/.ssh/commenttest-sk.pub file with the comment as provided in the -C option of ssh-keygen.

I intend to either load the key via ssh-add -K or extract it via ssh-keygen -K hoping that the comment is still intact.

When loading into the agent via ssh-add I get no comments at all which is less than ideal when I have several keys loaded in.

❯ ssh-add -l
256 SHA256:ZZZZZZZZZZZkP3PwVx3C8qkR5vEwLvUiieoKU A regular comment (ED25519)
256 SHA256:ZZZZZZhcvdNEIdUEWg40a74lv+rN4eighjXC8  (ED25519-SK)
256 SHA256:ZZZZZN5Bu4z8OBkZXc0dWkU2KD3biNZt1ymY4  (ED25519-SK)
256 SHA256:ZZZZZZ5vOwL4kVNGlxOfhf08xQpb7DXaNo2fc  (ED25519-SK)

When extracting via ssh-keygen I see that it uses the slot identifier as the comment in the .pub files. This at least helps identify the key but still loses whatever I may have placed in the comment.

❯ cat id_ed25519_sk_rk_commenttest.pub
[email protected] AAAAAZcuBX...MTIzNC1jb21tZW50dGVzdA== ssh:commenttest

I can at least get by with naming my slots in a way that is descriptive but it requires me still to extract the resident key/.pub to even see this and does not help at all in the agent side of things.

Again, I'm not exactly sure which layers may or may not be dealing with the comments in the ssh keys. I'm not entirely sure the comment is even in the private key stored on the Yubikey. I would hope for at least the slot name to be visible in the agent and exported .pub keys. Or possibly merge the slot name and the comment in some consistent way.

[LDVG]

While perhaps more of a question for OpenSSH -- no, the comment is not stored on the authenticator.

As an aside, storing arbitrary extra data along with a credential on an authenticator requires a CTAP 2.1 extension (credBlob) or optional feature (largeBlobs).