Authorized key comments
Because an authorized_keys file usually contains key material for multiple keys, SSH administrators often add a comment after the key material so they can easily track information about the key. For example, you might want to know who the key belongs to, or for what purpose it was added to the authorized_keys file. This will help you audit the file to remove keys when they are no longer needed.
SSH Protect considers everything after the first space after the key material to be a comment.
For example, here is a keyset newly generated by PuTTYGen.
Notice the Key comment field. That same data, rsa-key-20200618, was added after the key material, separated by a space. A comment can contain multiple spaces. For example, we can add the key owner's email address after the previous comment:
ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQBtDTrI1Yj10v2ISPv2FNZAdrd1j/4ZDvK2Sg3RYrCx2Q3RfTl3wRMkZX+U7skbYuqNexBWjZfTOuYXs6J9/AM1Tcel7T9ZAJdJaaRznWUgYLQqpWqTytC5l8owNf6uuVU9MVN1R0AIFqmN4XxhCRGTZhGkwO1bY+A/OgYyBRedsuUuHv5WQ1bN4TwmuUznXH80IQJpK7FtnGek2H4mOlI7SbsyrDEeADLZN7Sn+lD0qUb+aES/QU0n9tqJlysDn8mtxf+YFyiNOIYnlM0fmjndC7Jngi7WN38+1VRP+uI3Hy68C7wyNXzoOTHz6mNHZLQsQ2GRejlXqJb2mNopUCB3 rsa-key-20200618 paulp@example.com
SSH Protect uses key comments in two ways:
- You can filter the SSH Inventory by comment.
- The Authorized Keys tab on the SSH keyset details page shows the comment.
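The comment rule above (everything after the first space after the key material is the comment, spaces included) and the comment filter are easy to get wrong when auditing an authorized_keys file by hand. The following is an added example, not SSH Protect code: a small parser that applies that rule, lists keys with no comment (candidates for cleanup) and filters keys by comment text. The sample file, its shortened key material and the helper names are constructed for this example; it assumes lines start with the key type and does not handle an OpenSSH options prefix.

```python
"""Audit helper for authorized_keys comments (example code, not SSH Protect's)."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class AuthorizedKey:
    key_type: str
    key_material: str
    comment: str  # everything after the first space after the key material; "" if absent


def parse_line(line: str) -> Optional[AuthorizedKey]:
    """Parse one authorized_keys line; return None for blank or '#' lines.
    Assumption: the line begins with the key type (no options prefix such as from=)."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    # Split on at most two spaces: key type, key material, and the rest verbatim.
    parts = stripped.split(" ", 2)
    if len(parts) < 2:
        raise ValueError(f"malformed authorized_keys line: {line!r}")
    comment = parts[2].strip() if len(parts) == 3 else ""
    return AuthorizedKey(parts[0], parts[1], comment)


def parse_authorized_keys(text: str) -> List[AuthorizedKey]:
    return [k for k in (parse_line(ln) for ln in text.splitlines()) if k]


def keys_without_comment(keys: List[AuthorizedKey]) -> List[AuthorizedKey]:
    """Keys with no comment cannot be traced to an owner or purpose; flag them for review."""
    return [k for k in keys if not k.comment]


def filter_by_comment(keys: List[AuthorizedKey], needle: str) -> List[AuthorizedKey]:
    """Case-insensitive substring match on the comment, like an inventory filter."""
    return [k for k in keys if needle.lower() in k.comment.lower()]


# Constructed sample file; key material is shortened and not a real key.
SAMPLE = """
ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQBtDTrI rsa-key-20200618 paulp@example.com
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKEKEY
# ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAB disabled-key
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABEXAMPLE deploy bot for CI  ops@example.com
"""

if __name__ == "__main__":
    keys = parse_authorized_keys(SAMPLE)
    for k in keys_without_comment(keys):
        print(f"no comment: {k.key_type} {k.key_material[:16]}...")
    for k in filter_by_comment(keys, "example.com"):
        print(f"matched: {k.comment}")
```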
TIP The key comment feature was introduced in 20.2. Any SSH keys that were discovered prior to your upgrade to 20.2 (or later, if you skip the 20.2 release) will not include the comment data. For efficiency, the Discovery process only sends changed data on subsequent Discovery runs. However, you can perform a full discovery by modifying your Work Settings to include a One Time Full Scan. The next time the work runs, all discovery data (including any key comments) will be sent back to SSH Protect. For more information, see Setting up SSH discovery work for Server Agents.