SSH Key Comments and Adding a Comment to an Existing Key

Last updated: March 18, 2024

Reviewed by: Michal Aibin

1. Introduction

Numbers and coding schemes were always predominant in computer usage. Moreover, encryption only served to increase this trend by introducing personal keys in the form of long encoded sequences. Since humans can’t easily match such data to accounts, SSH key comments can serve as hints for the purpose.

In this tutorial, we look at SSH keys and ways to add or change key comments. First, we generate a pair of keys. Next, we look at public key comments and how to modify them. Finally, we explore private keys and ways to add or change their comments.

For brevity and security reasons, we only consider the newest iteration of SSH version 2 (SSHv2) as implemented by OpenSSH and PuTTY.

We tested the code in this tutorial on Debian 11 (Bullseye) with GNU Bash 5.1.4, OpenSSH 8.4p1, and PuTTY 0.77. It should work in most POSIX-compliant environments.

2. Key Generation

To begin with, we generate SSH keys with their defaults via both OpenSSH and PuTTY.

2.1. OpenSSH Keys

First, let’s generate our keys with ssh-keygen:

$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/baeldung/.ssh/id_rsa):
Created directory '/home/baeldung/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/baeldung/.ssh/id_rsa
Your public key has been saved in /home/baeldung/.ssh/id_rsa.pub
The key fingerprint is:
[...]

Now, we have one set of two keys:

  • public key: /home/baeldung/.ssh/id_rsa.pub
  • private key: /home/baeldung/.ssh/id_rsa

Further, we add the public key to the authorized_keys file for our user with ssh-copy-id or directly:

$ ssh-copy-id baeldung@web
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/home/baeldung/.ssh/id_rsa.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
baeldung@web's password:

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'baeldung@web'"
and check to make sure that only the key(s) you wanted were added.
$ cat /home/baeldung/.ssh/id_rsa.pub >> /home/baeldung/.ssh/authorized_keys

In addition, we can create some PuTTY SSH keys.

2.2. PuTTY Keys

Let’s generate a key pair with puttygen:

$ puttygen -t rsa -o pg_id_rsa
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+++++
Enter passphrase to save key:
Re-enter passphrase to verify:

Now, the contents of pg_id_rsa hold both the public and private keys in the .ppm format.

At this point, we can explore the files involved and see where we have comments.

3. Public Key Comments

To be sure, we use the public key formats of both OpenSSH and PuTTY to see where and how comments are placed.

3.1. OpenSSH Public Key

First, we can check the /home/baeldung/.ssh/authorized_keys file, which already includes the contents of our /home/baeldung/.ssh/id_rsa.pub:

$ cat /home/baeldung/.ssh/authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDBg[...]dCmK47BxWV48= baeldung@web

Here, ssh-rsa marks the key type as one for the RSA algorithm. After that, we have the actual key encoded in base64 until the next whitespace. Finally, the line ends with a free-text comment: baeldung@web, i.e., our username and hostname joined via @.

In essence, the assigned key comment is the part of the public key ($HOME/.ssh/*.pub) lines or in the authorized_keys file ($HOME/.ssh/authorized_keys) that sits after the key value and before the newline character.

Moreover, as usual, we can also add comments by starting a line with #. However, such comments are not associated with any key in particular.

3.2. PuTTY Public Key

Critically, neither of the above holds true for the default PuTTYgen public keys:

---- BEGIN SSH2 PUBLIC KEY ----
Comment: "baeldung@web"
AAAAB3NzaC1yc2EAAAADAQABAAABgQDBgHTwNM/mOpBjkTfM5Z+SZa5hXux5Y4dG
kiHt1V7QGjYg4ErPsyrOFSvPuf8yFwn6xn/p8zb6FSHqF7jUCNA0skObXaMreY7z
rnqLB6k+LVuqj2mkHVdXLpsOElV8nHmkE864V7gLht8uyx4aTB2KzUsm8nBr67VG
a7JAhIsKQhGtq4rNsPXXPzomTcxgiO8/gSApYob0DfPPHShCyFotEepQ2rEli6JG
psEddLZOYyTw5AgY0LUk2FNBPB2dOgK25K9LiAz8ATp/XRyshbTttHH3qyc2cgqj
zyeDSJjOoDeW496WVOdcJfGv4TLjEc/8SW0IVx5XGrrorSALR/S4rLxIuNQqycQQ
mDbrx40QdZh4zSkeC8PNnFXVVlm9EyK7sBxLqUfEc00kn/IkuEDTS1zAZWmqwt+W
vyK9NLuuOcobnWsiUJmyMD9/CuUWhHOGbhIjCdOdJ8TjGX5DipU+LLmM8ZJFGnGK
TrTEg1PVNelMLw4PfrqdCmK47BxWV48=
---- END SSH2 PUBLIC KEY ----

In this case, the Comment field begins the assigned comment in quotes, and there is no mechanism for additional comments.

Still, no special tools are necessary to change public key comments in either case. Importantly, changes in comments around a public key file do not automatically affect other files with that key.

4. Private Key Comments

Unlike public ones, private keys must be very secure. Thus, they often include password protection to safeguard against malicious activity.

Because of this, we usually do need special tools to modify any part of a private key.

4.1. ssh-keygen

Indeed, we already used ssh-keygen to create our private key at /home/baeldung/.ssh/id_rsa. Yet, we can further employ the same tool to read and write private key comments:

$ ssh-keygen -c
Enter file in which the key is (/home/baeldung/.ssh/id_rsa):
Old comment: baeldung@web
New comment: Baeldung
Comment 'Baeldung' applied

Here, we use the -c flag to request a comment change. Consequently, ssh-keygen interactively guides us to enter the key file path, a passphrase (if any), and the new comment. Of course, we can also see the original comment before changing it. To interrupt, we can just use Ctrl+C.

To do the above in one seamless operation, we can combine several flags:

$ ssh-keygen -c -f /home/baeldung/.ssh/id_rsa -P 'PASSPHRASE' -C 'Automatic Baeldung'
Old comment: Baeldung
Comment 'Automatic Baeldung' applied

In this command, we just supply the file after the -f flag, the key passphrase (if any) after -P, and the new comment – after -C.

Notably, ssh-keygen -c changes the comments in both the public and private key local files.

4.2. puttygen

Of course, the pg_id_rsa file holds both our keys:

$ cat pg_id_rsa
PuTTY-User-Key-File-2: ssh-rsa
Encryption: none
Comment: rsa-key-20221010
Public-Lines: 6
AAAAB3NzaC1yc2EAAAABJQAAAQEAmNv8wpJAo8gF5Wx6ZUtn8FzOoqBjJdo77oyz
rBLrz5rVXxPaPuO6AllQW3NNYoHDb/bEvnMH76AlUvJLp2oUNSEAlNVxbRriHFsa
Mrad8EDtQjViHnzjghLuUqgJM5nmtNzDEFTt5rEfw933dkyq1Lm+6i8db+Uqf+yh
wY5uTLy1D1iKJXgOGZQAKrzE+4tMQJrNf6ZOBKfADYzbpqt+iC5u0GtRzLy6PVUY
DD4KChgLnpvzmPkudAsOBeAOS4mMWOzjuNsOP/f3C/aky1F5aI/MELSJkjSM+jl6
7HxDuDdk90qiwXNASvtZUqDkG1rQ2OX2r8OVogwniFceCv9IDQ==
Private-Lines: 14
AAABAHfPBGEmhbDNNQ3DueCwuT/aCb27+q73KA3/k744V/W+i4+1nTg18qflI06Y
pG/NfYFE32TWszFvro0exay67T5l+YlpBd/ko2JVPgwSl3ceIb5FhEFozf4qg3E3
mIJj3lZn1yh56uU+uAg4WixJ7a2mV12ajLGlx11YmnUcm6PsmnhN75DYbuDxrCj0
Y/A0kGIdbg4GVw/u04QZAVTCQkDnhh6b4qfZMI4/v4roo5YF0R+XM9SWdieAKOyG
k9M9u8iOsdrj4GKNNnvyfsNhe4DMqgbKLIHiGa156/ms01KaCvqJ+rnK1Ak8/NPU
edotg2YcObtiNldrGuN5xTmc2Y0AAACBAP0TqLP+9UeJgochG+zUG0X99sn9EBws
tnuqJrsbQmUwwb8lIrHA6KT2CoVWERVkPkfr1skh1l6T8kwbSMj4wU5ocKilFNOs
EE/fyKMqhwODbx1wEk9AyFDOKXWQxBtpXnLQyIkQyxKTC3nJSoiptTMBrHRhzREv
ixCPhvL4LfhZAAAAgQCan/zz8h8wRO7Jhe1zIRtODBSIwCQssfWF+KdTz9Ja4U4f
CKUMGzG82Gv/buDUfILlBg0UeY77VWxqZIp3EE1XLmURib34+68SNcOmhDOah2sB
1cOXmg34GcPp8QfLPbwh766/UNpc+5k73CzIzgpxx7RkyNF86HzaLtyHt6gW1QAA
AIApddk08Sdz2MqqpzbAR+Ev+k6df0R/Kt+OB2L0MAPueRR1pd9XeTzrdYl1HoUX
xvkfx56zqphUtMM0FiDLxtpDvgK1tkHJBtDEQHRWc51+Us1Zol+8AcsPzm4CZ3oQ
0UnT7L+M7aqX4H+Ub+2b7aVDnv2eXZ1UxIBiitdQ4Aq/Dw==
Private-MAC: aecfb3750e28d698c0ae96666867ecd3f04c12fd

As we can see, the Comment field from earlier is present and directly editable. However, modifying any part of them by hand makes passphrase-protected keys unusable.

Because of this, we use puttygen to safely change the comments under all circumstances:

$ puttygen pg_id_rsa -C 'PG Automatic Baeldung'
$ cat pg_id_rsa
PuTTY-User-Key-File-2: ssh-rsa
Encryption: none
Comment: PG Automatic Baeldung
[...]

The change is in effect, and the key is still usable. If the key has a password, we get a simple Enter passphrase to load key prompt.

Naturally, all of these options are also available in the graphical version of PuTTYgen.

5. Summary

In this article, we delved into working with public and private key comments via both the OpenSSH and PuTTY toolsets.

In conclusion, while all comments can be changed, doing so in the proper manner is critical for their correct functioning.

Comments are open for 30 days after publishing a post. For any issues past this date, use the Contact form on the site.