1. Introduction

Numbers and encoding schemes have always been central to computing. Encryption has only increased this trend by introducing personal keys in the form of long encoded sequences. Since humans can't easily match such data to accounts, SSH key comments can serve as hints for that purpose.

In this tutorial, we look at SSH keys and ways to add or change key comments. First, we generate a pair of keys. Next, we look at public key comments and how to modify them. Finally, we explore private keys and ways to add or change their comments.

For brevity and security reasons, we only consider the newest iteration of SSH version 2 (SSHv2) as implemented by OpenSSH and PuTTY.

We tested the code in this tutorial on Debian 11 (Bullseye) with GNU Bash 5.1.4, OpenSSH 8.4p1, and PuTTY 0.77. It should work in most POSIX-compliant environments.

2. Key Generation

To begin with, we generate SSH keys with their defaults via both OpenSSH and PuTTY.

2.1. OpenSSH Keys

First, let’s generate our keys with ssh-keygen:

$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/baeldung/.ssh/id_rsa):
Created directory '/home/baeldung/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/baeldung/.ssh/id_rsa
Your public key has been saved in /home/baeldung/.ssh/id_rsa.pub
The key fingerprint is:

Now, we have one set of two keys:

  • public key: /home/baeldung/.ssh/id_rsa.pub
  • private key: /home/baeldung/.ssh/id_rsa

Further, we add the public key to the authorized_keys file for our user with ssh-copy-id or directly:

$ ssh-copy-id baeldung@web
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/home/baeldung/.ssh/id_rsa.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
baeldung@web's password:

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'baeldung@web'"
and check to make sure that only the key(s) you wanted were added.

$ cat /home/baeldung/.ssh/id_rsa.pub >> /home/baeldung/.ssh/authorized_keys

In addition, we can create some PuTTY SSH keys.

2.2. PuTTY Keys

Let’s generate a key pair with puttygen:

$ puttygen -t rsa -o pg_id_rsa
Enter passphrase to save key:
Re-enter passphrase to verify:

Now, the pg_id_rsa file holds both the public and private keys in the .ppk format.

At this point, we can explore the files involved and see where we have comments.

3. Public Key Comments

To begin, we look at the public key formats of both OpenSSH and PuTTY to see where and how comments are placed.

3.1. OpenSSH Public Key

First, we can check the /home/baeldung/.ssh/authorized_keys file, which already includes the contents of our /home/baeldung/.ssh/id_rsa.pub:

$ cat /home/baeldung/.ssh/authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDBg[...]dCmK47BxWV48= baeldung@web

Here, ssh-rsa marks the key type as one for the RSA algorithm. After that, we have the actual key encoded in base64 until the next whitespace. Finally, the line ends with a free-text comment: baeldung@web, i.e., our username and hostname joined via @.

In essence, the assigned key comment is the part of each line in a public key file ($HOME/.ssh/*.pub) or in the authorized_keys file ($HOME/.ssh/authorized_keys) that sits after the key value and before the newline character.

Moreover, as usual, we can also add comments by starting a line with #. However, such comments are not associated with any key in particular.
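Because the comment is free text outside the key value, an audit should identify keys by fingerprint and treat the comment only as a label. The following Python sketch is an added example, not code from the original article: it parses authorized_keys-style lines, computes the SHA256 fingerprint from the base64 blob, and reports keys that carry several different comments or none. The function names, finding labels and sample keys are assumptions constructed for illustration.

```python
import base64, hashlib, re, struct

# Line layout: [options] keytype base64-blob [comment]; options may hold quoted spaces.
KEY_RE = re.compile(r'(?:^|\s)((?:ssh-|ecdsa-sha2-|sk-)[^\s"]+)\s+'
                    r'([A-Za-z0-9+/]+=*)(?:[ \t]+(.*))?$')

def parse_line(line):
    """Return (keytype, fingerprint, comment), or None for blank, '#' or invalid lines."""
    line = line.strip()
    m = None if not line or line.startswith("#") else KEY_RE.search(line)
    if not m:
        return None
    ktype, b64, comment = m.group(1), m.group(2), m.group(3) or ""
    try:
        blob = base64.b64decode(b64, validate=True)
    except ValueError:
        return None
    # The blob starts with a length-prefixed copy of the key type; it must match.
    if len(blob) < 4 or blob[4:4 + struct.unpack(">I", blob[:4])[0]] != ktype.encode():
        return None
    digest = hashlib.sha256(blob).digest()  # the comment is not part of the hash
    return ktype, "SHA256:" + base64.b64encode(digest).decode().rstrip("="), comment

def audit(text):
    """Group entries by fingerprint; report keys with several comments or none."""
    by_fp = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        parsed = parse_line(line)
        if parsed:
            by_fp.setdefault(parsed[1], []).append((lineno, parsed[2]))
    findings = []
    for fp, entries in by_fp.items():
        comments = sorted({c for _, c in entries if c})
        if len(comments) > 1:
            findings.append(("one-key-many-comments", fp, comments))
        if any(not c for _, c in entries):
            findings.append(("no-comment", fp, [n for n, c in entries if not c]))
    return findings

def constructed_key(seed):
    """Constructed ssh-ed25519 blob for the demo (filler bytes, not a real key)."""
    t = b"ssh-ed25519"
    blob = struct.pack(">I", len(t)) + t + struct.pack(">I", 32) + bytes([seed]) * 32
    return "ssh-ed25519 " + base64.b64encode(blob).decode()

A, B = constructed_key(1), constructed_key(2)
SAMPLE = "\n".join(["# constructed authorized_keys", f"{A} baeldung@web",
                    f"{A} Automatic Baeldung", f'command="echo hi" {B}'])
print(audit(SAMPLE))
```

On a host with OpenSSH installed, ssh-keygen -lf run against the same file prints the fingerprint and comment of each entry.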

3.2. PuTTY Public Key

Critically, neither of the above holds true for the default PuTTYgen public keys:

Comment: "baeldung@web"

In this case, the Comment field holds the assigned comment in quotes, and there is no mechanism for additional comments.

Still, no special tools are necessary to change public key comments in either case. Importantly, changes to the comments in a public key file do not automatically propagate to other files that contain that key.

4. Private Key Comments

Unlike public ones, private keys must be very secure. Thus, they often include password protection to safeguard against malicious activity.

Because of this, we usually do need special tools to modify any part of a private key.

4.1. ssh-keygen

Indeed, we already used ssh-keygen to create our private key at /home/baeldung/.ssh/id_rsa. Yet, we can further employ the same tool to read and write private key comments:

$ ssh-keygen -c
Enter file in which the key is (/home/baeldung/.ssh/id_rsa):
Old comment: baeldung@web
New comment: Baeldung
Comment 'Baeldung' applied

Here, we use the -c flag to request a comment change. Consequently, ssh-keygen interactively guides us to enter the key file path, a passphrase (if any), and the new comment. Of course, we can also see the original comment before changing it. To interrupt, we can just use Ctrl+C.

To do the above in one seamless operation, we can combine several flags:

$ ssh-keygen -c -f /home/baeldung/.ssh/id_rsa -P 'PASSPHRASE' -C 'Automatic Baeldung'
Old comment: Baeldung
Comment 'Automatic Baeldung' applied

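In this command, we supply the file after the -f flag, the key passphrase (if any) after -P, and the new comment after -C. Note that a passphrase passed via -P ends up in the shell history and is visible in the process list while the command runs; if we omit -P, ssh-keygen prompts for the passphrase instead.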

Notably, ssh-keygen -c changes the comments in both the public and private key local files.

4.2. puttygen

Of course, the pg_id_rsa file holds both our keys:

$ cat pg_id_rsa
PuTTY-User-Key-File-2: ssh-rsa
Encryption: none
Comment: rsa-key-20221010
Public-Lines: 6
Private-Lines: 14
Private-MAC: aecfb3750e28d698c0ae96666867ecd3f04c12fd

As we can see, the Comment field from earlier is present and directly editable. However, modifying any part of the file by hand makes passphrase-protected keys unusable.

Because of this, we use puttygen to safely change the comments under all circumstances:

$ puttygen pg_id_rsa -C 'PG Automatic Baeldung'
$ cat pg_id_rsa
PuTTY-User-Key-File-2: ssh-rsa
Encryption: none
Comment: PG Automatic Baeldung

The change is in effect, and the key is still usable. If the key has a passphrase, we get a simple "Enter passphrase to load key" prompt.

Naturally, all of these options are also available in the graphical version of PuTTYgen.
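The reason a hand-edited Comment line breaks a passphrase-protected key is the Private-MAC field: in the PuTTY-User-Key-File-2 format, the comment is one of the inputs to that MAC. The Python sketch below is an added example, not code from the original article or from PuTTY; it follows the MAC layout of PuTTY's documented version 2 key format, and the blobs, passphrase and function names are constructed for illustration.

```python
import hashlib, hmac, struct

def ssh_string(data: bytes) -> bytes:
    """SSH-style string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data

def ppk2_mac(algorithm, encryption, comment, public_blob, private_blob, passphrase=""):
    """Private-MAC of a version 2 key file as lowercase hex (HMAC-SHA-1)."""
    # MAC key: SHA-1 of a fixed label, plus the passphrase when the key is encrypted.
    secret = passphrase if encryption != "none" else ""
    mac_key = hashlib.sha1(b"putty-private-key-file-mac-key" + secret.encode()).digest()
    # MAC input: the header values and both key blobs, each length-prefixed.
    fields = (algorithm.encode(), encryption.encode(), comment.encode(),
              public_blob, private_blob)
    data = b"".join(ssh_string(f) for f in fields)
    return hmac.new(mac_key, data, hashlib.sha1).hexdigest()

def comment_edit_survives(old_comment, new_comment, **key):
    """True if the stored MAC still verifies after the Comment line is changed by hand."""
    stored = ppk2_mac(comment=old_comment, **key)      # written when the key was saved
    recomputed = ppk2_mac(comment=new_comment, **key)  # computed by a loader afterwards
    return hmac.compare_digest(stored, recomputed)

# Constructed key material: filler bytes stand in for the real blobs.
KEY = dict(algorithm="ssh-rsa", encryption="aes256-cbc",
           public_blob=b"\x01" * 16, private_blob=b"\x02" * 32,
           passphrase="constructed")

print(comment_edit_survives("rsa-key-20221010", "PG Automatic Baeldung", **KEY))
```

puttygen -C avoids the mismatch because it rewrites the whole file, including a freshly computed Private-MAC.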

5. Summary

In this article, we delved into working with public and private key comments via both the OpenSSH and PuTTY toolsets.

In conclusion, while all comments can be changed, doing so in the proper manner is critical for their correct functioning.
