osdf-devteam team mailing list archive

Re: Potential security risk with launchpad and SSH keys

 

On Mon, Dec 13, 2010 at 6:35 AM, Toast McFarland <daimoneze@xxxxxxxxx> wrote:
> I've noticed when you generate an SSH key, the program will place a comment
> at the end of the key file in the form username@machinename. Launchpad will
> print this comment in your user profile, so anyone that accesses your lp
> profile will know your username if you happen to have saved a key there.
>
> I recommend opening the public key file and changing your username to
> something else.

Yes, according to the man page:
  * http://www.manpagez.com/man/1/ssh-keygen/

That's the comment field. If you're invoking ssh-keygen from a
command-line somewhere, you can actually set that to whatever you want
by hand by specifying '-c' as well. So you're free to set it to
whatever you want. Some people set it *just* to their name.

Also, this is only a real threat if your 'machinename' is publicly
accessible (e.g., not firewalled behind something like say a NAT or a
router) and routable. For example, *one* of my ssh keys might be
tagged 'sam@rygel', but that's for my laptop which floats from network
to network and is never identified as 'rygel' anywhere.

I'd imagine if you were running Windows and this '@machinename' was
also your NetBIOS name this could be a bigger concern. (As that might
be broadcast on networks you join).

                                      ---Sam
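
Added example, not part of the original messages: a public key file is one line of key type, base64 key data, and a free-text comment, so the comment can be checked and replaced without touching the key itself. The function names and the sample key (all-zero key bytes) are constructed for illustration.

```python
import base64
import re
import struct

# Default ssh-keygen comments look like login@hostname. An e-mail address
# matches too; this only flags the comment for review.
USER_AT_HOST = re.compile(r"^[^@\s]+@[^@\s]+$")


def _blob_key_type(blob_b64):
    """Return the key type name stored at the start of the base64 key data."""
    raw = base64.b64decode(blob_b64, validate=True)
    if len(raw) < 4:
        raise ValueError("key data too short")
    (length,) = struct.unpack(">I", raw[:4])
    return raw[4:4 + length].decode("ascii", "replace")


def split_pubkey(line):
    """Split a one-line public key file into (key_type, blob, comment)."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, blob = parts[0], parts[1]
    # Cross-check the fields: the key data repeats the key type internally.
    if _blob_key_type(blob) != key_type:
        raise ValueError("key type does not match key data")
    comment = parts[2] if len(parts) == 3 else ""
    return key_type, blob, comment


def looks_like_user_at_host(comment):
    return bool(USER_AT_HOST.match(comment))


def relabel(line, new_comment):
    """Return the same key with a different comment; key data is untouched."""
    key_type, blob, _ = split_pubkey(line)
    return " ".join(p for p in (key_type, blob, new_comment) if p)


# Constructed sample: all-zero key bytes (not a usable key), carrying the
# comment used as an illustration in the message above.
_BLOB = base64.b64encode(struct.pack(">I", 11) + b"ssh-ed25519"
                         + struct.pack(">I", 32) + bytes(32)).decode()
SAMPLE = "ssh-ed25519 " + _BLOB + " sam@rygel"

if __name__ == "__main__":
    print(split_pubkey(SAMPLE)[2], looks_like_user_at_host(split_pubkey(SAMPLE)[2]))
    print(relabel(SAMPLE, "laptop key"))
```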


