44

I just noticed that most of the ssh pubkeys in my authorized_keys end in == or =.

E.g.

```
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA9ZUwxXn2HZAAUswoaV8t2sQPvolVWDI053f0giNN154Zyi9FtWJKvyLHXoxW4IzFxgx+m6EYqXG/XCtfamLhwvGZv9FXkgQKeF6HJv/rjyKRBHPRyX0vV4S9uQU+xQV7f0Ock3urSzbUyoCgngA8Ax6AkYGmMTLLjx1HOBO/TJ477aysWt4IAg1gviT50I4xOYiHT4vC67czoDTnPl0UfKQJaM0+6WrneK7FJbd/8CAX7P7IxOhj1OxVbnEoh9FvecLbSDdOx/LF+kJcav/LThuoG7NR+Y+rS9lNkta3/KPi3IBMPum+bZpXJF7fkHl9Kx/iOMitT7KjNW/mty74xw== foo@bar
```

However, today I saw a pubkey without an equal sign at the end. Also, I noticed that the only place where an = ever occurs in a pubkey is at the end and never anywhere else.

Now I'm just curious as to what is the meaning of zero, one or two equal signs at the end of a pub key?

Lukas Loesche

1 Answer

55

I believe there is no technical reason; it's merely an artifact of Base64 and the length of the string. Try it out with any Base64 encoder:

```
1     -> MQ==     (1 characters, 2 equals)
12    -> MTI=     (2 characters, 1 equals)
123   -> MTIz     (3 characters, 0 equals)
1234  -> MTIzNA== (4 characters, 2 equals)
[repeat]
```

But I may be wrong about that.

Smudge
  • 18
    It's base64 encoding, nothing special about it. [Wikipedia article on Base64#Padding](http://en.wikipedia.org/wiki/Base64#Padding) – Chris S Feb 09 '12 at 13:37
  • 2
    Interesting that the relevant RFC http://www.ietf.org/rfc/rfc4716.txt doesn't mention this, which may suggest you are right. – dunxd Feb 09 '12 at 13:45
  • @dunxd I only scanned through that RFC but I believe that refers to the .pub file rather than the `authorized_keys` file, although I think the same situation applies. Since the key is binary data but the file must be text, Base64 solves that issue – Smudge Feb 09 '12 at 13:52
  • 5
    @dunxd: The RFC does say that it uses Base64 encoding, and reading about Base64 makes it clear that it pads the end with `=`. – Christoffer Hammarström Feb 09 '12 at 16:21
  • OpenSSH RSA/DSA keys are stored as *DER*-encoded *ASN.1* structures which are turned into text using Base64 (plus *PEM* framing for private keys). – yrk Mar 23 '12 at 14:51
  • 1
    Related: _[StackOverflow: Why does a base64 encoded string have an `=` sign at the end?](http://stackoverflow.com/q/6916805/617937)_ – IQAndreas Sep 16 '16 at 14:18
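
The padding rule from the answer, applied to key blobs instead of short strings, as an added example that is not part of the original answer or comments: the number of `=` signs is `(3 - blob_length % 3) % 3`, so it follows from the key type and size alone. The helper names, the constructed sample keys and the assumption of a plain `type base64 comment` line (no options prefix) belong to this example.

```python
import base64
import struct

def ssh_string(data: bytes) -> bytes:
    """SSH wire 'string': 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data

def ssh_mpint(value: int) -> bytes:
    """SSH wire 'mpint' for a positive integer (0x00 is prepended if the top bit is set)."""
    return ssh_string(value.to_bytes(value.bit_length() // 8 + 1, "big"))

def make_line(key_type: str, *fields: bytes) -> str:
    """Build a constructed 'type base64 comment' line (no options prefix)."""
    blob = ssh_string(key_type.encode()) + b"".join(fields)
    return f"{key_type} {base64.b64encode(blob).decode()} constructed@example"

def inspect_key_line(line: str) -> dict:
    """Decode the Base64 field and compare its '=' count with the blob length."""
    key_type, b64 = line.split()[:2]
    blob = base64.b64decode(b64, validate=True)  # raises on bad alphabet or padding
    (n,) = struct.unpack(">I", blob[:4])         # length of the first wire string
    return {
        "type": key_type,
        "inner_type": blob[4:4 + n].decode("ascii"),  # should equal key_type
        "blob_len": len(blob),
        "padding": len(b64) - len(b64.rstrip("=")),
        "expected_padding": (3 - len(blob) % 3) % 3,
    }

# Constructed numbers with the right bit lengths; they are not usable keys.
N_1024 = (1 << 1023) | 1
N_2048 = (1 << 2047) | 1
SAMPLES = {
    "rsa-1024 e=35": make_line("ssh-rsa", ssh_mpint(35), ssh_mpint(N_1024)),
    "rsa-2048 e=35": make_line("ssh-rsa", ssh_mpint(35), ssh_mpint(N_2048)),
    "rsa-2048 e=65537": make_line("ssh-rsa", ssh_mpint(65537), ssh_mpint(N_2048)),
    "ed25519": make_line("ssh-ed25519", ssh_string(bytes(32))),
}

if __name__ == "__main__":
    for name, line in SAMPLES.items():
        info = inspect_key_line(line)
        print(f"{name:18} {info['blob_len']:4d} bytes -> {info['padding']} '='")
```

The constructed 2048-bit sample with exponent 35 starts with the same `AAAAB3NzaC1yc2EAAAABIw` prefix as the key in the question and, like it, ends in `==`.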