
637 points h1x | 12 comments
pizza ◴[] No.29208734[source]
I get that they're "public" keys, but I was surprised to learn (and from somebody other than github themselves) that ssh public keys are just available at that github.com/username.keys URL (without there being an option to disable it, it seems?). Did most people already know that? Probably fine but just surprised. Just tried searching their authentication docs [0] and I don't get any results for "public key url" either

https://docs.github.com/en/authentication?query=public+key+u...

replies(26): >>29208748 #>>29208752 #>>29208754 #>>29208768 #>>29208790 #>>29208806 #>>29208828 #>>29208856 #>>29208877 #>>29208909 #>>29208990 #>>29209073 #>>29209103 #>>29209113 #>>29209243 #>>29209399 #>>29209634 #>>29210045 #>>29210085 #>>29210460 #>>29211355 #>>29211357 #>>29211783 #>>29212241 #>>29212499 #>>29213083 #
throwaway894345 ◴[] No.29208990[source]
Even cooler, you can tell cloud-init to download your SSH keys from GitHub and drop them in the user's ~/.ssh/authorized_keys. Something like this IIRC:

    users:
      - name: foo
        # ssh_import_id fetches https://github.com/foo.keys (gh:) or Launchpad (lp:)
        # and appends the keys to ~/.ssh/authorized_keys for this user
        ssh_import_id: [gh:foo]
replies(1): >>29209262 #
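A defender-side complement to the cloud-init trick above, added here and not part of the thread: instead of trusting whatever github.com/username.keys serves, bake the SHA256 fingerprints you expect (from `ssh-keygen -lf`) into user-data and only install fetched keys that match. The key blobs below are constructed stand-ins, not real GitHub output.

```python
import base64
import hashlib
import struct


def ssh_blob(key_type: str, raw_key: bytes) -> bytes:
    """Build an SSH public-key blob: length-prefixed type string, then key bytes
    (enough for ssh-ed25519, whose body is a single 32-byte string)."""
    return (struct.pack(">I", len(key_type)) + key_type.encode()
            + struct.pack(">I", len(raw_key)) + raw_key)


def fingerprint(blob: bytes) -> str:
    """OpenSSH-style fingerprint: SHA256 of the blob, base64 without '=' padding."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def filter_pinned_keys(keys_text: str, pinned: set) -> list:
    """Return only the authorized_keys lines whose fingerprint is in `pinned`.
    Malformed lines and lines whose type prefix disagrees with the blob are dropped."""
    accepted = []
    for line in keys_text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        key_type, b64 = parts[0], parts[1]
        try:
            blob = base64.b64decode(b64, validate=True)
        except ValueError:  # binascii.Error is a subclass of ValueError
            continue
        if len(blob) < 4:
            continue
        (type_len,) = struct.unpack(">I", blob[:4])
        if blob[4:4 + type_len] != key_type.encode():
            continue  # declared type does not match the encoded blob
        if fingerprint(blob) in pinned:
            accepted.append(line)
    return accepted


# Constructed sample: two ed25519-shaped keys, formatted as the .keys endpoint serves them.
KEY_A = ssh_blob("ssh-ed25519", bytes(range(32)))
KEY_B = ssh_blob("ssh-ed25519", bytes(32))
FETCHED = "\n".join([
    "ssh-ed25519 " + base64.b64encode(KEY_A).decode(),
    "ssh-ed25519 " + base64.b64encode(KEY_B).decode(),  # not pinned: rejected
    "ssh-rsa " + base64.b64encode(KEY_A).decode(),      # type mismatch: rejected
    "garbage",                                          # malformed: rejected
])
PINNED = {fingerprint(KEY_A)}  # the value you would carry in user-data

if __name__ == "__main__":
    for line in filter_pinned_keys(FETCHED, PINNED):
        print(line)  # only these lines are safe to append to authorized_keys
```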
1. flir ◴[] No.29209262{3}[source]
That was sarcasm, right? (Genuine question). 'cos that sounds like a bad idea to me, and if it's not a bad idea, I'd like to understand why.

Doesn't doing this mean you trust github implicitly?

replies(3): >>29209285 #>>29209671 #>>29210224 #
2. throwaway894345 ◴[] No.29209285[source]
It's not sarcasm. I only use this for hobby projects and I already put my source code and various secrets on GitHub so they could pwn my blog if they really wanted to whether or not I pull public keys from GH or bake them into my user-data.
replies(1): >>29209333 #
3. Gargyle ◴[] No.29209333[source]
Then this is bad advice in general because it's specific to a low trust expectation. Would be sensible to note that in your comment.
replies(1): >>29209594 #
4. keeganpoppen ◴[] No.29209594{3}[source]
it's not advice at all. they are just saying you can do it.
replies(1): >>29210066 #
5. drran ◴[] No.29209671[source]
GitHub can alter the CODE. Why should it play with just a key? If GitHub wants to pwn the whole world, it can do it right now.
replies(2): >>29209873 #>>29209976 #
6. flir ◴[] No.29209873[source]
Can't argue with that, except to say "because it's bad, let's make it worse" doesn't feel like a good rule of thumb.
replies(1): >>29210322 #
7. fortran77 ◴[] No.29209976[source]
Well, github will already shut down repositories that contain words that they deem unacceptable. So they are doing it now...

https://news.ycombinator.com/item?id=9966118

replies(1): >>29210117 #
8. Gargyle ◴[] No.29210066{4}[source]
The parent's comment style is inherently advice.
9. judge2020 ◴[] No.29210117{3}[source]
GH specifically going out of their way to falsify keys of a user would be a much bigger breach of trust than just shutting down repos. They know ssh-import-id-gh is a thing and people use it.
10. tinco ◴[] No.29210224[source]
I trust Github explicitly. Or in my case Gitlab, as that's where our code and our CI/CD is. I'll go even further and tell you that I'd trust the public key on Gitlab to be correct more than I'd trust the keys on my own hard drive to be correct. If I make a mistake in my opsec, and run for example an NPM package or Ruby gem or whatever outside of a container, I could have my keys compromised without me ever noticing. At least Gitlab will drop an e-mail in my inbox saying my key changed. Beyond that, I presume Gitlab is employing a security team that outclasses my little startup by orders of magnitude. If Gitlab gets hacked to the point where people's public keys get changed, that surely would be noticed very quickly.

Curious why you think it would be a bad idea to trust Github/Gitlab to warrant your identity.

replies(1): >>29216822 #
11. ◴[] No.29210322{3}[source]
12. flir ◴[] No.29216822[source]
Fair points. But git(hub|lab) has a much bigger target painted on their back.