
637 points h1x | 3 comments
pizza No.29208734
I get that they're "public" keys, but I was surprised to learn (and from somebody other than github themselves) that ssh public keys are just available at that github.com/username.keys URL (without there being an option to disable it, it seems?). Did most people already know that? Probably fine but just surprised. Just tried searching their authentication docs [0] and I don't get any results for "public key url" either

https://docs.github.com/en/authentication?query=public+key+u...

OJFord No.29209243
Why would you want to disable it? They're not 'scare-quote' public, they're just public - analogous (kind of craply but workably) to 'distributing' your face, but not your passport/driving licence/etc.

The private key part is secret of course, never shared (that's where the analogy above breaks) but the public part is fine and desirable for everyone to have access to - that's how they verify that you signed something with your private key, how they encrypt a secret message to you.

1. Djrhfbfnsks No.29209286
Because they may be used to learn the identity of an otherwise pseudonymous github account if one uses the same keys with another account that is tied to his real identity.
2. pmontra No.29209429
One key per service. I've got a directory full of them and a long .ssh/config.
3. OJFord No.29209624
If the account is intended to be anonymous, it should have its own keypair not shared with the real identity (or other independently anonymous account).

I say this regardless of whether public keys are being... publicised. User database could be leaked, say, or public keys visible to employees/logged. OpenSSH literally refers to them as 'identities' - if you're trying to be anonymous/anon w.r.t. another it goes without saying that you need to not use the same identity!
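What the "one key per service" and "its own keypair" comments amount to in practice, as an added example rather than any commenter's own configuration: two accounts on the same host, each pinned to its own key, with `IdentitiesOnly` set so ssh never offers the other account's agent-loaded key to the server. The `github-anon` alias and the key file names are assumptions.

```ssh-config
# Added example, not from the thread. Two GitHub accounts, one personal and
# one pseudonymous, each with its own keypair. Hostnames/paths are assumed.

# Default for every host: offer only the IdentityFile named for that host.
# Without IdentitiesOnly, ssh presents every key held by ssh-agent to every
# server it talks to, which is exactly the cross-account linkage the thread
# describes, even if each account was given a different key.
Host *
    IdentitiesOnly yes

# Personal account: clone/push as git@github.com as usual.
Host github.com
    HostName github.com
    User git
    IdentityFile ~/.ssh/id_ed25519_github_personal

# Pseudonymous account: use git@github-anon:org/repo.git as the remote so the
# alias selects the second key; the real host contacted is still github.com.
Host github-anon
    HostName github.com
    User git
    IdentityFile ~/.ssh/id_ed25519_github_anon
```

Generate the second key with an empty comment (`ssh-keygen -t ed25519 -C "" -f ~/.ssh/id_ed25519_github_anon`), since the default comment is `user@host` and gets pasted along with the key. `ssh -T git@github-anon` then greets you with the account name the server matched the key to, which is the check that the alias picked the intended identity.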