←back to thread

Sign arbitrary data with your SSH keys

(www.agwa.name)
637 points h1x | 2 comments | 13 Nov 21 09:13 UTC | HN request time: 0.878s | source
Show context
pizza ◴[13 Nov 21 10:03 UTC] No.29208734[source]
I get that they're "public" keys, but I was surprised to learn (and from somebody other than github themselves) that ssh public keys are just available at that github.com/username.keys URL (without there being an option to disable it, it seems?). Did most people already know that? Probably fine but just surprised. Just tried searching their authentication docs [0] and I don't get any results for "public key url" either

https://docs.github.com/en/authentication?query=public+key+u...

replies(26): >>29208748 #>>29208752 #>>29208754 #>>29208768 #>>29208790 #>>29208806 #>>29208828 #>>29208856 #>>29208877 #>>29208909 #>>29208990 #>>29209073 #>>29209103 #>>29209113 #>>29209243 #>>29209399 #>>29209634 #>>29210045 #>>29210085 #>>29210460 #>>29211355 #>>29211357 #>>29211783 #>>29212241 #>>29212499 #>>29213083 #
throwaway894345 ◴[13 Nov 21 11:09 UTC] No.29208990[source]
Even cooler, you can tell cloud-init to download your SSH keys from GitHub and drop them in the user's ~/.ssh/authorized_keys. Something like this IIRC:

    users:
      - name: foo
        ssh_authorized_keys: [gh:foo]
replies(1): >>29209262 #
flir ◴[13 Nov 21 12:19 UTC] No.29209262[source]
That was sarcasm, right? (Genuine question). 'cos that sounds like a bad idea to me, and if it's not a bad idea, I'd like to understand why.

Doesn't doing this mean you trust github implicitly?

replies(3): >>29209285 #>>29209671 #>>29210224 #
throwaway894345 ◴[13 Nov 21 12:24 UTC] No.29209285[source]
It's not sarcasm. I only use this for hobby projects and I already put my source code and various secrets on GitHub so they could pwn my blog if they really wanted to whether or not I pull public keys from GH or bake them into my user-data.
replies(1): >>29209333 #
Gargyle ◴[13 Nov 21 12:35 UTC] No.29209333[source]
Then this is bad advice in general because its specific to a low trust expectation. Would be sensible to note that in your comment.
replies(1): >>29209594 #
1. keeganpoppen ◴[13 Nov 21 13:37 UTC] No.29209594[source]
it's not advice at all. they are just saying you can do it.
replies(1): >>29210066 #
2. Gargyle ◴[13 Nov 21 14:44 UTC] No.29210066[source]
The parents comment style is inherently advice.