←back to thread

Sign arbitrary data with your SSH keys

(www.agwa.name)
637 points h1x | 2 comments | 13 Nov 21 09:13 UTC | HN request time: 0.001s | source
Show context
pizza ◴[13 Nov 21 10:03 UTC] No.29208734[source]
I get that they're "public" keys, but I was surprised to learn (and from somebody other than github themselves) that ssh public keys are just available at that github.com/username.keys URL (without there being an option to disable it, it seems?). Did most people already know that? Probably fine but just surprised. Just tried searching their authentication docs [0] and I don't get any results for "public key url" either

https://docs.github.com/en/authentication?query=public+key+u...

replies(26): >>29208748 #>>29208752 #>>29208754 #>>29208768 #>>29208790 #>>29208806 #>>29208828 #>>29208856 #>>29208877 #>>29208909 #>>29208990 #>>29209073 #>>29209103 #>>29209113 #>>29209243 #>>29209399 #>>29209634 #>>29210045 #>>29210085 #>>29210460 #>>29211355 #>>29211357 #>>29211783 #>>29212241 #>>29212499 #>>29213083 #
throwaway894345 ◴[13 Nov 21 11:09 UTC] No.29208990[source]
Even cooler, you can tell cloud-init to download your SSH keys from GitHub and drop them in the user's ~/.ssh/authorized_keys. Something like this IIRC:

    users:
      - name: foo
        ssh_authorized_keys: [gh:foo]
replies(1): >>29209262 #
flir ◴[13 Nov 21 12:19 UTC] No.29209262[source]
That was sarcasm, right? (Genuine question). 'cos that sounds like a bad idea to me, and if it's not a bad idea, I'd like to understand why.

Doesn't doing this mean you trust github implicitly?

replies(3): >>29209285 #>>29209671 #>>29210224 #
drran ◴[13 Nov 21 13:47 UTC] No.29209671[source]
GitHub can alter the CODE. Why it should play with just a key? If GitHub wants to pwn the whole world, it can do it right now.
replies(2): >>29209873 #>>29209976 #
1. fortran77 ◴[13 Nov 21 14:32 UTC] No.29209976[source]
Well, github will already shut down repositories that contain words that they deem unacceptable. So they are doing it now...

https://news.ycombinator.com/item?id=9966118

replies(1): >>29210117 #
2. judge2020 ◴[13 Nov 21 14:51 UTC] No.29210117[source]
GH specifically going out of their way to falsify keys of a user would be a much bigger breach of trust than just shutting down repos. They know ssh-import-id-gh is a thing and people use it.