
637 points h1x | 2 comments
pizza No.29208734
I get that they're "public" keys, but I was surprised to learn (and from somebody other than github themselves) that ssh public keys are just available at that github.com/username.keys URL (without there being an option to disable it, it seems?). Did most people already know that? Probably fine but just surprised. Just tried searching their authentication docs [0] and I don't get any results for "public key url" either

https://docs.github.com/en/authentication?query=public+key+u...

replies(26): >>29208748 #>>29208752 #>>29208754 #>>29208768 #>>29208790 #>>29208806 #>>29208828 #>>29208856 #>>29208877 #>>29208909 #>>29208990 #>>29209073 #>>29209103 #>>29209113 #>>29209243 #>>29209399 #>>29209634 #>>29210045 #>>29210085 #>>29210460 #>>29211355 #>>29211357 #>>29211783 #>>29212241 #>>29212499 #>>29213083 #
throwaway894345 No.29208990
Even cooler, you can tell cloud-init to download your SSH keys from GitHub and drop them in the user's ~/.ssh/authorized_keys. Something like this IIRC:

    #cloud-config
    users:
      - name: foo
        # ssh_import_id fetches the keys (gh: = GitHub, lp: = Launchpad) via the
        # ssh-import-id tool; ssh_authorized_keys takes literal key lines instead.
        ssh_import_id: [gh:foo]
replies(1): >>29209262 #
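What a careful importer should do with the text that comes back from a `<username>.keys` URL before it lands in authorized_keys, as an added example. This is not cloud-init's or ssh-import-id's code and not GitHub's; it assumes the `.keys` body is one `type base64` pair per line, checks each line structurally (allowed type, valid base64, and the type name embedded in the key blob matching the declared one), computes the same SHA256 fingerprint `ssh-keygen -lf` prints, merges idempotently into an existing authorized_keys text (optionally prefixed with options such as `restrict`), and reports which fingerprints appeared or vanished compared with a set recorded on a previous fetch. The sample key lines are constructed so the blobs are structurally valid but are not real keys; the functions, `ALLOWED_TYPES`, and `compare_with_pins` are this example's own names.

```python
import base64
import hashlib
import struct

# Key types we are willing to install; anything else is rejected outright.
ALLOWED_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
                 "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}

def fingerprint_sha256(blob: bytes) -> str:
    """Same form as `ssh-keygen -lf` prints: unpadded base64 of SHA-256(blob)."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def _wire_string(blob: bytes, offset: int):
    """Read one RFC 4251 'string' (big-endian uint32 length + bytes)."""
    if offset + 4 > len(blob):
        raise ValueError("truncated length field")
    (n,) = struct.unpack(">I", blob[offset:offset + 4])
    end = offset + 4 + n
    if end > len(blob):
        raise ValueError("truncated string")
    return blob[offset + 4:end], end

def parse_key_line(line: str) -> dict:
    """Validate one `<type> <base64> [comment]` line; ValueError if unusable.
    The first wire string inside the blob must name the declared type."""
    parts = line.split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64>'")
    ktype, b64 = parts[0], parts[1]
    comment = parts[2].strip() if len(parts) == 3 else ""
    if ktype not in ALLOWED_TYPES:
        raise ValueError(f"key type not allowed: {ktype}")
    blob = base64.b64decode(b64, validate=True)  # binascii.Error is a ValueError
    embedded, _ = _wire_string(blob, 0)
    if embedded != ktype.encode():
        raise ValueError("declared type does not match key blob")
    return {"type": ktype, "b64": b64, "comment": comment,
            "fingerprint": fingerprint_sha256(blob)}

def parse_keys_response(text: str):
    """Split a `.keys` body into (accepted, rejected); rejected = [(line, why)]."""
    accepted, rejected = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            accepted.append(parse_key_line(line))
        except ValueError as exc:
            rejected.append((line, str(exc)))
    return accepted, rejected

def merge_authorized_keys(existing: str, keys: list, options: str = ""):
    """Append keys not already present; return (new_text, added_fingerprints).
    Dedupes on (type, blob), so entries that already carry options still match."""
    present = set()
    for raw in existing.splitlines():
        toks = raw.split()
        for i, tok in enumerate(toks[:-1]):
            if tok in ALLOWED_TYPES:
                present.add((tok, toks[i + 1]))
                break
    out = existing if existing == "" or existing.endswith("\n") else existing + "\n"
    added = []
    for k in keys:
        if (k["type"], k["b64"]) in present:
            continue
        prefix = options + " " if options else ""
        out += f"{prefix}{k['type']} {k['b64']} {k['comment']}".rstrip() + "\n"
        present.add((k["type"], k["b64"]))
        added.append(k["fingerprint"])
    return out, added

def compare_with_pins(pinned: set, keys: list):
    """Fingerprints that appeared / disappeared since the last recorded fetch."""
    seen = {k["fingerprint"] for k in keys}
    return sorted(seen - pinned), sorted(pinned - seen)

# ---- Constructed sample input: structurally valid blobs, NOT real keys ----
def _fake_blob(ktype: str, material: bytes) -> str:
    t = ktype.encode()
    blob = struct.pack(">I", len(t)) + t + struct.pack(">I", len(material)) + material
    return base64.b64encode(blob).decode()

def sample_keys_response() -> str:
    """Mimics a `.keys` body: one `type blob` per line, plus three bad lines."""
    return "\n".join([
        "ssh-ed25519 " + _fake_blob("ssh-ed25519", b"\x01" * 32),
        "ssh-rsa " + _fake_blob("ssh-rsa", b"\x01\x00\x01"),
        "ssh-ed25519 " + _fake_blob("ssh-rsa", b"\x01"),  # type/blob mismatch
        "ssh-ed25519 not*valid*base64",                     # bad encoding
        "ssh-dss AAAA",                                     # disallowed type
    ]) + "\n"
```

Running `parse_keys_response(sample_keys_response())` accepts the two well-formed lines and rejects the other three with a reason each; feeding the accepted keys to `merge_authorized_keys` twice adds them once and then nothing, and `compare_with_pins` against the fingerprints you stored from the last fetch is the hook for the "my key changed" alert the later comments in this thread rely on, since the fetch itself gives you no such signal. Dedupe is on the key material, not the whole line, so an entry already restricted with `from=` or `restrict` is not duplicated when the same key comes back from the fetch.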
flir No.29209262
That was sarcasm, right? (Genuine question). 'cos that sounds like a bad idea to me, and if it's not a bad idea, I'd like to understand why.

Doesn't doing this mean you trust github implicitly?

replies(3): >>29209285 #>>29209671 #>>29210224 #
tinco No.29210224
I trust Github explicitly. Or in my case Gitlab, as that's where our code and our CI/CD is. I'll go even further and tell you that I'd trust the public key on Gitlab to be correct more than I'd trust the keys on my own hard drive to be correct. If I make a mistake in my opsec, and run for example an NPM package or Ruby gem or whatever outside of a container, I could have my keys compromised without me ever noticing. At least Gitlab will drop an e-mail in my inbox saying my key changed. Beyond that, I presume Gitlab is employing a security team that outclasses my little startup by orders of magnitude. If Gitlab gets hacked to the point where people's public keys get changed, that surely would be noticed very quickly.

Curious why you think it would be a bad idea to trust Github/Gitlab to warrant your identity.

replies(1): >>29216822 #
flir No.29216822
Fair points. But git(hub|lab) has a much bigger target painted on their back.