
637 points h1x | 1 comments
pizza No.29208734
I get that they're "public" keys, but I was surprised to learn (and from somebody other than github themselves) that ssh public keys are just available at that github.com/username.keys URL (without there being an option to disable it, it seems?). Did most people already know that? Probably fine but just surprised. Just tried searching their authentication docs [0] and I don't get any results for "public key url" either

https://docs.github.com/en/authentication?query=public+key+u...

surfsvammel No.29208909
It’s very handy. I use it often. Whenever I, or someone else, need to add my public key to a server somewhere, that’s where I get it from.
Hendrikto No.29208957
Are you guys really using one SSH key for all services? That's really bad practice.
justusthane No.29210457
No, it’s not. It’s not the same as reusing a password, because unlike a password, your private key never leaves your local machine. It doesn’t matter if one of the services that you’re using the key pair to authenticate to is compromised—your private key is still safe.

In order to compromise your private key the attacker would have to gain access to your local machine, in which case all of your private keys are compromised.

You should use different key pairs per client, so that if one client machine is compromised you don’t have to change keys on the rest of them.
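The fetch-and-append workflow surfsvammel describes above, and the per-client revocation that justusthane's reply relies on, as an added Python example that is not from the thread, from GitHub or from OpenSSH. It operates on the text of a `https://github.com/<user>.keys` response rather than fetching it, so the response body, the existing authorized_keys line and every key blob are constructed dummy data (correct wire layout, not real keys); `ALLOWED_TYPES`, the `github:<user>` comment tag and the user name `exampleuser` are assumptions. The point it adds to the thread: the `.keys` URL is plain text anyone can serve you, so check that the type on each line matches the type embedded in the blob before it lands in authorized_keys, record where each key came from, and revoke one client's key by fingerprint without touching the others.

```python
import base64, hashlib, struct

# Key types this host will accept (assumption; tighten to taste).
ALLOWED_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
                 "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}

def ssh_string(b: bytes) -> bytes:
    """RFC 4251 'string': big-endian uint32 length, then the bytes."""
    return struct.pack(">I", len(b)) + b

def embedded_type(blob: bytes) -> bytes:
    """First RFC 4251 string in a public key blob, i.e. the key type it really is."""
    if len(blob) < 4 or len(blob) < 4 + (n := struct.unpack(">I", blob[:4])[0]):
        raise ValueError("truncated blob")
    return blob[4:4 + n]

def fingerprint(blob: bytes) -> str:
    """Same form as `ssh-keygen -lf`: SHA256 of the raw blob, unpadded base64."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

def parse_keys_response(text: str):
    """Split a .keys-style body into (accepted, rejected); the type on the line is
    cross-checked against the type inside the blob so a mislabelled line is refused."""
    accepted, rejected = [], []
    for line in filter(None, map(str.strip, text.splitlines())):
        parts = line.split()
        if len(parts) < 2:
            rejected.append((line, "expected 'type base64 [comment]'"))
            continue
        key_type, b64 = parts[0], parts[1]
        if key_type not in ALLOWED_TYPES:
            rejected.append((line, f"type {key_type} not allowed"))
            continue
        try:
            blob = base64.b64decode(b64, validate=True)  # binascii.Error is a ValueError
            real = embedded_type(blob)
        except ValueError as e:
            rejected.append((line, f"bad blob: {e}"))
            continue
        if real != key_type.encode():
            rejected.append((line, f"blob is {real.decode(errors='replace')}, line says {key_type}"))
            continue
        accepted.append({"type": key_type, "b64": b64, "fingerprint": fingerprint(blob)})
    return accepted, rejected

def _key_pair(line: str):
    """(type, base64) of an authorized_keys line, skipping an options prefix
    (simplification: options with spaces inside quotes are not handled)."""
    parts = line.split()
    for i in range(len(parts) - 1):
        if parts[i] in ALLOWED_TYPES:
            return parts[i], parts[i + 1]
    return None

def merge_authorized_keys(existing: str, keys, user: str, options: str = "") -> str:
    """Append each key once (identity is type+blob, so re-runs never duplicate),
    with an optional options prefix and a comment recording where it came from."""
    present = {p for p in map(_key_pair, existing.splitlines()) if p}
    out = existing if not existing or existing.endswith("\n") else existing + "\n"
    for k in keys:
        if (k["type"], k["b64"]) not in present:
            out += f'{options + " " if options else ""}{k["type"]} {k["b64"]} github:{user}\n'
            present.add((k["type"], k["b64"]))
    return out

def revoke_by_fingerprint(existing: str, fp: str) -> str:
    """Drop only the line(s) carrying key fp; every other client's key stays."""
    kept = []
    for line in existing.splitlines():
        pair = _key_pair(line)
        try:
            if pair and fingerprint(base64.b64decode(pair[1], validate=True)) == fp:
                continue
        except ValueError:
            pass
        kept.append(line)
    return "".join(l + "\n" for l in kept)

def _blob_b64(key_type: str, *fields: bytes) -> str:
    return base64.b64encode(b"".join(ssh_string(f) for f in (key_type.encode(), *fields))).decode()

# Constructed stand-in for the body of https://github.com/<user>.keys. Blobs are
# built from dummy bytes in the right wire layout; they are NOT real keys.
SAMPLE_KEYS_RESPONSE = "\n".join([
    "ssh-ed25519 " + _blob_b64("ssh-ed25519", bytes(range(32))),
    "ssh-rsa " + _blob_b64("ssh-rsa", b"\x01\x00\x01", b"\x00" + bytes(range(1, 40))),
    "ssh-ed25519 " + _blob_b64("ssh-rsa", bytes(range(32))),  # label/blob mismatch
    "ssh-dss " + _blob_b64("ssh-dss", b"x"),                  # type not allowed
    "garbage line",
]) + "\n"
EXISTING_AUTHORIZED_KEYS = "ssh-ed25519 " + _blob_b64("ssh-ed25519", bytes(32)) + " laptop\n"  # constructed

if __name__ == "__main__":
    ok, bad = parse_keys_response(SAMPLE_KEYS_RESPONSE)
    print(merge_authorized_keys(EXISTING_AUTHORIZED_KEYS, ok, "exampleuser", "restrict,pty"))
```

In real use the body would come from `curl -fsS https://github.com/<user>.keys` and the merged text would replace `~/.ssh/authorized_keys` (mode 0600) for the target account. The `restrict,pty` prefix is the OpenSSH authorized_keys option that switches off forwarding, agent forwarding and the like and then re-enables only a terminal; drop or change it to suit the account. The mismatch and not-allowed lines in the sample are rejected, the two well-formed ones are appended once no matter how often the merge runs, and `revoke_by_fingerprint` removes a single client's key while the `laptop` key and the other GitHub key stay in place.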