
637 points h1x | 2 comments
pizza ◴[] No.29208734[source]
I get that they're "public" keys, but I was surprised to learn (and from somebody other than github themselves) that ssh public keys are just available at that github.com/username.keys URL (without there being an option to disable it, it seems?). Did most people already know that? Probably fine but just surprised. Just tried searching their authentication docs [0] and I don't get any results for "public key url" either

https://docs.github.com/en/authentication?query=public+key+u...

replies(26): >>29208748 #>>29208752 #>>29208754 #>>29208768 #>>29208790 #>>29208806 #>>29208828 #>>29208856 #>>29208877 #>>29208909 #>>29208990 #>>29209073 #>>29209103 #>>29209113 #>>29209243 #>>29209399 #>>29209634 #>>29210045 #>>29210085 #>>29210460 #>>29211355 #>>29211357 #>>29211783 #>>29212241 #>>29212499 #>>29213083 #
Edmond ◴[] No.29209103[source]
>I get that they're "public" keys

From your quote around "public", I presume you think there is some sense in which they're not really public? They are and should ALWAYS be considered PUBLIC. If you find yourself ever crafting a security solution where public keys somehow need to be private or secret, go back to the drawing board or reach out to someone with serious expertise.

There are cases where information on a certificate (which is associated with a public key) may indeed need to be protected; in that case you need to implement an information mask (via hashing) that can protect the private information. We had to do something similar with Certisfy.com certificates. But public keys should be considered public without exceptions.

replies(8): >>29209253 #>>29209264 #>>29209312 #>>29209521 #>>29209535 #>>29210485 #>>29211342 #>>29211702 #
Eduard ◴[] No.29209535[source]
Please post here all your public keys from pairs you use for SSHing to your servers.
replies(1): >>29210479 #
1. oehpr ◴[] No.29210479[source]
I would but 2 of them are RSA keys and I don't want to make the comments messy.

Here's my ed key though.

  ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN3sRdLQYzhroFcUsId9X2xS1Um9bP0E+FiuiO5/qF5W oehpr

What's your point with this? Is there some factor I need to be aware of here? Others have brought up privacy, but I'm fine with my servers knowing I'm devious hacker oehpr.
replies(1): >>29211079 #
2. Eduard ◴[] No.29211079[source]
Yes, I rhetorically asked for your public keys because they are personally identifiable data.

While some may be fine having public keys disseminated publicly, other github users would prefer keeping this data private, as it can be used for looking up their real identities.
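The thread's point is that a public key is a stable identifier: the `github.com/<username>.keys` endpoint serves keys in plain authorized_keys format, and the same key material in a server's `authorized_keys` links that server account to the GitHub identity no matter what comment the line carries. The following Python is an added example, not code from the thread or from GitHub or OpenSSH. It parses authorized_keys-style text, computes the `SHA256:` fingerprint that `ssh-keygen -lf` prints, and reports which of a user's published keys also appear in a server's `authorized_keys`, so an operator can see which of their own keys are publicly linkable. All key bytes and helper names (`make_key_line`, `parse_keys_text`, `overlapping_fingerprints`) are constructed for this example.

```python
"""Audit which publicly served SSH keys also grant access to a server.

Added example; the helper names are this example's own, not GitHub's or
OpenSSH's API. The sample key bytes are constructed and belong to nobody."""
import base64
import hashlib
import struct


def _read_ssh_string(buf: bytes, offset: int):
    """Read one length-prefixed string from an SSH wire-format blob."""
    if offset + 4 > len(buf):
        raise ValueError("truncated length field")
    (length,) = struct.unpack_from(">I", buf, offset)
    offset += 4
    if offset + length > len(buf):
        raise ValueError("truncated string field")
    return buf[offset:offset + length], offset + length


def make_key_line(key_type: str, raw_key: bytes, comment: str = "") -> str:
    """Build one authorized_keys-style line from raw key bytes.

    Only the ed25519 layout (type string + 32-byte key) is built here;
    the key bytes passed in are constructed sample values, not a real key."""
    blob = (struct.pack(">I", len(key_type)) + key_type.encode()
            + struct.pack(">I", len(raw_key)) + raw_key)
    line = f"{key_type} {base64.b64encode(blob).decode()}"
    return f"{line} {comment}" if comment else line


def parse_keys_text(text: str):
    """Return a list of (key_type, blob, comment) tuples.

    Blank lines and '#' comment lines are skipped. A line whose base64 blob
    does not begin with its declared key type is rejected, not accepted."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 2)
        if len(parts) < 2:
            raise ValueError(f"line {lineno}: expected '<type> <base64> [comment]'")
        key_type, b64 = parts[0], parts[1]
        comment = parts[2] if len(parts) == 3 else ""
        try:
            blob = base64.b64decode(b64, validate=True)
        except ValueError as exc:  # binascii.Error is a ValueError subclass
            raise ValueError(f"line {lineno}: bad base64") from exc
        declared, _ = _read_ssh_string(blob, 0)
        if declared != key_type.encode():
            raise ValueError(f"line {lineno}: blob type {declared!r} != {key_type!r}")
        entries.append((key_type, blob, comment))
    return entries


def fingerprint_sha256(blob: bytes) -> str:
    """OpenSSH-style fingerprint: SHA256 of the blob, base64 without '=' padding."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def overlapping_fingerprints(published_text: str, authorized_text: str) -> set:
    """Fingerprints present both in a publicly served key list and in a
    server's authorized_keys. The comment field is ignored on purpose: it
    is the key material, not the label, that links the two."""
    published = {fingerprint_sha256(b) for _, b, _ in parse_keys_text(published_text)}
    authorized = {fingerprint_sha256(b) for _, b, _ in parse_keys_text(authorized_text)}
    return published & authorized


# Constructed sample data: two fake ed25519 keys, one reused on a server
# under a different comment.
KEY_A = bytes(range(32))
KEY_B = bytes(range(32, 64))
PUBLISHED = "\n".join([
    make_key_line("ssh-ed25519", KEY_A, "laptop"),
    make_key_line("ssh-ed25519", KEY_B),
])
AUTHORIZED = "\n".join([
    "# constructed authorized_keys for a server",
    make_key_line("ssh-ed25519", KEY_A, "alice@work"),
])

if __name__ == "__main__":
    for key_type, blob, comment in parse_keys_text(PUBLISHED):
        print(key_type, fingerprint_sha256(blob), comment or "(no comment)")
    print("publicly linkable keys:", overlapping_fingerprints(PUBLISHED, AUTHORIZED))
```

Feeding the text of your own `.keys` page and a server's `authorized_keys` into `overlapping_fingerprints` shows exactly which keys tie that server account to your public profile; using a separate key pair per context, rather than relying on the comment field, is what keeps them unlinked.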