←back to thread

Sign arbitrary data with your SSH keys

(www.agwa.name)
637 points h1x | 1 comments | 13 Nov 21 09:13 UTC | HN request time: 0.216s | source
Show context
pizza ◴[13 Nov 21 10:03 UTC] No.29208734[source]
I get that they're "public" keys, but I was surprised to learn (and from somebody other than github themselves) that ssh public keys are just available at that github.com/username.keys URL (without there being an option to disable it, it seems?). Did most people already know that? Probably fine but just surprised. Just tried searching their authentication docs [0] and I don't get any results for "public key url" either

https://docs.github.com/en/authentication?query=public+key+u...

replies(26): >>29208748 #>>29208752 #>>29208754 #>>29208768 #>>29208790 #>>29208806 #>>29208828 #>>29208856 #>>29208877 #>>29208909 #>>29208990 #>>29209073 #>>29209103 #>>29209113 #>>29209243 #>>29209399 #>>29209634 #>>29210045 #>>29210085 #>>29210460 #>>29211355 #>>29211357 #>>29211783 #>>29212241 #>>29212499 #>>29213083 #
diggan ◴[13 Nov 21 10:39 UTC] No.29208877[source]
I don't think it's super well known, but it is very handy. Used it in the past to give people SSH access by just asking for GitHub user, and then basically just doing `curl https://github.com/victorb.keys >> ~/.ssh/authorized_keys` without sending keys back/forward.

Keybase (or similar) would ideally be used for this instead, but they chose to go a very weird route for their tool, and are now disappearing completely eventually probably.

replies(4): >>29208947 #>>29209520 #>>29209813 #>>29211070 #
Hendrikto ◴[13 Nov 21 10:57 UTC] No.29208947[source]
Shouldn‘t you be using different keys for different services though? What you are doing sounds like bad practice.
replies(4): >>29209106 #>>29209133 #>>29209308 #>>29211664 #
1. bityard ◴[13 Nov 21 17:48 UTC] No.29211664[source]
If you're following good security practices like...

* Using a strong passphrase on your private key(s) * Never copying your private keys around between systems (especially not unencrypted) * Using a hardware key management dongle

...then there is little to no _security_ risk in using one key for multiple services vs individual keys for each service. The threat model here is that an attacker is able to discover your private keys somehow. If the system holding the private key(s) is compromised, they can grab multiple keys just as easily as they can grab one.

Others have noted that there can be a slight _privacy_ risk to sharing your SSH public key across services. If you never want your accounts across different services to be correlated with each other, then yes, you would want a separate SSH keypair for each. But many of us use the same identity across services anyway as part of our personal brand so that point is moot for us.