SSH public keys for any GitHub user (opens in new tab)

(github.com)

9 pointsscheub4y ago17 comments

17 comments

One potentially interesting point of discussion here is to compare GitHub to PGP keyservers. Both provide a means of sharing someone’s keys with a wide audience. GitHub probably has gotten more people actively using SSH keys than are actively using PGP to encrypt or sign material.

Then there’s the more controversial possibility that with such a large userbase, SSH could encroach on what was traditionally PGP’s territory. Giving someone a new account with password “changeme” is already long obsolete. How about when SSH signatures become mainstream? https://mobile.twitter.com/damienmiller/status/1452796122250...

ezfe4y ago

Well, they're public keys

cassianoleal4y ago

Yep, exactly. Why is this posted here?

TingPing4y ago

Neat feature I didn't know about.

detaro4y ago

fairly well known, also documented in the API: https://docs.github.com/en/rest/reference/users#list-public-...

If you have your system set to automatically use said key other SSH servers you connect to can tie that to your github user, which technically is a privacy leak, but generally not a serious concern. But if you want to keep a github (or other) account private, take care to give it a dedicated key and only have git/SSH use it when connecting to that specific site.

zvr4y ago

If this is news to people, then: similar to https://github.com/${USER}.keys, there is https://github.com/${USER}.gpg that gets you to GPG key of a user.

Not sure how you can get more than one key, in any of these cases.

jonobird14y ago

Do you mind expanding on why this is important? As @ezfe says below, it's a public key.

scheubOP4y ago

It's not because I think it's exploitable in any way (it's not - public keys are public), but because it's a neat feature I found interesting that many people don't know about. It also has potential use cases, like automatically keeping a machine's authorized_keys up to date with members in a team, or skipping having to ask for someone's public key when sharing access.

nixpulvis4y ago

Funny, I was just trying to use Git for Windows the other day, and was completely unsuccessful without authentication, even just to pull a public repo.

Shit's fucked y'all.

selfhoster114y ago

You have to pull via HTTPS. SSH checkout is meant for project contributors, which is why IIRC it requires authentication even to pull the code.

nixpulvis4y ago

It triggers an oauth popup...

junon4y ago

What's this have to do with the keys API?

nixpulvis4y ago

Honestly, nothing really. I just thought it was funny. Imagine needing keys to simply check out the public gardens.

rcarmo4y ago

Not news. Ubuntu Server fetches user keys like this during setup.

s_m4y ago

what do you think "public" means

NickKampe4y ago

super useful when adding users keys

ppierald4y ago

Not a huge deal in and of itself? Good key management processes would have you rotate every so often. However, we probably have a lot/most/all of us that use the same SSH key for many systems and loss of that private key would be compromise of your Github account.

Have a unique username / password combination for each website, right? Same is true for Github and all other SSH systems.

Also, Github provides Security Key support if you want to go that route. SSH keys are really not that different than passwords, but they seem more complicated, so maybe they are?

j / k navigate · click thread line to collapse

17 comments

anjbe4y ago

ezfe4y ago

Well, they're public keys

cassianoleal4y ago

Yep, exactly. Why is this posted here?

TingPing4y ago

Neat feature I didn't know about.

detaro4y ago

fairly well known, also documented in the API: https://docs.github.com/en/rest/reference/users#list-public-...

zvr4y ago

If this is news to people, then: similar to https://github.com/${USER}.keys, there is https://github.com/${USER}.gpg that gets you to GPG key of a user.

Not sure how you can get more than one key, in any of these cases.

jonobird14y ago

Do you mind expanding on why this is important? As @ezfe says below, it's a public key.

scheubOP4y ago

nixpulvis4y ago

Funny, I was just trying to use Git for Windows the other day, and was completely unsuccessful without authentication, even just to pull a public repo.

Shit's fucked y'all.

selfhoster114y ago

You have to pull via HTTPS. SSH checkout is meant for project contributors, which is why IIRC it requires authentication even to pull the code.

nixpulvis4y ago

It triggers an oauth popup...

junon4y ago

What's this have to do with the keys API?

nixpulvis4y ago

Honestly, nothing really. I just thought it was funny. Imagine needing keys to simply check out the public gardens.

rcarmo4y ago

Not news. Ubuntu Server fetches user keys like this during setup.

s_m4y ago

what do you think "public" means

NickKampe4y ago

super useful when adding users keys

ppierald4y ago

Have a unique username / password combination for each website, right? Same is true for Github and all other SSH systems.

Also, Github provides Security Key support if you want to go that route. SSH keys are really not that different than passwords, but they seem more complicated, so maybe they are?

j / k navigate · click thread line to collapse