GitHub and Gitlab exposes all user's public SSH keys (2019)

1 pointsweastur3y ago3 comments

Pretty unsafe, I think. And you can't turn it off. https://rushter.com/blog/public-ssh-keys/

Links to APIs:

https://docs.github.com/en/rest/reference/users#list-public-keys-for-a-user

https://docs.gitlab.com/ee/api/users.html#list-ssh-keys-for-user

3 comments

dossy3y ago

By definition, the public key is _public_, there's no real risk in publishing them.

version_five3y ago

The article (2 years old) explains you could get someone's public keys from github and then compare them with other public keys (they mention on ssh servers) to see if a person is using the same key elsewhere.

The argument boils down to the fact that ssh will also give you a list of valid public keys.

It doesn't seem very critical to me, and anyone who is worried could just use a different key for github which is good practice anyway imo

miohtama3y ago

Public key, by definition, is public. Exposing something that’s public can do very little harm.

Here is more discussion:

https://security.stackexchange.com/questions/150540/is-it-co...

j / k navigate · click thread line to collapse