by swiley 2528 days ago
Is anyone else bothered by how they were handling ssh keys in the example?

The whole point of public keys is that the private key never has to leave the box it’s generated on. Once you go sharing them you might as well just use a random passphrase.


Yes, very much so. In addition, stop using RSA[0] and use ed25519 with `ssh-keygen -t ed25519`

[0]: https://blog.trailofbits.com/2019/07/08/fuck-rsa/

Because Jenkins has its own ssh client, that wasn't supported as of last year with elliptic-curve-based keys, and I had to re-launch a bunch of servers in production to downgrade back to RSA or DSA keys because they were basically the only key types that Jenkins supported. Really not sure why Jenkins had to go this far to re-invent a cryptographic wheel (besides the usual "support both Windows and Linux" angle).
Unless you're using a hardware token via gpg-agent. In that case RSA is the only way most of the time.
Yeah, hopefully when FIPS 140-3 finishes we'll start seeing hardware tokens that can do elliptic curves.
Yeah, at our company things are done in the reverse of that script: the user generates their SSH keys, and there's a process they use to register the public key with the rest of the system.
I sometimes use GitHub for this. A developer's most up-to-date keychain is probably their GitHub account, so granting them access is as simple as

    curl -Ls github.com/turbo.keys >> ~/.ssh/authorized_keys
Simplified of course. A script is usually used to revoke that access shortly after. Plus 2FA SSH.
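As an added example (not code from the thread or from GitHub): the grant-then-revoke flow described above as a POSIX sh script, with a key-type allow-list, de-duplication, and a marker comment so a later revocation removes exactly what was granted. The network fetch is replaced by constructed sample `.keys` output with placeholder key material; the function names and the `github:USER` marker are my own choices.

```shell
#!/bin/sh
# Added example, not from the thread: import a GitHub user's PUBLIC keys into
# authorized_keys with an allow-list, de-duplication and a revocation marker.
# Only public keys move; the private key stays on the developer's machine.
# Offline stand-in for `curl -Ls "https://github.com/$user.keys"`: constructed
# sample output with placeholder key material (not real keys).
SAMPLE_KEYS='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEY1
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQPLACEHOLDERKEY2
not-a-key garbage'

# Key types to accept; add ssh-rsa only if hardware tokens force it.
ALLOWED_TYPES=${ALLOWED_TYPES:-"ssh-ed25519 sk-ssh-ed25519@openssh.com"}

# stdin: raw .keys output; stdout: "type base64" lines of allowed types only.
filter_keys() {
  awk -v allowed="$1" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    NF >= 2 && ($1 in ok) && $2 ~ /^[A-Za-z0-9+\/]+=*$/ { print $1, $2 }'
}

# grant_keys USER AUTHORIZED_KEYS_FILE (keys on stdin)
# Appends each new key tagged "github:USER"; re-running is idempotent.
grant_keys() {
  user=$1; auth=$2
  touch "$auth"
  filter_keys "$ALLOWED_TYPES" | while IFS= read -r key; do
    grep -qF -- "$key" "$auth" || printf '%s github:%s\n' "$key" "$user" >> "$auth"
  done
}

# revoke_keys USER AUTHORIZED_KEYS_FILE: drop every line granted for USER.
revoke_keys() {
  user=$1; auth=$2
  tmp=$(mktemp) || return 1
  grep -v -- " github:$user\$" "$auth" > "$tmp" || true  # grep -v exits 1 on empty result
  cat "$tmp" > "$auth"  # rewrite in place, keeping the file's mode and ownership
  rm -f "$tmp"
}

# count_granted USER AUTHORIZED_KEYS_FILE: how many lines carry USER's marker.
count_granted() {
  grep -c -- " github:$1\$" "$2" 2>/dev/null || true
}

# Stand-alone demo on a scratch file.
DEMO=$(mktemp)
printf '%s\n' "$SAMPLE_KEYS" | grant_keys turbo "$DEMO"
echo "granted: $(count_granted turbo "$DEMO")"; cat "$DEMO"
revoke_keys turbo "$DEMO"; echo "after revoke: $(count_granted turbo "$DEMO")"
rm -f "$DEMO"
```

With the default allow-list the RSA and junk lines are dropped, and a second run adds nothing.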
Gitlab also has a keys URL, but I can’t say if it’s available for unauthorized clients from the top of my head (currently on mobile). For me it’s usually the fastest way to authorize other team members.
I had no idea about github.com/$USER.keys. That's handy as hell.
Huh, never occurred to me to do it this way.
As a user, I wouldn’t trust any private key that I didn’t personally generate.

If an IT guy sent me “here’s your new private key”, even through 1Password, I’d say “no thanks.”