SSH public keys for any GitHub user (github.com)
9 points by scheub 1647 days ago
10 comments

One potentially interesting point of discussion here is to compare GitHub to PGP keyservers. Both provide a means of sharing someone’s keys with a wide audience. GitHub probably has gotten more people actively using SSH keys than are actively using PGP to encrypt or sign material.

Then there’s the more controversial possibility that with such a large userbase, SSH could encroach on what was traditionally PGP’s territory. Giving someone a new account with password “changeme” is already long obsolete. How about when SSH signatures become mainstream? https://mobile.twitter.com/damienmiller/status/1452796122250...

Well, they're public keys
Yep, exactly. Why is this posted here?
Neat feature I didn't know about.
Fairly well known, also documented in the API: https://docs.github.com/en/rest/reference/users#list-public-...

If you have your system set to automatically use said key, other SSH servers you connect to can tie that to your GitHub user, which technically is a privacy leak, but generally not a serious concern. But if you want to keep a GitHub (or other) account private, take care to give it a dedicated key and only have git/SSH use it when connecting to that specific site.

If this is news to people, then: similar to https://github.com/${USER}.keys, there is https://github.com/${USER}.gpg that gets you the GPG key of a user.

Not sure how you can get more than one key, in any of these cases.

Do you mind expanding on why this is important? As @ezfe says below, it's a public key.
It's not because I think it's exploitable in any way (it's not - public keys are public), but because it's a neat feature I found interesting that many people don't know about. It also has potential use cases, like automatically keeping a machine's authorized_keys up to date with members in a team, or skipping having to ask for someone's public key when sharing access.
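The authorized_keys use case mentioned above, as an added example that is not from the thread or from GitHub: it pulls each team member's `https://github.com/<user>.keys` text, validates every line strictly before it is copied into authorized_keys (only allowed key types, valid base64, and a wire-format blob whose embedded type name matches the declared one), de-duplicates, and tags each line with the login so a key can be traced back and removed later. The roster and the sample responses are constructed; the network fetcher is real urllib but the sample run does not call it.

```python
import base64
import struct
import urllib.request

KEYS_URL = "https://github.com/{user}.keys"
ALLOWED_TYPES = {"ssh-ed25519", "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ssh-rsa"}

def fetch_github_keys(user):
    """Fetch one login's raw .keys text (network; the sample run below does not call it)."""
    with urllib.request.urlopen(KEYS_URL.format(user=user), timeout=10) as resp:
        return resp.read().decode()

def parse_key_line(line):
    """Return (type, blob) for a well-formed public key line, else None."""
    # The text lands in authorized_keys, so a line that does not start with an allowed key type
    # (for example one carrying command="..." options) is rejected rather than copied through.
    parts = line.split(None, 2)
    if len(parts) < 2 or parts[0] not in ALLOWED_TYPES:
        return None
    ktype, blob = parts[0], parts[1]
    try:
        raw = base64.b64decode(blob, validate=True)
    except ValueError:
        return None
    # RFC 4253 wire format: the blob begins with a length-prefixed copy of the key type.
    if len(raw) < 4 or raw[4:4 + struct.unpack(">I", raw[:4])[0]] != ktype.encode():
        return None
    return ktype, blob

def build_authorized_keys(users, fetch=fetch_github_keys):
    """One validated, de-duplicated line per key, tagged with the GitHub login for later revocation."""
    seen, out = set(), []
    for user in users:
        for line in fetch(user).splitlines():
            key = parse_key_line(line)
            if key and key not in seen:
                seen.add(key)
                out.append(f"{key[0]} {key[1]} github:{user}")
    return "".join(f"{k}\n" for k in out)

# Constructed sample responses; the ed25519 blob carries all-zero key material, not a real key.
FAKE_ED25519 = "AAAAC3NzaC1lZDI1NTE5AAAAI" + "A" * 43
SAMPLE_RESPONSES = {
    "alice": f"ssh-ed25519 {FAKE_ED25519}\n",
    "bob": f"ssh-ed25519 {FAKE_ED25519}\n"  # same key as alice: de-duplicated
           f'command="/bin/true" ssh-ed25519 {FAKE_ED25519}\n'  # options smuggled in: dropped
           f"ssh-rsa {FAKE_ED25519}\n"  # declared type disagrees with the blob: dropped
           "ssh-ed25519 not-base64!\n",  # not base64: dropped
}
if __name__ == "__main__":
    print(build_authorized_keys(SAMPLE_RESPONSES, fetch=SAMPLE_RESPONSES.__getitem__), end="")
```

Against a real roster, call `build_authorized_keys(["alice", "bob"])` so the default urllib fetcher is used; the result is only as trustworthy as each member's GitHub account, so it should be written to authorized_keys from a job that itself runs over TLS to github.com and nowhere else.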
Funny, I was just trying to use Git for Windows the other day, and was completely unsuccessful without authentication, even just to pull a public repo.

Shit's fucked y'all.

You have to pull via HTTPS. SSH checkout is meant for project contributors, which is why IIRC it requires authentication even to pull the code.
It triggers an oauth popup...
What's this have to do with the keys API?
Honestly, nothing really. I just thought it was funny. Imagine needing keys to simply check out the public gardens.
Not news. Ubuntu Server fetches user keys like this during setup.
What do you think "public" means?
Super useful when adding users' keys.
Not a huge deal in and of itself? Good key management processes would have you rotate every so often. However, we probably have a lot/most/all of us that use the same SSH key for many systems and loss of that private key would be compromise of your Github account.

Have a unique username / password combination for each website, right? Same is true for Github and all other SSH systems.

Also, Github provides Security Key support if you want to go that route. SSH keys are really not that different than passwords, but they seem more complicated, so maybe they are?