by fxtentacle 1265 days ago
Today I learned that GitHub keeps a publicly accessible list of all pubkeys linked to each user's account.
4 comments

Seems questionable on GitHub's part to have .keys public by default; why not allow people to opt in, e.g. a keybase.io equivalent?

Yes, I get that it's not sensitive information, but as this demo demonstrates it can fingerprint people who might be unaware of this quirk of SSH coupled with this part of the GitHub API.

If you are SSH'ing into a server you should expect to get fingerprinted.
If we are going to stretch "fingerprinting" to authentication, then yes, but fingerprinting here has a very specific meaning.

When I SSH into a server, I want to be "fingerprinted" as far as I share; any device fingerprinting allowed by SSH is a security risk to the client.

https://en.wikipedia.org/wiki/Device_fingerprint

There is a big difference between being fingerprinted by the server that I am trying to log into and sharing (part of) that fingerprint publicly.
You can't even opt out of it as far as I can tell.
Ubuntu Server's installer allows you to import it as the authorized_keys for the new user.
Cloud-init as well. The CLI utility you can use is ssh-import-id.

    ssh-import-id gh:$USERNAME
Which is the tool that Ubuntu uses!
While it's not necessarily feeling great, it's called public for a reason. If anything it should be an incentive to add a passphrase to one's keys.
It can be served up over HTTP too, given the username: https://github.com/${username}.keys

Age (the author's file encryption tool) can make use of this when encrypting a file to send to someone.

Also your PGP key under https://github.com/${username}.gpg
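A small audit script, added here and not from any comment in this thread: it computes the same SHA256 fingerprints that `ssh-keygen -lf` prints for a saved copy of https://github.com/${username}.keys and reports which entries of a local authorized_keys are also publicly linked to the GitHub account. The sample key lines are constructed placeholders (valid ssh-ed25519 wire format around dummy bytes, not real keys), standing in for the fetched .keys text and a real authorized_keys file.

```python
import base64
import hashlib
import struct

# Key-type prefixes OpenSSH accepts in authorized_keys and in GitHub's *.keys output.
KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ecdsa-sha2-", "sk-ssh-ed25519", "sk-ecdsa-sha2-")

def split_key_line(line):
    """Return (key type, base64 blob), tolerating a leading options field such as "no-pty"; None for blanks/comments."""
    tokens = line.split()
    for i, tok in enumerate(tokens[:-1]):
        if tok.startswith(KEY_TYPES):
            return tok, tokens[i + 1]
    return None

def ssh_fingerprint(line):
    """SHA256 fingerprint as `ssh-keygen -lf` prints it: unpadded base64 of SHA-256 over the decoded blob."""
    found = split_key_line(line)
    if found is None:
        raise ValueError("not a public key line")
    blob = base64.b64decode(found[1], validate=True)
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def audit_authorized_keys(authorized_keys, published_keys):
    """(fingerprint, line) for each local entry whose fingerprint also appears in the published .keys text."""
    published = {ssh_fingerprint(l) for l in published_keys.splitlines() if split_key_line(l)}
    return [(ssh_fingerprint(l), l) for l in authorized_keys.splitlines()
            if split_key_line(l) and ssh_fingerprint(l) in published]

def _ssh_string(data):
    return struct.pack(">I", len(data)) + data

def constructed_ed25519_line(seed, comment=""):
    """Constructed sample: correct ssh-ed25519 wire format around 32 placeholder bytes (NOT a real key),
    so fingerprinting behaves exactly as on a real line while nothing here can authenticate."""
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes([seed]) * 32)
    return " ".join(t for t in ("ssh-ed25519", base64.b64encode(blob).decode(), comment) if t)

# Constructed stand-ins for https://github.com/${username}.keys (no comments) and ~/.ssh/authorized_keys.
GITHUB_KEYS = "\n".join([constructed_ed25519_line(1), constructed_ed25519_line(2)])
AUTHORIZED_KEYS = "\n".join([
    "# constructed sample authorized_keys",
    constructed_ed25519_line(2, "laptop"),             # also published on GitHub
    "no-pty " + constructed_ed25519_line(3, "deploy"),  # local only
])

if __name__ == "__main__":
    for fp, line in audit_authorized_keys(AUTHORIZED_KEYS, GITHUB_KEYS):
        print(f"{fp}  publicly linked via GitHub: {line.split()[-1]}")
```

Run against real input with `curl -s https://github.com/${username}.keys` saved to a file and `~/.ssh/authorized_keys` read into the two strings; the fingerprints match what `ssh-keygen -lf` reports for the same lines.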