by tracker1 77 days ago
I'm consistently amazed how many developers and security professionals don't have a clear understanding of how PPK even works conceptually.

Things like deploying dev keys to various production environments, instead of generating/registering them within said environment.

One of the worst recent security examples... You can't get this data over HTTPS from $OtherAgency, it's "not secure" ... then their suggestion is a "secure" read-only account to the other agency's SQL server (which uses the same TLS 1.3 as HTTPS). This is from the person in charge of digital security for a government org.

2 comments

Or when the security team at some other company emails you their private key.

LOL, yeah... had that happen quite a few times... Also, re-using the SSH server key for the client connecting to the SFTP server.

> Things like deploying dev keys to various production environments, instead of generating/registering them within said environment.

I can see this happening when a developer is authorized to generate, but not to register. So, they just reuse an already-registered one.

In the example, it wasn't even that complex... I have used patterns to register allowed signer keys based on environment variables that an application runs under, initializing at startup... so "register" just meant assigning the correct values for 2-4 environment variables per public signer allowed... and removing the dev signer. (JWT-based auth)
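The startup-time "register allowed signers via environment variables" pattern from the comment above, written out as an added example; this is not code from the thread or from any project it mentions. It assumes hypothetical variable names `APP_JWT_SIGNER_<n>_KID` / `APP_JWT_SIGNER_<n>_PUBKEY`, Ed25519 signers (JWT `alg` `EdDSA`), and a hand-rolled minimal JWT encoder using only the Go standard library rather than a JWT library. The point it demonstrates is that the production process only ever sees public keys, and a token from an unregistered dev key (even one that spoofs a production `kid`) is rejected.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"os"
	"strings"
)

// SignerRegistry maps a token's "kid" header to the registered public key.
// Only public keys live here; private keys never reach this process.
type SignerRegistry map[string]ed25519.PublicKey

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// LoadRegistryFromEnv reads APP_JWT_SIGNER_<n>_KID / APP_JWT_SIGNER_<n>_PUBKEY
// pairs (hypothetical names) for n = 1, 2, ... until the first gap.
// getenv is injected so the example can run against a constructed environment.
func LoadRegistryFromEnv(getenv func(string) string) (SignerRegistry, error) {
	reg := SignerRegistry{}
	for i := 1; ; i++ {
		kid := getenv(fmt.Sprintf("APP_JWT_SIGNER_%d_KID", i))
		raw := getenv(fmt.Sprintf("APP_JWT_SIGNER_%d_PUBKEY", i))
		if kid == "" || raw == "" {
			break
		}
		pub, err := base64.RawURLEncoding.DecodeString(raw)
		if err != nil || len(pub) != ed25519.PublicKeySize {
			return nil, fmt.Errorf("signer %d: malformed public key", i)
		}
		reg[kid] = ed25519.PublicKey(pub)
	}
	if len(reg) == 0 {
		return nil, errors.New("no signer keys registered; refusing to start")
	}
	return reg, nil
}

// Sign builds a compact JWT (header.payload.signature) with alg=EdDSA.
// This is what the token issuer does, on the side that holds the private key.
func Sign(priv ed25519.PrivateKey, kid string, claims map[string]any) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "EdDSA", "typ": "JWT", "kid": kid})
	body, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	signingInput := b64(hdr) + "." + b64(body)
	return signingInput + "." + b64(ed25519.Sign(priv, []byte(signingInput))), nil
}

// Verify checks a token against the registry: the alg is pinned (the token
// never chooses it), the kid must be registered, and the signature must verify.
func (r SignerRegistry) Verify(token string) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	hdrBytes, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return nil, err
	}
	var hdr struct{ Alg, Kid string }
	if err := json.Unmarshal(hdrBytes, &hdr); err != nil {
		return nil, err
	}
	if hdr.Alg != "EdDSA" {
		return nil, fmt.Errorf("unsupported alg %q", hdr.Alg)
	}
	pub, ok := r[hdr.Kid]
	if !ok {
		return nil, fmt.Errorf("unregistered signer kid %q", hdr.Kid)
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return nil, err
	}
	if !ed25519.Verify(pub, []byte(parts[0]+"."+parts[1]), sig) {
		return nil, errors.New("signature invalid")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var claims map[string]any
	if err := json.Unmarshal(payload, &claims); err != nil {
		return nil, err
	}
	return claims, nil
}

// DemoResult records the three outcomes the demo checks.
type DemoResult struct{ ProdAccepted, DevRejected, SpoofedKidRejected bool }

// Demo constructs a "production" environment that registers only the prod
// public key, then tries a prod token, a dev-key token, and a dev-key token
// that claims the prod kid.
func Demo() (DemoResult, error) {
	prodPub, prodPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, devPriv, _ := ed25519.GenerateKey(rand.Reader) // dev key; never registered in prod
	env := map[string]string{ // constructed environment for the example
		"APP_JWT_SIGNER_1_KID":    "prod-2024",
		"APP_JWT_SIGNER_1_PUBKEY": b64(prodPub),
	}
	reg, err := LoadRegistryFromEnv(func(k string) string { return env[k] })
	if err != nil {
		return DemoResult{}, err
	}
	claims := map[string]any{"sub": "svc-billing", "exp": 1900000000}
	prodTok, _ := Sign(prodPriv, "prod-2024", claims)
	devTok, _ := Sign(devPriv, "dev-laptop", claims)
	spoofTok, _ := Sign(devPriv, "prod-2024", claims)
	_, prodErr := reg.Verify(prodTok)
	_, devErr := reg.Verify(devTok)
	_, spoofErr := reg.Verify(spoofTok)
	return DemoResult{prodErr == nil, devErr != nil, spoofErr != nil}, nil
}

func main() {
	res, err := Demo()
	if err != nil {
		fmt.Println("startup error:", err)
		os.Exit(1)
	}
	fmt.Printf("prod accepted=%v dev rejected=%v spoofed-kid rejected=%v\n",
		res.ProdAccepted, res.DevRejected, res.SpoofedKidRejected)
}
```

Removing the dev signer from production is then a configuration change (drop its `_KID`/`_PUBKEY` pair and restart), not a code change, and the service refuses to start with an empty registry rather than silently accepting nothing or everything. Expiry and audience checks on the claims are left out to keep the example focused on signer registration.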