Obtain a GitHub user's public keys (github.com)
57 points by kentwistle 4384 days ago
8 comments

I use it to set user access to my company's servers with ansible automatically. I just have to set a list of github usernames and it generates a list of users with their ssh key access set up!
Found out about this today, you can prepend any GitHub username with .keys to fetch their public keys.
What can this be used for? I'd love to display my GPG key there instead but I guess that's not possible.
Have you seen https://keybase.io/ that's an ideal place for your GPG keys (and more) :-)
I can't tell if it's finished yet:

> Keybase will be a public directory of publicly auditable public keys.

Nor do I understand why I'd use it. Do lots of people post GPG encrypted messages to each other on gist?

It's an attempt to solve the key distribution problem. By having you verify your keys on third party sites, a MITM or NSL attack (providing you with fake keys so your messages can be intercepted) gets a lot harder as you have to attack n sites simultaneously instead of one.
as an alternative to ssh-copy-id ?
Yep, and there is already an existing tool, which currently supports GitHub as well as Launchpad.

http://manpages.ubuntu.com/manpages/trusty/en/man1/ssh-impor... https://launchpad.net/ssh-import-id

you mean you can append any GitHub username
Is this supposed to be okay? I mean, even though they are public keys, it's not like I really want them to be _that_ public!
What's the harm? At most, people can encrypt things with your public key and then...?
For example they can identify my different accounts, when I use the same key.
Last time I tried to use the same public key for a second account, GitHub refused.
I'd say that at most it forces you a bit more (if that was necessary) to check the SSH fingerprint of the machines you're SSHing into.
I also view this as information leakage. I keep some of my online pseudonyms completely separated, and stuff like that allows people to link them together, if I was not careful enough to use a separate ssh key.
Seems like this would be a good way to frame somebody else. Hack into a server, do some damage/steal files, and drop somebody else's public key on the server.

"But I didn't do it!" - Then why was your key on the server?

Because public keys are somewhat publicly available information?
Something similar has been available on Launchpad for years. There's a tool called "ssh-import-id". If I want to give you access to an Ubuntu server, I might type "ssh-import-id kentwistle". This would fetch public keys that the kentwistle user on Launchpad has published over HTTPS and then add them to ~/.ssh/authorized_keys.

I don't think there's any reason that ssh-import-id needs to be Launchpad-specific.
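The workflow described in the thread (fetch `https://github.com/<username>.keys`, then append the result to `~/.ssh/authorized_keys` the way `ssh-import-id` does for Launchpad) is small enough to show end to end. The script below is an added example written for this page; it is not GitHub's, ssh-import-id's or any commenter's code. It validates each returned line before trusting it (known key type, well-formed base64, and the type string inside the key blob matching the type on the line), tags every imported key with a comment so a later run can replace or remove that user's keys cleanly, and never touches the disk itself. The username pattern is an assumption about GitHub's rules, and the sample response is constructed, not real key material.

```python
"""Import a GitHub user's published SSH keys into an authorized_keys file.

Added example for this thread, not GitHub's or ssh-import-id's code.
"""
import base64
import binascii
import re
import sys
import urllib.request
from typing import List

# Key types we are willing to put into authorized_keys; anything else is dropped.
ALLOWED_TYPES = {
    "ssh-ed25519",
    "ssh-rsa",
    "ecdsa-sha2-nistp256",
    "ecdsa-sha2-nistp384",
    "ecdsa-sha2-nistp521",
    "sk-ssh-ed25519@openssh.com",
    "sk-ecdsa-sha2-nistp256@openssh.com",
}

# Assumption: GitHub logins are alphanumerics and hyphens, at most 39 characters.
# The check mostly keeps path tricks out of the URL we build below.
USERNAME_RE = re.compile(r"^[A-Za-z0-9-]{1,39}$")


def fetch_keys(username: str) -> str:
    """Download the text GitHub serves at https://github.com/<username>.keys."""
    if not USERNAME_RE.match(username):
        raise ValueError(f"refusing suspicious username: {username!r}")
    url = f"https://github.com/{username}.keys"
    with urllib.request.urlopen(url, timeout=10) as resp:  # HTTPS: trust is in the TLS chain
        return resp.read().decode("utf-8")


def parse_keys(text: str) -> List[str]:
    """Return only the lines that look like genuine OpenSSH public keys."""
    keys = []
    for raw in text.splitlines():
        parts = raw.split()
        if len(parts) < 2 or parts[0] not in ALLOWED_TYPES:
            continue  # blank line, comment, or a key type we do not accept
        try:
            blob = base64.b64decode(parts[1], validate=True)
        except (binascii.Error, ValueError):
            continue  # not base64 at all
        # The wire format starts with a length-prefixed type string; it must
        # agree with the type given on the line, otherwise the line is malformed.
        n = int.from_bytes(blob[:4], "big")
        if blob[4:4 + n] != parts[0].encode():
            continue
        keys.append(f"{parts[0]} {parts[1]}")
    return keys


def merge_authorized_keys(existing: str, keys: List[str], username: str) -> str:
    """Replace the keys previously imported for `username`, keep everything else.

    Imported lines carry the comment `github:<username>`; on re-run those lines
    are dropped first, so keys the user removed on GitHub disappear here too.
    """
    tag = f"github:{username}"
    kept = [line for line in existing.splitlines() if not line.endswith(" " + tag)]
    managed = [f"{key} {tag}" for key in keys]
    return "\n".join(kept + managed) + "\n"


def _sample_ed25519() -> str:
    # Constructed all-zero 32-byte ed25519 key in OpenSSH wire format (not a real key).
    blob = b"\x00\x00\x00\x0bssh-ed25519" + b"\x00\x00\x00\x20" + bytes(32)
    return "ssh-ed25519 " + base64.b64encode(blob).decode()


# Constructed stand-in for a .keys response: one good key and three lines that
# must be rejected (unsupported type, bad base64, type/blob mismatch).
SAMPLE_RESPONSE = "\n".join([
    _sample_ed25519(),
    "ssh-dss AAAAB3NzaC1kc3MAAACB",
    "ssh-rsa not*valid*base64",
    "ssh-rsa " + _sample_ed25519().split()[1],
    "",
])


if __name__ == "__main__":
    # Usage: python import_keys.py <github-user>   (no argument: use the sample)
    user = sys.argv[1] if len(sys.argv) > 1 else ""
    text = fetch_keys(user) if user else SAMPLE_RESPONSE
    print(merge_authorized_keys("", parse_keys(user and text or SAMPLE_RESPONSE), user or "sample"), end="")
```

Run with no argument to see the constructed sample filtered down to its single valid key; with a username it fetches live and prints what you would write to `authorized_keys`. The comment tag is what makes the import reversible: removing a departed user is a matter of dropping the lines ending in their `github:` tag, which is the same property the thread's ansible setup relies on.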

It's worth noting that this shows only "verified" keys, which are keys that have been added to the account and used at least once.
Github leverages such content-type negotiation for other resources too: add .diff or .patch to commits or pull requests. There's a way to get git am compatible data too.
I am glad my email doesn't show up in there.