Obtain a GitHub user's public keys (opens in new tab)

(github.com)

57 pointskentwistle11y ago28 comments

28 comments

I use it to set user access to my company's servers with ansible automatically. I just have to set a list of github usernames and it generates a list of users with their ssh key access setup !

1 more reply

kentwistleOP11y ago

Found out about this today, you can prepend any GitHub username with .keys to fetch their public keys.

voltagex_11y ago

What can this be used for? I'd love to display my GPG key there instead but I guess that's not possible.

stedaniels11y ago

Have you seen https://keybase.io/ that's an ideal place for your GPG keys (and more) :-)

1 more reply

riffraff11y ago

as an alternative to ssh-copy-id ?

1 more reply

joe_inferno11y ago

you mean you can append any GitHub username

intull11y ago

Is this supposed to be okay? I mean, even though they are public keys, its not like I really want them to be _that_ public!

octo_t11y ago

Whats the harm? At most, people can encrypt things with your public key and then...?

stared11y ago

For example they can identify my different accounts, when I sue the same key.

1 more reply

thu11y ago

I'd say that at most it forces you a bit more (if that was necessary) to check the SSH fingerprint of the machines you're SSHing into.

Perseids11y ago

I also view this as information leakage. I keep some of my online pseudonyms completely separated, and stuff like that allows people to link them together, if I was not careful enough to use a separate ssh key.

mixologic11y ago

Seems like this would be a good way to frame somebody else. Hack into a server, do some damage/steal files, and drop somebody elses public key on the server.

"But I didnt do it!" - Then why was your key on the server?

kordless11y ago

Because public keys are somewhat publicly available information?

rlpb11y ago

Something similar has been available on Launchpad for years. There's a tool called "ssh-import-id". If I want to give you access to an Ubuntu server, I might type "ssh-import-id kentwistle". This would fetch public keys that the kentwistle user on Launchpad has published over HTTPS and then add them to ~/.ssh/authorized_keys.

I don't think there's any reason that ssh-import-id needs to be Launchpad-specific.

akerl_11y ago

It's worth noting that this shows only "verified" keys, which are keys that have been added to the account and used at least once.

lloeki11y ago

Github leverages such content-type negotiation for other resources too: add .diff or .patch to commits or pull requests. There's a way to get git am compatible data too.

drunken_thor11y ago

I am glad my email doesn't show up in there.

AYBABTME11y ago

It does: https://github.com/aybabtme/gol/commit/37ebaf91f312705e0f96f...

j / k navigate · click thread line to collapse

28 comments

robinricard11y ago

I use it to set user access to my company's servers with ansible automatically. I just have to set a list of github usernames and it generates a list of users with their ssh key access setup !

1 more reply

kentwistleOP11y ago

Found out about this today, you can prepend any GitHub username with .keys to fetch their public keys.

voltagex_11y ago

What can this be used for? I'd love to display my GPG key there instead but I guess that's not possible.

stedaniels11y ago

Have you seen https://keybase.io/ that's an ideal place for your GPG keys (and more) :-)

1 more reply

riffraff11y ago

as an alternative to ssh-copy-id ?

1 more reply

joe_inferno11y ago

you mean you can append any GitHub username

intull11y ago

Is this supposed to be okay? I mean, even though they are public keys, its not like I really want them to be _that_ public!

octo_t11y ago

Whats the harm? At most, people can encrypt things with your public key and then...?

stared11y ago

For example they can identify my different accounts, when I sue the same key.

1 more reply

thu11y ago

I'd say that at most it forces you a bit more (if that was necessary) to check the SSH fingerprint of the machines you're SSHing into.

Perseids11y ago

mixologic11y ago

Seems like this would be a good way to frame somebody else. Hack into a server, do some damage/steal files, and drop somebody elses public key on the server.

"But I didnt do it!" - Then why was your key on the server?

kordless11y ago

Because public keys are somewhat publicly available information?

rlpb11y ago

I don't think there's any reason that ssh-import-id needs to be Launchpad-specific.

akerl_11y ago

It's worth noting that this shows only "verified" keys, which are keys that have been added to the account and used at least once.

lloeki11y ago

Github leverages such content-type negotiation for other resources too: add .diff or .patch to commits or pull requests. There's a way to get git am compatible data too.

drunken_thor11y ago

I am glad my email doesn't show up in there.

AYBABTME11y ago

It does: https://github.com/aybabtme/gol/commit/37ebaf91f312705e0f96f...

j / k navigate · click thread line to collapse