
> cool since it allows verifying the signature without out of the band key delivery

Hope you do key selection sanitization instead of the default (nobody does). Otherwise you're accepting random keys you have lying around (like GitHub) when logging in to secret.example.com.

Using an SSH key used with GitHub for other purposes than GitHub is not a good practice (even if it's common).

https://github.com/dolmen/github-keygen

I’m confused. I make a unique private key for each machine I use. How is using that machine-specific key on multiple hosts insecure?

Your SSH public keys used on GitHub are very publicly exposed.

This information could be used by SSH servers you are connecting to. You might think you are connecting anonymously, while in fact your SSH client is sending your public key which could then be resolved to your GitHub account.

I don't get it. How do you end up with shell access on a machine you don't trust to know your identity?

Edit your .ssh/config.

Add one Host entry per domain.

At the end of the file, add one catch-all Host rule with IdentityFile /dev/null.

Otherwise you're sending default key names to all hosts.

...and you are not sending id_rsa.pub to every single place you add a key, like most guides suggest, right? Right?
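What the comment above describes, written out as an added example (not the commenter's own file): per-host entries with dedicated keys, followed by a catch-all that offers nothing to hosts that are not listed. The hostnames, usernames and key file names are assumed for illustration.

```sshconfig
# ~/.ssh/config (example; hostnames, users and key file names are assumed)

# One Host entry per service, each with its own dedicated key.
Host github.com
    User git
    IdentityFile ~/.ssh/id_ed25519_github
    IdentitiesOnly yes

Host secret.example.com
    User deploy
    IdentityFile ~/.ssh/id_ed25519_secret_example
    IdentitiesOnly yes

# Catch-all, placed last: ssh keeps the first value it obtains for most
# options, so the per-host entries above take precedence. IdentityFile
# is the exception and accumulates, so listed hosts still get their own
# key plus a harmless /dev/null; unlisted hosts get only /dev/null and
# therefore no key is offered to them at all.
Host *
    IdentityFile /dev/null
    IdentitiesOnly yes
```

Two points worth checking. `IdentitiesOnly yes` matters because without it ssh also offers every key loaded in ssh-agent, regardless of what IdentityFile says, so the catch-all alone does not stop the public-key leak the thread is about. To confirm what a given host would actually receive, run `ssh -G some.host.example | grep -i identityfile` to print the resolved configuration, or `ssh -v some.host.example` and look at the "Offering public key" lines during authentication.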

I would be interested in a comprehensive guide on "doing it right", or a link to a guide that suggests the right thing.

Already exists. "man sshconfig" or something.

Guides dumbing down things are the root of evil.

What do you mean?