Hacker News new | past | comments | ask | show | jobs | submit login

Even cooler, you can tell cloud-init to download your SSH keys from GitHub and drop them in the user's ~/.ssh/authorized_keys. Something like this IIRC:

    users:
      - name: foo
        ssh_authorized_keys: [gh:foo]



That was sarcasm, right? (Genuine question). 'cos that sounds like a bad idea to me, and if it's not a bad idea, I'd like to understand why.

Doesn't doing this mean you trust github implicitly?


I trust Github explicitly. Or in my case Gitlab, as that's where our code and our CI/CD is. I'll go even further and tell you that I'd trust the public key on Gitlab to be correct more than I'd trust the keys on my own hard drive to be correct. If I make a mistake in my opsec, and run for example a NPM package or Ruby gem or whatever outside of a container, I could have my keys compromised without me ever noticing. At least Gitlab will drop an e-mail in my inbox saying my key changed. Beyond that, I presume Gitlab is employing a security team that outclasses my little startup by orders of magnitude. If Gitlab gets hacked to the point where people's public keys get changed, that surely would be noticed very quickly.

Curious why you think it would be a bad idea to trust Github/Gitlab to warrant your identity.


Fair points. But git(hub|lab) has a much bigger target painted on their back.


It's not sarcasm. I only use this for hobby projects and I already put my source code and various secrets on GitHub so they could pwn my blog if they really wanted to whether or not I pull public keys from GH or bake them into my user-data.


Then this is bad advice in general because its specific to a low trust expectation. Would be sensible to note that in your comment.


it's not advice at all. they are just saying you can do it.


The parents comment style is inherently advice.


GitHub can alter the CODE. Why it should play with just a key? If GitHub wants to pwn the whole world, it can do it right now.


Well, github will already shut down repositories that contain words that they deem unacceptable. So they are doing it now...

https://news.ycombinator.com/item?id=9966118


GH specifically going out of their way to falsify keys of a user would be a much bigger breach of trust than just shutting down repos. They know ssh-import-id-gh is a thing and people use it.


Can't argue with that, except to say "because it's bad, lets make it worse" doesn't feel like a good rule of thumb.




Consider applying for YC's Fall 2025 batch! Applications are open till Aug 4

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: