GitHub and Gitlab exposes all user's public SSH keys (2019)

1 points by weastur ↗ HN
Pretty unsafe, I think. And you can't turn it off. https://rushter.com/blog/public-ssh-keys/

Links to APIs:

https://docs.github.com/en/rest/reference/users#list-public-keys-for-a-user

https://docs.gitlab.com/ee/api/users.html#list-ssh-keys-for-user

5 comments

[ 2.5 ms ] story [ 17.7 ms ] thread
By definition, the public key is _public_, there's no real risk in publishing them.
(comment deleted)
The article (2 years old) explains you could get someone's public keys from github and then compare them with other public keys (they mention on ssh servers) to see if a person is using the same key elsewhere.

The argument boils down to the fact that ssh will also give you a list of valid public keys.

It doesn't seem very critical to me, and anyone who is worried could just use a different key for github which is good practice anyway imo

(comment deleted)