Comment by walrus01

7 days ago

Ever hired someone who, when you ask them to send you an ssh key for access to something, sends you their private key? Yeah, that's happened more than once.

Who's sending ssh keys around anymore? Just get theirs off gitHub.com/username.keys and shove it in their user account.

http://gitHub.com/fragmede.keys, for example. Stick that in authorized_keys to let me into your server.

  • this touches two pieces of my knowledge:

        - microsoft is evil, I cannot delete my github account, will never use anything by this company
        - if the attacker knows your *public* key they can enumerate the list of the servers you have access to https://github.com/benjojo/ssh-key-confirmer

  • Not everyone works in a field where the developers or engineers have public github accounts or publish their profile of things like ssh keys for the world to read.