I came across a neat site that uses a Golang wasm function called from javascript on the page to help you see if your GitHub public SSH keys are “safe”. What does “safe” mean? This is what the function checks for (via that site):
Recommended key sizes are as follows:
- For the RSA algorithm at least 2048, recommended 4096
- The DSA algorithm should not be used
- For the ECDSA algorithm, it should be 521
- For the ED25519, the key size should be 256 or larger
The site also provides links to standards and guides to support the need for stronger keys.
I threw together a small R package — {pubcheck} — to check local keys, keys in a character vector, and keys residing in GitHub. One function will even check the GitHub keys of all the GitHub users a given account is following:
Local file
library(pubcheck)
library(tidyverse)
check_ssh_pub_key("~/.ssh/id_rsa.pub") |>
mutate(key = ifelse(is.na(key), NA_character_, sprintf("%s…", substr(key, 1, 30)))) |>
knitr::kable()
| key | algo | len | status |
|---|---|---|---|
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQ… | rsa | 2048 | ✅ Key is safe; For the RSA algorithm at least 2048, recommended 4096 |
A GitHub user
check_gh_user_keys(c("hrbrmstr", "mikemahoney218")) |>
mutate(key = ifelse(is.na(key), NA_character_, sprintf("%s…", substr(key, 1, 30)))) |>
knitr::kable()
| user | key | algo | len | status |
|---|---|---|---|---|
| hrbrmstr | ssh-rsa AAAAB3NzaC1yc2EAAAADAQ… | rsa | 2048 | ✅ Key is safe; For the RSA algorithm at least 2048, recommended 4096 |
| hrbrmstr | ssh-rsa AAAAB3NzaC1yc2EAAAADAQ… | rsa | 2048 | ✅ Key is safe; For the RSA algorithm at least 2048, recommended 4096 |
| hrbrmstr | ssh-rsa AAAAB3NzaC1yc2EAAAADAQ… | rsa | 2048 | ✅ Key is safe; For the RSA algorithm at least 2048, recommended 4096 |
| mikemahoney218 | ssh-rsa AAAAB3NzaC1yc2EAAAADAQ… | rsa | 4096 | ✅ Key is safe |
| mikemahoney218 | ssh-ed25519 AAAAC3NzaC1lZDI1NT… | ed25519 | 256 | ✅ Key is safe |
| mikemahoney218 | ssh-ed25519 AAAAC3NzaC1lZDI1NT… | ed25519 | 256 | ✅ Key is safe |
| mikemahoney218 | ssh-ed25519 AAAAC3NzaC1lZDI1NT… | ed25519 | 256 | ✅ Key is safe |
Keys of all the users a GitHub account is following
check_gh_following("koenrh") |>
mutate(key = ifelse(is.na(key), NA_character_, sprintf("%s…", substr(key, 1, 30)))) |>
knitr::kable()
| user | key | algo | len | status |
|---|---|---|---|---|
| framer | NA | NA | NA | NA |
| jurre | ssh-rsa AAAAB3NzaC1yc2EAAAADAQ… | rsa | 2048 | ✅ Key is safe; For the RSA algorithm at least 2048, recommended 4096 |
What’s it like out there?
I processed my followers list and had some interesting results:
library(pubcheck)
library(hrbragg)
library(tidyverse)
# this takes a while as the # of users is > 500!
res <- check_gh_following("hrbrmstr")
res |>
count(user) |>
arrange(n) |>
count(n, name = "n_users") |>
mutate(csum = cumsum(n_users)) |>
ggplot() +
geom_line(
aes(n, csum)
) +
geom_point(
aes(n, csum)
) +
scale_x_continuous(breaks = 1:21) +
scale_y_comma() +
labs(
x = "# Keys In User GH", y = "# Users",
title = "Cumulative Plot Of User/Key Counts [n=522 users]",
subtitle = "A handful of users have >=10 keys configured in GitHub; one has 21!!"
) +
theme_cs(grid="XY")
res |>
count(algo, len, status) |>
mutate(kind = ifelse(is.na(status), "No SSH keys in account", sprintf("%s:%s\n%s", algo, len, status))) |>
mutate(kind = fct_reorder(gsub("[;,]", "\n", kind), n, identity)) |>
ggplot() +
geom_col(
aes(n, kind),
width = 0.65,
fill = "steelblue",
color = NA
) +
scale_x_comma(position = "top") +
labs(
x = NULL, y = NULL,
title = "SSH Key Summary For GH Users hrbrmstr Is Following"
) +
theme_cs(grid="X") +
theme(plot.title.position = "plot")
FIN
Whether you use the website or the R package, it’d be a good idea to check on your SSH keys at least annually.
4 Trackbacks/Pingbacks
[…] *** This can be a Safety Bloggers Community syndicated weblog from rud.is authored by hrbrmstr. Learn the unique publish at: https://rud.is/b/2022/04/16/keeping-those-ssh-keys-safe/ […]
[…] I came across a neat site that uses a Golang wasm function called from javascript on the page to help you see if your GitHub public SSH keys are “safe”. What does “safe” mean? This is what the function checks for (via that site): Recommended key sizes are as follows: For the RSA algorithm at… Continue reading → […]
[…] *** This can be a Safety Bloggers Community syndicated weblog from rud.is authored by hrbrmstr. Learn the unique publish at: https://rud.is/b/2022/04/16/keeping-those-ssh-keys-safe/ […]
[…] article was first published on R – rud.is, and kindly contributed to R-bloggers]. (You can report issue about the content on this page here) […]