I came across one neat site which uses a Golang wasm function, called from JavaScript on the page, to help you see if your GitHub public SSH keys are "safe". What does "safe" mean? This is what the function checks (via this site):
The recommended key sizes are as follows:
- For RSA algorithm at least 2048, recommended 4096
- The DSA algorithm should not be used
- For ECDSA algorithm it should be 521
- For the ED25519, the key size must be 256 or greater
The site also provides links to standards and guides to address the need for stronger keys.
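To make the four rules above concrete, here is a small stand-alone checker I added for this post; it is not code from the site or from the {pubcheck} package. It decodes the base64 blob of an OpenSSH public-key line using the SSH wire format (length-prefixed strings, RFC 4251/4253 style), derives the key size from the RSA modulus, the DSA prime, the ECDSA curve name, or the Ed25519 point length, and then applies exactly the thresholds listed on the page. The sample keys are constructed inline (structurally valid, not real key pairs); `fetch_github_keys` is an assumed helper that relies on GitHub serving a user's keys at `https://github.com/<user>.keys` and is not exercised offline.

```python
import base64
import struct
import urllib.request

# Thresholds copied from the post's list of what the site checks.
RSA_MIN, RSA_RECOMMENDED = 2048, 4096
ECDSA_REQUIRED = 521
ED25519_MIN = 256


def _read_string(blob, off):
    """Read one SSH wire-format string: 4-byte big-endian length, then that many bytes."""
    (n,) = struct.unpack(">I", blob[off:off + 4])
    return blob[off + 4:off + 4 + n], off + 4 + n


def _string(b):
    return struct.pack(">I", len(b)) + b


def _mpint(value):
    """Encode a non-negative int as an SSH mpint (leading 0x00 if the high bit is set)."""
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big") or b"\x00"
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return _string(raw)


def parse_pub_key(line):
    """Return (algo, bits) for one OpenSSH public-key line: '<type> <base64> [comment]'."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("not an OpenSSH public-key line")
    key_type, blob = parts[0], base64.b64decode(parts[1])
    wire_type, off = _read_string(blob, 0)
    if wire_type != key_type.encode():
        raise ValueError("wire type does not match the line's key type")
    if key_type == "ssh-rsa":
        _e, off = _read_string(blob, off)     # public exponent
        n, _ = _read_string(blob, off)        # modulus; its bit length is the key size
        return "RSA", int.from_bytes(n, "big").bit_length()
    if key_type == "ssh-dss":
        p, _ = _read_string(blob, off)        # prime p; q, g, y are not needed for the size
        return "DSA", int.from_bytes(p, "big").bit_length()
    if key_type.startswith("ecdsa-sha2-nistp"):
        curve, _ = _read_string(blob, off)    # e.g. b"nistp521"
        return "ECDSA", int(curve.decode()[len("nistp"):])
    if key_type == "ssh-ed25519":
        pk, _ = _read_string(blob, off)       # 32-byte public key
        return "ED25519", len(pk) * 8
    raise ValueError(f"unsupported key type {key_type}")


def check_key(line):
    """Apply the post's rules; returns (algo, bits, safe, status) like the package's table columns."""
    algo, bits = parse_pub_key(line)
    if algo == "RSA":
        ok, rule = bits >= RSA_MIN, f"For RSA algorithm at least {RSA_MIN}, recommended {RSA_RECOMMENDED}"
    elif algo == "DSA":
        ok, rule = False, "The DSA algorithm should not be used"
    elif algo == "ECDSA":
        ok, rule = bits == ECDSA_REQUIRED, f"For ECDSA algorithm it should be {ECDSA_REQUIRED}"
    else:
        ok, rule = bits >= ED25519_MIN, f"For the ED25519, the key size must be {ED25519_MIN} or greater"
    return algo, bits, ok, ("The key is safe; " if ok else "The key is NOT safe; ") + rule


def check_lines(text):
    """Check every non-blank, non-comment line of a .pub or authorized_keys-style text."""
    return [check_key(l) for l in text.splitlines() if l.strip() and not l.lstrip().startswith("#")]


def fetch_github_keys(user):
    """Assumed helper: GitHub serves a user's public keys as text at https://github.com/<user>.keys."""
    with urllib.request.urlopen(f"https://github.com/{user}.keys") as r:
        return r.read().decode()


def make_sample(key_type, *fields):
    """Constructed key line: structurally valid wire format, NOT a real key pair."""
    blob = _string(key_type.encode()) + b"".join(fields)
    return f"{key_type} {base64.b64encode(blob).decode()} constructed@example"


SAMPLES = {  # constructed inputs, one per rule on the page
    "rsa2048": make_sample("ssh-rsa", _mpint(65537), _mpint((1 << 2047) | 1)),
    "rsa1024": make_sample("ssh-rsa", _mpint(65537), _mpint((1 << 1023) | 1)),
    "dsa1024": make_sample("ssh-dss", _mpint(1 << 1023), _mpint(1 << 159), _mpint(2), _mpint(3)),
    "p256": make_sample("ecdsa-sha2-nistp256", _string(b"nistp256"), _string(b"\x04" + b"\x01" * 64)),
    "p521": make_sample("ecdsa-sha2-nistp521", _string(b"nistp521"), _string(b"\x04" + b"\x01" * 132)),
    "ed25519": make_sample("ssh-ed25519", _string(b"\x02" * 32)),
}

if __name__ == "__main__":
    for name, line in SAMPLES.items():
        algo, bits, ok, status = check_key(line)
        print(f"{name:8} {algo:8} {bits:5} {status}")
```

Feed `check_lines` the contents of `~/.ssh/id_rsa.pub` or the text returned by `fetch_github_keys("someuser")` to get the same algo / len / status triple the package prints. Note that the size check compares the wire type against the key type on the line, so a mislabelled or truncated key raises instead of silently passing.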
I threw together a small R package, {pubcheck}, to check local keys, keys in a character vector, and keys residing in GitHub. A function will even check the GitHub keys of all GitHub users followed by a given account:
Local file

```r
library(pubcheck)
library(tidyverse)

check_ssh_pub_key("~/.ssh/id_rsa.pub") |>
  mutate(key = ifelse(is.na(key), NA_character_, sprintf("%s…", substr(key, 1, 30)))) |>
  knitr::kable()
```

key | algo | len | status |
---|---|---|---|
ssh-rsa AAAAB3NzaC1yc2EAAAADAQ… | RSA | 2048 | The key is safe; For RSA algorithm at least 2048, recommended 4096 |
A GitHub user

```r
check_gh_user_keys(c("hrbrmstr", "mikemahoney218")) |>
  mutate(key = ifelse(is.na(key), NA_character_, sprintf("%s…", substr(key, 1, 30)))) |>
  knitr::kable()
```
Keys of all users followed by a GitHub account

```r
check_gh_following("koenrh") |>
  mutate(key = ifelse(is.na(key), NA_character_, sprintf("%s…", substr(key, 1, 30)))) |>
  knitr::kable()
```

user | key | algo | len | status |
---|---|---|---|---|
framer | NA | NA | NA | NA |
swear | ssh-rsa AAAAB3NzaC1yc2EAAAADAQ… | RSA | 2048 | |
How is it over there?
I processed the list of GitHub users I follow and got some interesting results:
```r
library(pubcheck)
library(hrbragg)
library(tidyverse)

# this takes a while as the # of users is > 500!
res <- check_gh_following("hrbrmstr")

res |>
  count(user) |>
  arrange(n) |>
  count(n, name = "n_users") |>
  mutate(csum = cumsum(n_users)) |>
  ggplot() +
  geom_line(
    aes(n, csum)
  ) +
  geom_point(
    aes(n, csum)
  ) +
  scale_x_continuous(breaks = 1:21) +
  scale_y_comma() +
  labs(
    x = "# Keys In User GH", y = "# Users",
    title = "Cumulative Plot Of User/Key Counts [n=522 users]",
    subtitle = "A handful of users have >=10 keys configured in GitHub; one has 21!!"
  ) +
  theme_cs(grid = "XY")

res |>
  count(algo, len, status) |>
  # "\n" puts the status text on its own line in the axis label
  mutate(kind = ifelse(is.na(status), "No SSH keys in account", sprintf("%s:%s\n%s", algo, len, status))) |>
  mutate(kind = fct_reorder(gsub("[;,]", "\n", kind), n, identity)) |>
  ggplot() +
  geom_col(
    aes(n, kind),
    width = 0.65,
    fill = "steelblue",
    color = NA
  ) +
  scale_x_comma(position = "top") +
  labs(
    x = NULL, y = NULL,
    title = "SSH Key Summary For GH Users hrbrmstr Is Following"
  ) +
  theme_cs(grid = "X") +
  theme(plot.title.position = "plot")
```
FIN
Whether you use the website or the R package, it would be a good idea to check your SSH keys at least once a year.
*** This is a syndicated blog from the Security Bloggers Network of rud.is written by hrbrmstr. Read the original post at: https://rud.is/b/2022/04/16/keeping-those-ssh-keys-safe/