Keep those SSH keys safe

I came across a neat site that uses a Go (WebAssembly) function, called from JavaScript on the page, to help you see whether your GitHub public SSH keys are “safe”. What does “safe” mean? Here is what the function checks (as stated on that site):

The recommended key sizes are as follows:

  • For RSA algorithm at least 2048, recommended 4096
  • The DSA algorithm should not be used
  • For ECDSA algorithm it should be 521
  • For the ED25519, the key size must be 256 or greater

The site also provides links to standards and guides to address the need for stronger keys.
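As an added example (not the original post's code and not part of the {pubcheck} package), here is a Python script that applies those same rules directly to OpenSSH public-key lines. It base64-decodes the key blob, walks the SSH wire-format strings, derives the size the way such checkers do (RSA modulus bits, DSA prime bits, ECDSA curve size, Ed25519's fixed 32-byte key) and reports a status in the package's style. The function names are mine, and the sample keys are constructed from dummy numbers so the script runs offline; they are not real credentials.

```python
import base64
import struct

# The post's size rules, keyed by the algorithm name reported below.
RULES = {
    "RSA": "For RSA algorithm at least 2048, recommended 4096",
    "DSA": "The DSA algorithm should not be used",
    "ECDSA": "For ECDSA algorithm it should be 521",
    "ED25519": "For the ED25519, the key size must be 256 or greater",
}

def _read_string(blob, off):
    """Read one SSH wire-format string (4-byte big-endian length, then body)."""
    if off + 4 > len(blob):
        raise ValueError("truncated length field")
    (n,) = struct.unpack(">I", blob[off:off + 4])
    if off + 4 + n > len(blob):
        raise ValueError("truncated string body")
    return blob[off + 4:off + 4 + n], off + 4 + n

def parse_ssh_pubkey(line):
    """Parse an OpenSSH public-key line ('<type> <base64> [comment]') into (algo, bits)."""
    parts = line.strip().split()
    if len(parts) < 2:
        raise ValueError("not an OpenSSH public key line")
    blob = base64.b64decode(parts[1], validate=True)  # binascii.Error is a ValueError
    raw_type, off = _read_string(blob, 0)
    ktype = raw_type.decode("ascii")
    if ktype != parts[0]:
        raise ValueError("type prefix does not match encoded type")
    if ktype == "ssh-rsa":
        _e, off = _read_string(blob, off)  # public exponent, irrelevant to key size
        n, _ = _read_string(blob, off)     # modulus as an mpint; its bit length is the key size
        return "RSA", int.from_bytes(n, "big").bit_length()
    if ktype == "ssh-dss":
        p, _ = _read_string(blob, off)     # DSA prime p
        return "DSA", int.from_bytes(p, "big").bit_length()
    if ktype.startswith("ecdsa-sha2-nistp"):
        curve = _read_string(blob, off)[0].decode("ascii")
        if ktype != "ecdsa-sha2-" + curve:
            raise ValueError("curve name does not match key type")
        return "ECDSA", int(curve[len("nistp"):])  # size comes from the curve, e.g. nistp256
    if ktype == "ssh-ed25519":
        pk, _ = _read_string(blob, off)
        if len(pk) != 32:
            raise ValueError("Ed25519 public key must be 32 bytes")
        return "ED25519", 8 * len(pk)
    raise ValueError("unsupported key type: " + ktype)

def key_status(algo, bits):
    """Apply the post's rules; returns (safe, status text in the package's style)."""
    safe = {"RSA": bits >= 2048, "DSA": False, "ECDSA": bits == 521, "ED25519": bits >= 256}[algo]
    return safe, ("The key is safe; " if safe else "The key is NOT safe; ") + RULES[algo]

def check_key_lines(text):
    """Check one key per line (a .pub file, authorized_keys, or a github.com/<user>.keys listing)."""
    rows = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        try:
            algo, bits = parse_ssh_pubkey(line)
            safe, status = key_status(algo, bits)
        except ValueError as exc:  # malformed lines are reported, never silently skipped
            algo, bits, safe, status = None, None, False, "unparseable: " + str(exc)
        rows.append({"key": line[:30] + "...", "algo": algo, "len": bits, "safe": safe, "status": status})
    return rows

# --- constructed sample keys: dummy numbers in valid wire format, not real credentials ---
def _wire(b):
    return struct.pack(">I", len(b)) + b

def _mpint(n):
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return _wire(b"\x00" + raw if raw[0] & 0x80 else raw)  # mpint keeps the sign bit clear

def make_sample_key(ktype, bits=0):
    """Syntactically valid public-key line of the given type and (for RSA/DSA) modulus size."""
    if ktype == "ssh-rsa":
        blob = _wire(b"ssh-rsa") + _mpint(65537) + _mpint((1 << (bits - 1)) | 1)
    elif ktype == "ssh-dss":
        blob = _wire(b"ssh-dss") + _mpint((1 << (bits - 1)) | 1) + _mpint(1) * 3  # p, q, g, y
    elif ktype.startswith("ecdsa-sha2-nistp"):
        blob = _wire(ktype.encode()) + _wire(ktype[11:].encode()) + _wire(b"\x04" + b"\x01" * 64)
    else:  # ssh-ed25519
        blob = _wire(b"ssh-ed25519") + _wire(b"\x02" * 32)
    return f"{ktype} {base64.b64encode(blob).decode()} demo@example"

SAMPLE_KEYS = "\n".join([
    "# constructed demo keys, one per line, as github.com/<user>.keys lists them",
    make_sample_key("ssh-rsa", 2048),
    make_sample_key("ssh-rsa", 1024),
    make_sample_key("ssh-dss", 1024),
    make_sample_key("ecdsa-sha2-nistp256"),
    make_sample_key("ecdsa-sha2-nistp521"),
    make_sample_key("ssh-ed25519"),
    "ssh-rsa not!valid!base64 broken@example",
])

if __name__ == "__main__":
    for r in check_key_lines(SAMPLE_KEYS):
        print(r["algo"], r["len"], r["status"])
```

Run it as-is to see the seven verdicts, or pass the contents of a local .pub file or a saved `.keys` listing to check_key_lines. Note that an ECDSA key on nistp256 is reported as 256 bits and so fails the post's "should be 521" rule even though it is a perfectly well-formed key; that is the rule the site applies, not a parsing error.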

I threw together a small R package, {pubcheck}, to check local keys, keys in a character vector, and keys residing in GitHub. One function will even check the GitHub keys of every GitHub user a given account follows:

Local file

library(pubcheck)
library(tidyverse)

check_ssh_pub_key("~/.ssh/id_rsa.pub") |> 
  mutate(key = ifelse(is.na(key), NA_character_, sprintf("%s…", substr(key, 1, 30)))) |> 
  knitr::kable()
|key                            |algo | len|status                                                            |
|:------------------------------|:----|---:|:-----------------------------------------------------------------|
|ssh-rsa AAAAB3NzaC1yc2EAAAADAQ…|RSA  |2048|The key is safe; For RSA algorithm at least 2048, recommended 4096|

A GitHub user

check_gh_user_keys(c("hrbrmstr", "mikemahoney218")) |> 
  mutate(key = ifelse(is.na(key), NA_character_, sprintf("%s…", substr(key, 1, 30)))) |> 
  knitr::kable()

Keys of all users a GitHub account follows

check_gh_following("koenrh") |> 
  mutate(key = ifelse(is.na(key), NA_character_, sprintf("%s…", substr(key, 1, 30)))) |> 
  knitr::kable()
|user  |key                            |algo | len|status                                                            |
|:-----|:------------------------------|:----|---:|:-----------------------------------------------------------------|
|framer|N/A                            |N/A  | N/A|N/A                                                               |
|swear |ssh-rsa AAAAB3NzaC1yc2EAAAADAQ…|RSA  |2048|The key is safe; For RSA algorithm at least 2048, recommended 4096|

How is it over there?

I ran it over the list of GitHub users I follow and got some interesting results:

library(pubcheck)
library(hrbragg)
library(tidyverse)

# this takes a while as the # of users is > 500!
res <- check_gh_following("hrbrmstr")

res |> 
  count(user) |> 
  arrange(n) |> 
  count(n, name = "n_users") |> 
  mutate(csum = cumsum(n_users)) |> 
  ggplot() +
  geom_line(
    aes(n, csum)
  ) +
  geom_point(
    aes(n, csum)
  ) + 
  scale_x_continuous(breaks = 1:21) +
  scale_y_comma() +
  labs(
    x = "# Keys In User GH", y = "# Users",
    title = "Cumulative Plot Of User/Key Counts [n=522 users]",
    subtitle = "A handful of users have >=10 keys configured in GitHub; one has 21!!"
  ) +
  theme_cs(grid="XY")

res |> 
  count(algo, len, status) |> 
  mutate(kind = ifelse(is.na(status), "No SSH keys in account", sprintf("%s:%s\n%s", algo, len, status))) |> 
  mutate(kind = fct_reorder(gsub("[;,]", "\n", kind), n, identity)) |> 
  ggplot() +
  geom_col(
    aes(n, kind),
    width = 0.65, 
    fill = "steelblue", 
    color = NA
  ) +
  scale_x_comma(position = "top") +
  labs(
    x = NULL, y = NULL,
    title = "SSH Key Summary For GH Users hrbrmstr Is Following"
  ) +
  theme_cs(grid="X") +
  theme(plot.title.position = "plot")

FIN

Whether you use the website or the R package, it would be a good idea to check your SSH keys at least once a year.

*** This is a syndicated blog post from the Security Bloggers Network, originally published on rud.is and written by hrbrmstr. Read the original post at: https://rud.is/b/2022/04/16/keeping-those-ssh-keys-safe/
