715

GitHub auth (lemmy.world)

submitted 1 week ago by skepller@lemmy.world to c/programmer_humor@programming.dev

80 comments fedilink hide all child comments

you are viewing a single comment's thread
view the rest of the comments

[-] ramjambamalam@lemmy.ca 73 points 1 week ago

I think this post is about git CLI, not www.github.com.

SSH keys are very secure and you can still encrypt them with a password if you wish.

[-] jonjuan@programming.dev 47 points 1 week ago

encrypt them with a password if you wish.

SSH keys without passphrases are just fancy credential files sitting in your .ssh/ directory, basically like writing your passwords on paper and leaving it in your desk drawer.

[-] Sasquatch@lemmy.ml 15 points 1 week ago

Yeah, but who wants to type in a password everytime they push/pull?

[-] LedgeDrop@lemmy.zip 44 points 1 week ago

Take a look at ssh-agent. It's bundled with ssh-client and designed to solve this problem.

The quick usage is, create a terminal and run:

eval `ssh-agent`
ssh-add /path/to/your/encrypted/key1
#type in password
ssh-add /path/to/your/encrypted/key2
... 

# all commands in this terminal will use the keys above w/o asking you for a password 
git clone git@githib.com...
git push... 
etc

So, basically you type your credentials once during the life cycle of your terminal.

If you really want to go full power-user, simple run ssh-agent (without the eval) and you'll see it just sets some env-vars, which can be imported into any terminal/shell you have open.

So, if you put some logic in your shells rc file, you can effectively share a single ash-agent between all your shells, meaning you just need to type your password for your keys once when you log into your system... and your now passwordless for any future terminals you create (this is my setup).

Also, if you're interested take a peek at the man pages for ash-agent. It has a few interesting features (ie: adding a password lock for your agent, removing keys from the agent, etc).

[-] bandwidthcrisis@lemmy.world 4 points 1 week ago

I have

if [ -z "$SSH_AUTH_SOCK" ] ; then
    eval $(ssh-agent -s)
fi

At the end of .bashrc and

AddKeysToAgent yes

In .ssh/config so that it auto-adds keys I unlock.

[-] ulterno@programming.dev 2 points 1 week ago

I do it.
Every time.

And I keep a wired keyboard for it.

[-] rumba@lemmy.zip 4 points 1 week ago

https://www.tomshardware.com/tech-industry/cyber-security/researchers-snoop-data-from-air-gapped-pcs-ram-sticks-by-monitoring-em-radiation-from-23-feet-away

I get keyboards probably have more range, but i worry privacy was gone a long time ago.

[-] ulterno@programming.dev 1 points 1 week ago

I see they really wanted to fit the acronym to RAMBO, lol.
But it makes sense. Considering, we keep out mobile phones in around a metre's reach, it would be trivial to just get that information just from key sounds. Guess I better get one of those high frequency faraday cages, huh?

[-] rumba@lemmy.zip 4 points 1 week ago

There are a few on audio, I saw one where they read HDMI over the air from 60 ft away.

I'd kinda like to see Bluetooth shored up a bit maybe require a tap to bind every day.

[-] ulterno@programming.dev 2 points 1 week ago

I saw one where they read HDMI over the air from 60 ft away.

Wow! Was that stuff even EMCD compliant?

[-] rumba@lemmy.zip 3 points 1 week ago

You can read the cables, you can read the transceivers in the video card, in a lot of the screens you can even read the panel changing itself.

Our ability is to remote sense EMF is absolutely ridiculous these days.

Then there's crap like the espionage where they change fan speeds. Or flash an infrared proximity sensor on a cell phone to exfiltrate data.

[-] ulterno@programming.dev 2 points 1 week ago

in a lot of the screens you can even read the panel changing itself

I thought that stuff went away with CRTs.
But I guess that makes sense. We could hear CRTs with out ears, now we just need more sensitive equipment.

[-] ramjambamalam@lemmy.ca 2 points 1 week ago

Get a load of Ross Ulbricht ovah here!

[-] ulterno@programming.dev 0 points 1 week ago

Well, the main reason I do it every time is because I'm just too lazy to setup pinentry.
But yeah, for the Bluetooth keyboard, I realise I better get off it.

[-] rumba@lemmy.zip 11 points 1 week ago

but they require chmod 400 and they're ideally in on an encrypted disk

So the desk drawer is locked and the codes are Luks encrypted.

And for critical stuff, you should also have a password on the key.

If your ssh keys are like a passwords on paper in a drawer, you're doing it wrong.

[-] tauonite@lemmy.world 10 points 1 week ago

TIL some people store SSH keys unencrypted

[-] ThunderQueen@lemmy.world 9 points 1 week ago

I had mine on paper for years before i learned about Keepass. I trusted it more than a cloud based manager because someone would have to physically be in my room.

I am a lot more careful these days but that is not beyond the pale for a lot of folks haha

[-] Evotech@lemmy.world 2 points 1 week ago

It’s not about encryption/security it’s about creating something that can’t be phished.

We know that 2fa is secure. But if an attacker can trick you into giving them the code, or typing it in a fake box. Then they own you.

Passkeys are made so that there’s nothing to give, nothing to type. You must control the device.

[-] ramjambamalam@lemmy.ca 4 points 1 week ago

SSH keys are more like passkeys than passwords.

[-] Evotech@lemmy.world 1 points 1 week ago* (last edited 1 week ago)

I’d love to see the state of online banking if everyone were to manage their own ssh keys

In all seriousness, they are similar, but not quite in this context.

There’s a good project on how to make ssh key infra more scalable and innately secure. Then you can use passkeys on top if you’d like.

https://github.com/openpubkey/openpubkey

https://github.com/openpubkey/opkssh

I personally use this on all my servers.

[-] ramjambamalam@lemmy.ca 1 points 1 week ago

I’d love to see the state of online banking if everyone were to manage their own ssh keys

Most people couldn't figure out how to download a binary release from a GitHub repo, much less clone it, regardless of HTTP or SSH.

[-] Evotech@lemmy.world 1 points 1 week ago* (last edited 1 week ago)

True, not the point though

this post was submitted on 16 Sep 2025

715 points (97.9% liked)

Programmer Humor

26629 readers

3691 users here now

Welcome to Programmer Humor!

This is a place where you can post jokes, memes, humor, etc. related to programming!

For sharing awful code theres also Programming Horror.

Rules

Keep content in english
No advertisements
Posts must be related to programming or programmer topics

founded 2 years ago

MODERATORS

Feyter@programming.dev

anzo@programming.dev

BurningTurtle@programming.dev

pylapp@programming.dev