Keeping Those SSH Keys Safe
Want to share your content on R-bloggers? click here if you have a blog, or here if you don't.
I came across a neat site that uses a Golang wasm function called from javascript on the page to help you see if your GitHub public SSH keys are “safe”. What does “safe” mean? This is what the function checks for (via that site):
Recommended key sizes are as follows:
- For the RSA algorithm at least 2048, recommended 4096
- The DSA algorithm should not be used
- For the ECDSA algorithm, it should be 521
- For the ED25519, the key size should be 256 or larger
The site also provides links to standards and guides to support the need for stronger keys.
I threw together a small R package — {pubcheck} — to check local keys, keys in a character vector, and keys residing in GitHub. One function will even check the GitHub keys of all the GitHub users a given account is following:
Local file
library(pubcheck) library(tidyverse) check_ssh_pub_key("~/.ssh/id_rsa.pub") |> mutate(key = ifelse(is.na(key), NA_character_, sprintf("%s…", substr(key, 1, 30)))) |> knitr::kable()
key | algo | len | status |
---|---|---|---|
ssh-rsa AAAAB3NzaC1yc2EAAAADAQ… | rsa | 2048 | Key is safe; For the RSA algorithm at least 2048, recommended 4096 |
A GitHub user
check_gh_user_keys(c("hrbrmstr", "mikemahoney218")) |> mutate(key = ifelse(is.na(key), NA_character_, sprintf("%s…", substr(key, 1, 30)))) |> knitr::kable()
user | key | algo | len | status |
---|---|---|---|---|
hrbrmstr | ssh-rsa AAAAB3NzaC1yc2EAAAADAQ… | rsa | 2048 | Key is safe; For the RSA algorithm at least 2048, recommended 4096 |
hrbrmstr | ssh-rsa AAAAB3NzaC1yc2EAAAADAQ… | rsa | 2048 | Key is safe; For the RSA algorithm at least 2048, recommended 4096 |
hrbrmstr | ssh-rsa AAAAB3NzaC1yc2EAAAADAQ… | rsa | 2048 | Key is safe; For the RSA algorithm at least 2048, recommended 4096 |
mikemahoney218 | ssh-rsa AAAAB3NzaC1yc2EAAAADAQ… | rsa | 4096 | Key is safe |
mikemahoney218 | ssh-ed25519 AAAAC3NzaC1lZDI1NT… | ed25519 | 256 | Key is safe |
mikemahoney218 | ssh-ed25519 AAAAC3NzaC1lZDI1NT… | ed25519 | 256 | Key is safe |
mikemahoney218 | ssh-ed25519 AAAAC3NzaC1lZDI1NT… | ed25519 | 256 | Key is safe |
Keys of all the users a GitHub account is following
check_gh_following("koenrh") |> mutate(key = ifelse(is.na(key), NA_character_, sprintf("%s…", substr(key, 1, 30)))) |> knitr::kable()
user | key | algo | len | status |
---|---|---|---|---|
framer | NA | NA | NA | NA |
jurre | ssh-rsa AAAAB3NzaC1yc2EAAAADAQ… | rsa | 2048 | Key is safe; For the RSA algorithm at least 2048, recommended 4096 |
What’s it like out there?
I processed my followers list and had some interesting results:
library(pubcheck) library(hrbragg) library(tidyverse) # this takes a while as the # of users is > 500! res <- check_gh_following("hrbrmstr") res |> count(user) |> arrange(n) |> count(n, name = "n_users") |> mutate(csum = cumsum(n_users)) |> ggplot() + geom_line( aes(n, csum) ) + geom_point( aes(n, csum) ) + scale_x_continuous(breaks = 1:21) + scale_y_comma() + labs( x = "# Keys In User GH", y = "# Users", title = "Cumulative Plot Of User/Key Counts [n=522 users]", subtitle = "A handful of users have >=10 keys configured in GitHub; one has 21!!" ) + theme_cs(grid="XY")
res |> count(algo, len, status) |> mutate(kind = ifelse(is.na(status), "No SSH keys in account", sprintf("%s:%s\n%s", algo, len, status))) |> mutate(kind = fct_reorder(gsub("[;,]", "\n", kind), n, identity)) |> ggplot() + geom_col( aes(n, kind), width = 0.65, fill = "steelblue", color = NA ) + scale_x_comma(position = "top") + labs( x = NULL, y = NULL, title = "SSH Key Summary For GH Users hrbrmstr Is Following" ) + theme_cs(grid="X") + theme(plot.title.position = "plot")
FIN
Whether you use the website or the R package, it’d be a good idea to check on your SSH keys at least annually.
R-bloggers.com offers daily e-mail updates about R news and tutorials about learning R and many other topics. Click here if you're looking to post or find an R/data-science job.
Want to share your content on R-bloggers? click here if you have a blog, or here if you don't.