Put SSH keys in .git to make repos USB-portable
20 points
3 hours ago
| 14 comments
| dansjots.github.io
| HN
wrxd
1 hour ago
[-]
I di the exact opposite and only use ssh keys store in secure enclaves. Each device has their own key I have no access to.

Not sure what the author does but I have three devices and keep them for many years. Adding a new ssh key to servers every few years isn’t that bad.

reply
webstrand
38 minutes ago
[-]
I just use -sk variants with a FIDO authenticator. Being able to port the keys to another trusted machine (i.e. replacing a computer) if I need to is nice. And it's as secure as a secure enclave.

I do prefer to use a unique key for every (local, remote) pair though. It makes revocation more straightforward.

reply
trueismywork
45 minutes ago
[-]
Yes. This is the way.
reply
pizzafeelsright
9 minutes ago
[-]
Assume these are for deployment to remote services - 'use deploy keys exclusively'

If the bad intent actor has access to the source code they still need to have access to push to the remote repo to issue a deployment.

If they have access to the remote repo they would then have full access to the deployment, I am not certain this is avoidable if one can edit code, push, and have the pipeline deploy as desired.

Car analogy? Key fob in the car in a locked garage. If you have access to the garage you can steal the car. Secure 'enough' for most people because the intrusion happened prior to the deploy.

reply
cosmic_cheese
1 hour ago
[-]
I feel a bit skeeved out about the standard practice of just letting keys hang free and loose in ~/.ssh/ as it is already (leveraging e.g. Secure Enclave on Macs is much better IMO), let alone putting them in a place where they're liable to be unintentionally uploaded or freely accessible to anybody who happens to come into possession of my thumb drive.
reply
mnahkies
35 minutes ago
[-]
I've moved to storing my keys in my password manager, using it as an ssh agent. Means clicking authorize a bit, but also means I'm running a command I'm expecting to use a key then being prompted to authorize (and if it ever prompts unexpectedly I can stop and ask why)

Hardware keys would be better, but I think this is a decent balance or security vs convenience for my needs ATM.

reply
trueismywork
45 minutes ago
[-]
Best is hardware keys like yubikeys..
reply
cluckindan
35 minutes ago
[-]
Use drive encryption, key passphrases and chmod -r 600 ~/.ssh
reply
monkpit
1 hour ago
[-]
This is like leaving your house keys in the lock on the front door and going on vacation.
reply
heyitsdaad
1 hour ago
[-]
Sorry I’m too paranoid about this stuff.

I couldn’t get past ”Paste the private key file id_ed25519 into the .git directory of your current repo,”

reply
praash
1 hour ago
[-]
I stopped worrying after I began protecting all keys with a passphrase.
reply
doug713705
44 minutes ago
[-]
Then the access of your git repos is protected by a single factor, the private key, since the private key is already in the wild.

Copying a private key on a removable storage or to another device than the device that generated it is never a good idea.

reply
zikduruqe
51 minutes ago
[-]
I protect mine with GPG for SSH authentication.
reply
giancarlostoro
1 hour ago
[-]
At that point why not just put it in the home folder of all your devices? I would hate to lose a thumb drive (or have it stolen intentionally) and now someone has full access to my git repository, the freedom to add malware. Foreign hackers would salivate at the thought.
reply
bastardoperator
1 hour ago
[-]
No thank you. Use ~/.ssh/config with per-repo Host aliases and IdentityFile directives.
reply
omani
22 minutes ago
[-]
this has to be a joke, right?
reply
nerdjon
1 hour ago
[-]
So I have never actually tried, but could you not just have multiple SSH keys in your .ssh folder and run the same command in the article telling git specifically which one to use instead of one within the git directory?

That seems like it would fix the issue here without introducing a major security issue.

To be blunt... If I was security at a company and found out someone was doing this, I would question why they have the right to use git frankly.

Edit: I should have clicked through to the superuser article which answered my question that this is perfectly fine with git and having multiple in .ssh.

So honest question... why did you think this was a necessary "twist" worth the risks of copying those files to a location it should not be?

reply
aidenn0
58 minutes ago
[-]
You can also use your ssh config to set identities for any "host" you want, and the host doesn't need to be the real hostname. So you can do something like:

  Host project1.git
    Hostname github.com
    IdentityFile ~/.ssh/id_project1_ed25519
    IdentitiesOnly yes
And then "git checkout git@project1.git:foo/project1.git" to checkout the file.
reply
rockostrich
1 hour ago
[-]
You don't even need to do that. You can just put each set of repos in a directory on a per-account basis and set up git-configs for each. The top of my `.gitconfig` looks like

    [includeIf "gitdir:~/Work/"]
      path = .gitconfig_work
    [includeIf "gitdir:~/OpenSource/"]
      path = .gitconfig_opensource
where `Work` is where all of our repos associated with our GitHub EMU go and `OpenSource` is where I clone all of the open source repos I need to contribute to for work. Our EMU policy doesn't allow us to use our EMU accounts on other repos (or maybe this is just a general restriction of EMU) so I have that set-up to use my personal GitHub.
reply
ziml77
12 minutes ago
[-]
This is exactly what I have set up for a pair of personal accounts. Allows for a nice clean split between the two. As long as the code was initially cloned into the correct directory there's no way for me to accidentally use the wrong email address or GPG signing key.
reply
rhdunn
1 hour ago
[-]
I have a ssh-switch script that runs `ssh-add -D` and `ssh-add $KEY_FILE` so I can do `ssh-switch id_github`, etc. This is coupled with a `/etc/profile.d/ssh-agent.sh` script to create a ssh agent for a terminal session.
reply
croes
1 hour ago
[-]
I guess this is why

> This setup is localized to that repo and is entirely self-contained, i.e. you can move the repo to a different path or place it on a thumb drive to a different machine and it will work without reconfiguring.

reply
nerdjon
59 minutes ago
[-]
I mean I saw that, but I just can't imagine this is thing that you are honestly doing that much...

But also:

> you can move the repo to a different path

Pretty sure this alone is a non issue.

> place it on a thumb drive to a different machine and it will work without reconfiguring.

I go back to this being terrible security. If you loose that drive someone now has your key and the ability to figure out where that key is valid for.

reply
monkpit
23 minutes ago
[-]
> the ability to figure out where that key is valid for

Not just the ability to figure it out, but the config is set to use it automatically, so you could easily figure this out on accident.

reply
whalesalad
1 hour ago
[-]
yes. ssh keys can be named whatever and you can have as many of them in your .ssh dir (or any dir) as you want. "id_ed25519.pub" is just a default/convention.

run "ssh -vvv" and you will see how ssh client decides to look thru that directory. it will try all of them if none are specified.

reply
nerdjon
1 hour ago
[-]
My question was more the git command in the article I was curious about, I have never used that command myself and I was not sure if there was a weird limitation (possibly related to the git context) that it only worked with files within the git repo.

I am just trying to figure out how we are jumping from storing in ~/.ssh to storing in the repo here.

reply
danillonunes
51 minutes ago
[-]
Yes, you can run in your local git repo:

  git config core.sshCommand "ssh -i /home/your_user/.ssh/your_custom_key"
(I believe replacing "/home/your_user" with "~" works too)

I use this all the time as my main key is ed25519 but some old repositories only support rsa keys.

The sshCommand config is, as the name says, the literal ssh command that is used by git when operations that call a remote with ssh (usually push/pull). You can also put other ssh options in there if you need.

Another option to achieve the same effect is to setup directly in your ~/.ssh/config:

  Host your_custom_alias
    HostName git.domain.com
    User git
    IdentityFile ~/.ssh/your_custom_key
then instead of "git clone git@git.domain.com:repo.git" you clone it with "git clone your_custom_alias:repo.git" (or you change the remote if is already cloned). In this case you don't need to have to change the git sshCommand option.
reply
ggm
1 hour ago
[-]
Any time a proposal to put PRIVATE keys into a portable object is raised, I hope to see discussion of the risks.

This is extremely risky for the integrity of the remote copy. If the key is compromised (USB stick lost or acquired by a bad faith actor) then the remote repository is untrustable.

I suppose this is no different to normal keyloss, and some people maintain their keys on removable devices and are exposed to this loss, if the device does not have additional protections.

If it's not a bare (private) key, I suppose then it comes down to the ssh-agent chain over that key, and the strength of your wrapper protection.

reply
nine_k
1 hour ago
[-]
(1) Won't an SSH key with a passphrase solve this? Whoever picks up the lost USB stick won't be able to guess a good passphrase.

(2) It seems like a USB key (like Yubikey) combined with a fair amount os USB-attached storage could be a viable product for some applications! The storage could even be encrypted for (some) extra security.

reply
ggm
30 minutes ago
[-]
sure. picking a good passphrase is pretty vital.
reply
runningmike
18 minutes ago
[-]
Is this a joke? It is called “private key” with a reason…
reply
vorpalhex
1 hour ago
[-]
Also make sure to put in your user password in a plaintext file in the repo for ease of automation. Add your SSN in case the usb gets lost. A face scan of a blank check could prove useful for future bills.
reply
reactordev
1 hour ago
[-]
Do NOT do this. Anyone who gains access to the repo, gains access to all environments. I repeat, DO NOT DO THIS!!!! Do not deploy from your terminal. Do use CI/CD and do use environment variables and secrets to provide those keys from a secure location. DO NOT STORE THEM IN .git!!! All it takes is one dependency to ruin your day.

npm install at your own risk then and wait for the breach…

reply
lawn
1 hour ago
[-]
Is this the kind of security vulnerabilities we'll be seeing as vibe coding and AI slop takes the reins?
reply
runningmike
14 minutes ago
[-]
The bad thing is: these kind of blogs are used for LLM trainings. Never trust AI for security advice without thinking and understanding what you do.
reply