this post was submitted on 16 Sep 2025
667 points (97.7% liked)

Programmer Humor

[–] ramjambamalam@lemmy.ca 67 points 2 weeks ago (2 children)

I think this post is about git CLI, not www.github.com.

SSH keys are very secure and you can still encrypt them with a password if you wish.

[–] jonjuan@programming.dev 42 points 2 weeks ago (3 children)

> encrypt them with a password if you wish.

SSH keys without passphrases are just fancy credential files sitting in your .ssh/ directory, basically like writing your passwords on paper and leaving it in your desk drawer.

[–] rumba@lemmy.zip 11 points 2 weeks ago

but they require chmod 400 and they're ideally on an encrypted disk

So the desk drawer is locked and the codes are LUKS encrypted.

And for critical stuff, you should also have a password on the key.

If your SSH keys are like passwords on paper in a drawer, you're doing it wrong.
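The two checks discussed in this part of the thread (is the private key passphrase-protected, and is the file closed to group/other) can be automated. The following is an added example, not code from any commenter; the function names `key_protection`, `audit_file` and `constructed_sample` are hypothetical, and the sample key is a constructed header-only blob, not a usable key.

```python
import base64, binascii, os, stat, struct

MAGIC = b"openssh-key-v1\x00"  # header of the current OpenSSH private key format

def key_protection(text):
    """Classify private-key text as 'encrypted', 'unencrypted' or 'not-a-key'."""
    lines = [l.strip() for l in text.strip().splitlines()]
    if not lines or not (lines[0].startswith("-----BEGIN ") and "PRIVATE KEY" in lines[0]):
        return "not-a-key"
    if lines[0] == "-----BEGIN ENCRYPTED PRIVATE KEY-----":      # PKCS#8
        return "encrypted"
    if lines[0] != "-----BEGIN OPENSSH PRIVATE KEY-----":        # legacy PEM (RSA/EC/DSA)
        legacy = any(l.startswith("Proc-Type:") and "ENCRYPTED" in l for l in lines)
        return "encrypted" if legacy else "unencrypted"
    try:
        blob = base64.b64decode("".join(lines[1:-1]))
        if not blob.startswith(MAGIC):
            return "not-a-key"
        (n,) = struct.unpack_from(">I", blob, len(MAGIC))        # length of ciphername
    except (binascii.Error, struct.error):
        return "not-a-key"
    cipher = blob[len(MAGIC) + 4:len(MAGIC) + 4 + n]
    return "unencrypted" if cipher == b"none" else "encrypted"   # "none" = no passphrase

def audit_file(path):
    """Return findings for one file; an empty list means nothing to report."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    with open(path, "r", errors="replace") as fh:
        kind = key_protection(fh.read(65536))
    if kind == "not-a-key":
        return []
    findings = ["no passphrase"] if kind == "unencrypted" else []
    if mode & 0o077:                                             # any group/other bit set
        findings.append("mode %04o grants access to group/other" % mode)
    return findings

def constructed_sample(cipher):
    """Constructed header-only blob (not a usable key), for demonstration only."""
    b64 = base64.b64encode(MAGIC + struct.pack(">I", len(cipher)) + cipher).decode()
    return "-----BEGIN OPENSSH PRIVATE KEY-----\n" + b64 + "\n-----END OPENSSH PRIVATE KEY-----\n"

if __name__ == "__main__":
    ssh_dir = os.path.expanduser("~/.ssh")
    for name in sorted(os.listdir(ssh_dir) if os.path.isdir(ssh_dir) else []):
        path = os.path.join(ssh_dir, name)
        if os.path.isfile(path):
            for finding in audit_file(path):
                print("%s: %s" % (path, finding))
```

Run directly, it reports each private key under `~/.ssh` that lacks a passphrase or has group/other permission bits set; it only reads the key header and never needs the passphrase.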

[–] tauonite@lemmy.world 9 points 2 weeks ago

TIL some people store SSH keys unencrypted

[–] ThunderQueen@lemmy.world 7 points 2 weeks ago

I had mine on paper for years before I learned about KeePass. I trusted it more than a cloud-based manager because someone would have to physically be in my room.

I am a lot more careful these days but that is not beyond the pale for a lot of folks haha

[–] Evotech@lemmy.world 2 points 2 weeks ago (1 children)

It’s not about encryption/security, it’s about creating something that can’t be phished.

We know that 2FA is secure. But if an attacker can trick you into giving them the code, or typing it in a fake box, then they own you.

Passkeys are made so that there’s nothing to give, nothing to type. You must control the device.

[–] ramjambamalam@lemmy.ca 2 points 2 weeks ago (1 children)

SSH keys are more like passkeys than passwords.

[–] Evotech@lemmy.world 1 points 2 weeks ago* (last edited 2 weeks ago) (1 children)

I’d love to see the state of online banking if everyone were to manage their own SSH keys

In all seriousness, they are similar, but not quite in this context.

There’s a good project on how to make SSH key infra more scalable and innately secure. Then you can use passkeys on top if you’d like.

https://github.com/openpubkey/openpubkey

https://github.com/openpubkey/opkssh

I personally use this on all my servers.

[–] ramjambamalam@lemmy.ca 1 points 2 weeks ago (1 children)

> I’d love to see the state of online banking if everyone were to manage their own SSH keys

Most people couldn't figure out how to download a binary release from a GitHub repo, much less clone it, regardless of HTTP or SSH.

[–] Evotech@lemmy.world 1 points 2 weeks ago* (last edited 2 weeks ago)

True, not the point though