Tribal Knowledge? Getting the public keys from github and gitlab users from their username
Posted by jpluimers on 2025/04/03
Learned a while ago: if you have the username from a GitHub or GitLab user, you can download interesting that sometimes can make life easier (but not necessarily more secure):
github.com/username.keysgives you their public SSH keysgitlab.com/username.keysgives you their public SSH keysgithub.com/username.pnggives you their profile image
And that there are tools like gh, glab and age that can make direct use of them.
I love Twitter, so thanks for these for teaching me these little tricks:
It also made me discover gh and glab (which was inspired by gh): command-line interface tools to make GitHub and GitLab life easier.
Most relevant links of these tools below.
But first the tweets:
- [Wayback/Archive] danielle 🏳️🌈 on Twitter: “
github[.]com/[username].keyscontinues to be the most useful thing for setting up new computer hardware 😅” - [Wayback/Archive] emilia ✨ (spoopy) on Twitter: “@endocrimes I’m helping set up a shared server with shell access for a conference, and it feels so magical that we can just ask attendees for their GitHub username and magically configure them passwordless ssh access”
- [Wayback/Archive] Mike Deeks on Twitter: “@endocrimes It’s also how we auth our users into machines. We have a script set up as an AuthorizedKeysCommand in sshd. It pulls from that endpoint and caches. Al we need to do is plop usernames into a config to grant access.”
- [Wayback/Archive] Liran Tal on Twitter: “@endocrimes Also helpful
github[.]com/[username].png“ - [Wayback/Archive] TheNumeralOne on Twitter: “@endocrimes Thank :3 Also, it looks like
github . com/[username].gpglists gpg keys if you want those instead of ssh keys” - [Wayback/Archive] Niclas Mietz on Twitter: “@endocrimes Or
gitlab[.]com/[username].keys😌” - [Wayback/Archive] ⃠ emojibake on Twitter: “@virus_dave @endocrimes yeah it also lets github.com/FiloSottile/age#encrypting-to-a-github-user directly encrypt a file to any github user, it’s so neat!”
- This taught me about the
ageencryption tool that can use public keys to encrypt files to be decrypted by the respective private keys (see below)
- This taught me about the
- [Wayback/Archive] Socially Distant Before It Was Cool on Twitter: “@endocrimes finally, PKI”
- [Wayback/Archive] Brett Holman on Twitter: “@endocrimes
ssh-import-idftw”- I vaguely knew about
ssh-import-id, but never used it in practice. Likeagethere are some links on it below.
- I vaguely knew about
- [Wayback/Archive] Dan Fedick on Twitter: “@endocrimes The `
gh` command is slick for these tasks too: “
There was an interesting discussion on security. Of course using a SSH private key for one purpose is more safe than sharing SSH keys, just like it is when re-using passwords. On the other hand SSH-key users often are more aware of security issues than password-only users.
Both SSH and password based authentication can (and I think should) be combined with MFA methods (like SMS/TOTP/U2F/FIDO) making it more secure. The specific MFA mechanism is then the choice of each target platform.
gh
- [Wayback/Archive] Dan Fedick on Twitter: “@endocrimes The `
gh` command is slick for these tasks too: “
- [Wayback/Archive] Manual | GitHub CLI
GitHub CLI, or
gh, is a command-line interface to GitHub for use in your terminal or your scripts.- [Wayback/Archive] GitHub CLI | Take GitHub to the command line (overview of the
ghcommands)- [Wayback/Archive] GitHub CLI | Take GitHub to the command line: gh gpg-key (Manage GPG keys registered with your GitHub account.)
- [Wayback/Archive] GitHub CLI | Take GitHub to the command line: gh ssh-key (Manage SSH keys registered with your GitHub account.)
- [Wayback/Archive] GitHub CLI | Take GitHub to the command line (overview of the
- Repository: [Wayback/Archive] cli/cli: GitHub’s official command line tool
ghis GitHub on the command line. It brings pull requests, issues, and other GitHub concepts to the terminal next to where you are already working withgitand your code.
glab
- [Wayback/Archive] GitLab.org / cli · GitLab
A GitLab CLI tool bringing GitLab to your command line
…
GLab is an open source GitLab CLI tool bringing GitLab to your terminal next to where you are already working withgitand your code without switching between windows and browser tabs. Work with issues, merge requests, watch running pipelines directly from your CLI among other features.glabis available for repositories hosted on GitLab.com and self-managed GitLab instances.glabsupports multiple authenticated GitLab instances and automatically detects the authenticated hostname from the remotes available in the working Git directory.It is a continuation of [Wayback/Archive] profclems/glab: A GitLab CLI tool bringing GitLab to your command line
They regrettably removed all
ghand GitHub references, which is a shame as it is derived from the ideas ingh, see: [Wayback/Archive] docs: remove github references (aa34b08e) · Commits · GitLab.org / cli · GitLab and the approval process in [Wayback/Archive] docs: remove github references (!1023) · Merge requests · GitLab.org / cli · GitLab. Hopefully my tweet below had some influence and this has changed by now:- [Wayback/Archive] Jeroen Wiert Pluimers on Twitter: “`
glab` is the `gh` inspired CLI tool for maintaining self hosted or managed #GitLab repositories originally hosted on GitHub. Recently @gitlab has removed all references to `gh` and #GitHub including inspiration: https://t.co/3JUB9SBAsW Not a nice way to say “thanks @github””
- [Wayback/Archive] Jeroen Wiert Pluimers on Twitter: “`
- [Wayback/Archive] Home · Wiki · GitLab.org / cli · GitLab
GLab open source custom Gitlab Cli tool written in Go (golang) to help work seamlessly with Gitlab from the command line.
- [Wayback/Archive] glab | A custom Gitlab Cli tool written in Go (golang)
note the documentation domain vanished, but the Wayback Machine has a good enough copy, see:[Wayback/Archive] The Wiki points to https://clementsam.tech/glab, but that site is gone (#1072) · Issues · GitLab.org / cli · GitLab
age
- [Wayback/Archive] FiloSottile/
age: A simple, modern and secure encryption tool (and Go library) with small explicit keys, no config options, and UNIX-style composability.
age is a simple, modern and secure file encryption tool, format, and Go library.
It features small explicit keys, no config options, and UNIX-style composability.
…
RECIPIENT can be an age public key generated by age-keygen ("age1...") or an SSH public key ("ssh-ed25519 AAAA...", "ssh-rsa AAAA..."). - [Wayback/Archive] age(1) – simple, modern, and secure file encryption (note that the Wayback Machine cannot correctly archive this: it archives the script but not the content)
- [Wayback/Archive] FiloSottile/age: Encrypting to a GitHub user
SSH keys
As a convenience feature, age also supports encrypting to
ssh-rsaandssh-ed25519SSH public keys, and decrypting with the respective private key file. (ssh-agentis not supported.)$ age -R ~/.ssh/id_ed25519.pub example.jpg > example.jpg.age $ age -d -i ~/.ssh/id_ed25519 example.jpg.age > example.jpgNote that SSH key support employs more complex cryptography, and embeds a public key tag in the encrypted file, making it possible to track files that are encrypted to a specific public key.
Encrypting to a GitHub user
Combining SSH key support and
-R, you can easily encrypt a file to the SSH keys listed on a GitHub profile.$ curl https://github.com/benjojo.keys | age -R - example.jpg > example.jpg.ageKeep in mind that people might not protect SSH keys long-term, since they are revokable when used only for authentication, and that SSH keys held on YubiKeys can’t be used to decrypt files.
ssh-import-id
- [Wayback/Archive] dustinkirkland/
ssh-import-id: git mirror of the official upstream at http://launchpad.net/ssh-import-id - [Wayback/Archive]
ssh-import-idin Launchpad - [Wayback/Archive] Ubuntu Manpage:
ssh-import-id– retrieve one or more public keys from a public keyserver and append them
--jeroen
The Wiert Corner - irregular stream of stuff 
Leave a comment