I came across a neat site that uses a Golang wasm function called from javascript on the page to help you see if your GitHub public SSH keys are “safe”. What does “safe” mean? This is what the function checks for (via that site):

Recommended key sizes are as follows:

• For the RSA algorithm at least 2048, recommended 4096
• The DSA algorithm should not be used
• For the ECDSA algorithm, it should be 521
• For the ED25519, the key size should be 256 or larger

The site also provides links to standards and guides to support the need for stronger keys.

I threw together a small R package — {pubcheck} — to check local keys, keys in a character vector, and keys residing in GitHub. One function will even check the GitHub keys of all the GitHub users a given account is following:

Local file

library(pubcheck)
library(tidyverse)

check_ssh_pub_key("~/.ssh/id_rsa.pub") |> 
  mutate(key = ifelse(is.na(key), NA_character_, sprintf("%s…", substr(key, 1, 30)))) |> 
  knitr::kable()

key	algo	len	status
ssh-rsa AAAAB3NzaC1yc2EAAAADAQ…	rsa	2048	Key is safe; For the RSA algorithm at least 2048, recommended 4096

A GitHub user

check_gh_user_keys(c("hrbrmstr", "mikemahoney218")) |> 
  mutate(key = ifelse(is.na(key), NA_character_, sprintf("%s…", substr(key, 1, 30)))) |> 
  knitr::kable()

user	key	algo	len	status
hrbrmstr	ssh-rsa AAAAB3NzaC1yc2EAAAADAQ…	rsa	2048	Key is safe; For the RSA algorithm at least 2048, recommended 4096
hrbrmstr	ssh-rsa AAAAB3NzaC1yc2EAAAADAQ…	rsa	2048	Key is safe; For the RSA algorithm at least 2048, recommended 4096
hrbrmstr	ssh-rsa AAAAB3NzaC1yc2EAAAADAQ…	rsa	2048	Key is safe; For the RSA algorithm at least 2048, recommended 4096
mikemahoney218	ssh-rsa AAAAB3NzaC1yc2EAAAADAQ…	rsa	4096	Key is safe
mikemahoney218	ssh-ed25519 AAAAC3NzaC1lZDI1NT…	ed25519	256	Key is safe
mikemahoney218	ssh-ed25519 AAAAC3NzaC1lZDI1NT…	ed25519	256	Key is safe
mikemahoney218	ssh-ed25519 AAAAC3NzaC1lZDI1NT…	ed25519	256	Key is safe

Keys of all the users a GitHub account is following

check_gh_following("koenrh") |> 
  mutate(key = ifelse(is.na(key), NA_character_, sprintf("%s…", substr(key, 1, 30)))) |> 
  knitr::kable()

user	key	algo	len	status
framer	NA	NA	NA	NA
jurre	ssh-rsa AAAAB3NzaC1yc2EAAAADAQ…	rsa	2048	Key is safe; For the RSA algorithm at least 2048, recommended 4096

What’s it like out there?

I processed my followers list and had some interesting results:

library(pubcheck)
library(hrbragg)
library(tidyverse)

# this takes a while as the # of users is > 500!
res <- check_gh_following("hrbrmstr")

res |> 
  count(user) |> 
  arrange(n) |> 
  count(n, name = "n_users") |> 
  mutate(csum = cumsum(n_users)) |> 
  ggplot() +
  geom_line(
    aes(n, csum)
  ) +
  geom_point(
    aes(n, csum)
  ) + 
  scale_x_continuous(breaks = 1:21) +
  scale_y_comma() +
  labs(
    x = "# Keys In User GH", y = "# Users",
    title = "Cumulative Plot Of User/Key Counts [n=522 users]",
    subtitle = "A handful of users have >=10 keys configured in GitHub; one has 21!!"
  ) +
  theme_cs(grid="XY")

res |> 
  count(algo, len, status) |> 
  mutate(kind = ifelse(is.na(status), "No SSH keys in account", sprintf("%s:%s\n%s", algo, len, status))) |> 
  mutate(kind = fct_reorder(gsub("[;,]", "\n", kind), n, identity)) |> 
  ggplot() +
  geom_col(
    aes(n, kind),
    width = 0.65, 
    fill = "steelblue", 
    color = NA
  ) +
  scale_x_comma(position = "top") +
  labs(
    x = NULL, y = NULL,
    title = "SSH Key Summary For GH Users hrbrmstr Is Following"
  ) +
  theme_cs(grid="X") +
  theme(plot.title.position = "plot")

FIN

Whether you use the website or the R package, it’d be a good idea to check on your SSH keys at least annually.