Closed maraflush closed 4 years ago
Hi, this is used by our automated CI/CD process that deploys on the dev + prod servers, so it does bring something. While we could handle it differently, it's quite convenient.
The only threat model I can think of is someone trying to add their key in there. However we would probably catch it during code review, especially since there are very little contributions for now. And not having the file does not prevent this anyway.
Do you see any other specific risks related to this that should prompt us to revisit this?
As I said, nothing prevents someone from retrieving the public key to try to factorize the key to obtain the private one (this risk is minor but it exists), and from probably learning your assets via the authorized_keys contents (server, CI/CD IP address). This is interesting for OSINT. You are better aware of your uses than I am.
Regards
Thanks. I think the risk is low, compared to the benefits for now. We will revisit if we start getting more contributions.
Hi,
It would be a good idea to delete this directory (public/.ssh) because it doesn't bring anything and moreover you expose information. Some public services on the internet, like https://www.shhgit.com/, analyze the strengths and weaknesses of the keys and sometimes attempt factorizations, etc.
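One concrete, defender-side check for the situation discussed in this thread: if an authorized_keys file is going to live in a repository at all, a CI step can at least refuse keys whose algorithm or modulus size makes the factorization concern above more than theoretical. The script below is an added example and is not code from the project or from either participant. It parses OpenSSH authorized_keys lines (including leading options such as `from="..."`), decodes each key blob to recover the algorithm and, for RSA, the modulus bit length, and reports findings. The policy thresholds (`MIN_RSA_BITS`, `WEAK_TYPES`) and the sample lines are constructed assumptions; the sample blobs are synthetic and not real keys.

```python
"""Audit authorized_keys lines for weak key types or sizes before they are committed.

Added example; not the project's code. Thresholds and sample keys are constructed.
"""
import base64
import struct

MIN_RSA_BITS = 2048        # assumed policy threshold, not taken from the issue
WEAK_TYPES = {"ssh-dss"}   # DSA keys are limited to 1024 bits; OpenSSH disables them by default


def _read_string(blob, offset):
    """Read one SSH wire-format string (uint32 length prefix) from blob."""
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    offset += 4
    return blob[offset:offset + length], offset + length


def parse_blob(b64):
    """Return (key_type, bits) decoded from the base64 key blob."""
    blob = base64.b64decode(b64)
    raw_type, off = _read_string(blob, 0)
    key_type = raw_type.decode("ascii")
    bits = None
    if key_type == "ssh-rsa":
        _e, off = _read_string(blob, off)        # public exponent e (unused here)
        n_raw, off = _read_string(blob, off)     # modulus n as an mpint
        bits = int.from_bytes(n_raw, "big").bit_length()
    elif key_type == "ssh-ed25519":
        bits = 256
    elif key_type.startswith("ecdsa-sha2-nistp"):
        bits = int(key_type[len("ecdsa-sha2-nistp"):])
    return key_type, bits


def audit_line(line):
    """Audit one authorized_keys line; returns a dict with type, bits, comment, findings."""
    fields = line.split()
    for idx, field in enumerate(fields):
        if field.startswith(("ssh-", "ecdsa-", "sk-")):   # first field that looks like a key type
            break
    else:
        raise ValueError("no key type field found")
    declared = fields[idx]
    key_type, bits = parse_blob(fields[idx + 1])
    findings = []
    if key_type != declared:
        findings.append(f"declared type {declared} does not match blob type {key_type}")
    if key_type in WEAK_TYPES:
        findings.append(f"weak algorithm {key_type}")
    if key_type == "ssh-rsa" and bits < MIN_RSA_BITS:
        findings.append(f"rsa modulus {bits} < {MIN_RSA_BITS}")
    return {"type": key_type, "bits": bits,
            "comment": " ".join(fields[idx + 2:]), "findings": findings}


def audit_file(text):
    """Audit every non-blank, non-comment line; returns one result dict per key."""
    results = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        result = audit_line(line)
        result["line"] = lineno
        results.append(result)
    return results


# --- constructed sample input (synthetic blobs, not real keys) ---

def _string(b):
    return struct.pack(">I", len(b)) + b


def _mpint(n):
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw                     # keep the mpint positive
    return _string(raw)


def make_rsa_line(bits, comment):
    n = (1 << (bits - 1)) | 1                   # placeholder modulus with the requested bit length
    blob = _string(b"ssh-rsa") + _mpint(65537) + _mpint(n)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"


def make_ed25519_line(comment):
    blob = _string(b"ssh-ed25519") + _string(bytes(32))   # placeholder 32-byte public key
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed sample authorized_keys, not real keys",
    make_rsa_line(1024, "ci@legacy"),
    'from="10.0.0.5" ' + make_rsa_line(4096, "deploy@prod"),
    make_ed25519_line("dev@laptop"),
])

if __name__ == "__main__":
    for r in audit_file(SAMPLE_AUTHORIZED_KEYS):
        status = "; ".join(r["findings"]) or "ok"
        print(f"line {r['line']}: {r['type']} {r['bits']} bits ({r['comment']}): {status}")
```

Running it on the constructed sample flags the 1024-bit RSA key and passes the other two; in a CI job the same `audit_file` call would run over the committed file and fail the build when any result has a non-empty `findings` list.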