GitHub has grown in popularity over the past few years as one of the defacto standard locations to share and collaborate on open source projects. Accounts on GitHub are encouraged to use key based authentication, and to that end, users to upload a public key to allow them to authenticate to their accounts while making changes to code. This summer I crawled, collected, and analyzed 1,191,694 of these public keys from 1,190,842 GitHub accounts. The following are the statistics and observations I made.

The vast majority of the keys in use are ssh-rsa 2048 bit keys. This isn’t surprising as this is the default configuration for the ssh-keygen utility so often used to create these keys.

Key Type Analysis

The keys themselves are overwhelmingly ssh-rsa keys with 98% being ssh-rsa keys of various bit lengths between 1,000 and 35,000. The second most common key type identified was ssh-dss.

Once all of the keys were cataloged, I checked them for keys known to have been generated by Debian systems affected by CVE-2008-0166 between 2006 and 2008. Additionally, I checked the keys against the rapid7/ssh-badkeys collection of key pairs known to have shipped with software and hardware. Neither of these searches yielded any known public and private key combination. A table of all of the key types is available at the bottom of this post in the Key Types Table section.

User Relations

From an OSINT perspective, the data collection can be used to map relationships between multiple accounts belonging to a single individual. Users with multiple accounts that share a single SSH key for access and authentication can be easily identified by identifying public keys belonging to multiple users. Users with access to the private counter part of the shared public key would have access to these accounts. Among all of the keys recorded, 398 unique public keys were identified as being shared between multiple accounts. These are likely accounts that have either been renamed, or personal & work combination accounts.

User Key Count

Of all the users that were checked only 51% had one or more SSH keys associated with their account. Accounts without keys are likely accounts that are inactive from a development perspective, likely created simply for opening tickets or checking the metrics provided by GitHub for projects. Git and GitHub can use a username and password combination to push to an HTTPS repository but most users opt for the convenience of authenticating with a key to avoid having to enter their credentials every time they push to a repo or clone a private repo.

Of the 1.2M users, 26.57% had exactly one key associated with their account, 12.98% have 2 keys, and 5.82% have 3 keys. One key does seem typical for the average user doing their development from a single system. Multiple keys could be indicative of the user developing on multiple systems. Furthermore, certain services such as the Cloud9 IDE platform require associating a key with the users GitHub account, presumably this is an additional key to an existing one.

Key Types Table