While true, in most cases the username is simply “git” and not a specific username tied to the pub/priv keypair
When authenticating with git over SSH, the private key should be considered secret and well protected.
That means the corresponding public key that was uploaded to the git server is enough to authenticate and no username is required. However, a password-protected private key is possible and extra layers of security can be added to the authentication mechanism.
As far as resource-based attacks based on public-key searching, I doubt many servers have significant enough public keys on a single host to even notice. Most repos are siloed and have specific teams/individuals assigned to them, so only a small number of public keys even gets loaded.
I don't know enough about the server side mechanics to be sure, but imo the attack surface is pretty small.
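The mechanism the comment above describes, as an added illustration that is not part of the original thread or of any git server's real code: the SSH login name is the shared account "git", and the server decides who the user is by looking up the offered public key. The registry, the user names and the key bytes below are all constructed for the example (the "keys" are just hash output, not real Ed25519 keys); the type-field check and the OpenSSH SHA256 fingerprint format are real, the `resolve_user` lookup is a hypothetical emulation of what an AuthorizedKeysCommand-style hook would do.

```python
import base64
import hashlib
import struct


def _ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (uint32 length prefix)."""
    return struct.pack(">I", len(data)) + data


def make_ed25519_pubkey_line(raw32: bytes, comment: str) -> str:
    """Build an OpenSSH public key line ("ssh-ed25519 <base64 blob> <comment>").
    Used here only to construct sample keys; raw32 is NOT a real key."""
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(raw32)
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


def parse_pubkey_line(line: str):
    """Parse an OpenSSH public key line into (keytype, blob).
    Rejects lines whose declared type does not match the type inside the blob,
    the same consistency check sshd applies before using a key."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("malformed public key line")
    keytype, b64 = parts[0], parts[1]
    blob = base64.b64decode(b64, validate=True)
    if len(blob) < 4:
        raise ValueError("blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != keytype.encode():
        raise ValueError("declared key type does not match blob")
    return keytype, blob


def fingerprint(blob: bytes) -> str:
    """OpenSSH-style SHA256 fingerprint: base64 of sha256(blob), '=' padding stripped."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


# Constructed sample "keys": hypothetical users, raw bytes derived from a label
# so the example is deterministic. These are not real Ed25519 public keys.
ALICE_LINE = make_ed25519_pubkey_line(hashlib.sha256(b"alice-laptop").digest(), "alice@laptop")
BOB_LINE = make_ed25519_pubkey_line(hashlib.sha256(b"bob-desktop").digest(), "bob@desktop")
UNKNOWN_LINE = make_ed25519_pubkey_line(hashlib.sha256(b"nobody").digest(), "stranger")

# Hypothetical server-side registry, keyed by fingerprint the way a hosting
# service indexes uploaded keys; one user may own several keys.
FINGERPRINT_TO_USER = {
    fingerprint(parse_pubkey_line(ALICE_LINE)[1]): "alice",
    fingerprint(parse_pubkey_line(BOB_LINE)[1]): "bob",
}


def resolve_user(login_user: str, offered_key_line: str):
    """Emulate the lookup behind a shared 'git' account (hypothetical
    AuthorizedKeysCommand-style hook). The SSH login name carries no identity;
    only the key the client proved possession of decides who the user is."""
    if login_user != "git":
        return None  # only the shared account exists on the server
    try:
        _, blob = parse_pubkey_line(offered_key_line)
    except ValueError:
        return None
    return FINGERPRINT_TO_USER.get(fingerprint(blob))


if __name__ == "__main__":
    print(resolve_user("git", ALICE_LINE))    # alice
    print(resolve_user("git", BOB_LINE))      # bob
    print(resolve_user("git", UNKNOWN_LINE))  # None
```

Two points the code makes concrete: a client that connects as `alice@server` instead of `git@server` gets nothing, because the account name is not where identity lives, and the registry is a fingerprint-indexed map rather than a list to scan, so the cost of finding the matching key does not grow with the number of keys uploaded to the host. In a real deployment the resolved user would then be handed to a forced command that enforces per-repository permissions.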
Interesting breakdown, thank you.
Do you happen to know if the containerization is similar to docker containers? Or more like android apps?