Developers can't be trusted with SSH private keys. I'm stunned by how many times I've asked a developer to send their SSH public key only to see them dump their private keys on Slack, in a Pastebin, or in a Git commit or wherever.
It would be so much better if standard practice was to generate and store the private key on a smartcard or the TPM, so that the only file a clueless/careless developer could upload would be a stub.
It's too late to fix now, but that sounds like a file naming UX issue. If you type `cat ~/.ssh/id_` and hit tab, you'll see `id_rsa` first, which is the wrong one.
It really should be named `id_rsa.private` to help a busy developer realize they have the wrong file.
> It would be so much better if standard practice was to generate and store the private key on a smartcard or the TPM, so that the only file a clueless/careless developer could upload would be a stub.
Yep. Especially given that basically all modern laptops (and some PCs) ship with TPMs and ssh can use it via the TPM PKCS#11 lib. I'm using that daily on multiple machines and it's working great.
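The mix-up described in this thread, a private key pasted where a public key was asked for, can be caught mechanically before the text reaches a chat channel or a commit. The check below is an added example, not part of any comment here; `classify` and the helper names are hypothetical, and the sample strings are constructed (header fields only, no key material).

```python
import base64
import re
import struct

# PEM armor line used by OpenSSH, PKCS#1, SEC1 and PKCS#8 private keys.
PRIVATE_RE = re.compile(r"-----BEGIN ((?:OPENSSH|RSA|DSA|EC|ENCRYPTED) )?PRIVATE KEY-----")
# One-line public key: "<type> <base64 blob> [comment]".
PUBLIC_RE = re.compile(r"^((?:sk-)?(?:ssh|ecdsa)-[\w@.-]+) ([A-Za-z0-9+/=]+)", re.M)
MAGIC = b"openssh-key-v1\0"

def ssh_string(data):
    """Encode bytes as an SSH string: uint32 big-endian length, then data."""
    return struct.pack(">I", len(data)) + data

def read_ssh_string(buf, off=0):
    """Decode the SSH string that starts at offset off."""
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n]

def classify(text):
    """Return 'private-unencrypted', 'private-encrypted', 'private', 'public' or 'unknown'."""
    m = PRIVATE_RE.search(text)
    if m:
        if (m.group(1) or "").strip() == "OPENSSH":
            body = text[m.end():].split("-----END")[0]
            try:
                raw = base64.b64decode("".join(body.split()))
                if raw.startswith(MAGIC):
                    cipher = read_ssh_string(raw, len(MAGIC))  # first field: cipher name
                    return "private-unencrypted" if cipher == b"none" else "private-encrypted"
            except (ValueError, struct.error):
                pass
        return "private"
    m = PUBLIC_RE.search(text)
    if m:
        try:
            blob = base64.b64decode(m.group(2), validate=True)
            if read_ssh_string(blob) == m.group(1).encode():  # blob names its own type
                return "public"
        except (ValueError, struct.error):
            pass
    return "unknown"

# Constructed samples: header fields only, no real key material.
HDR = MAGIC + ssh_string(b"none") + ssh_string(b"none") + ssh_string(b"")
SAMPLE_PRIVATE = ("-----BEGIN OPENSSH PRIVATE KEY-----\n"
                  + base64.b64encode(HDR).decode() + "\n-----END OPENSSH PRIVATE KEY-----\n")
SAMPLE_PUBLIC = "ssh-ed25519 " + base64.b64encode(
    ssh_string(b"ssh-ed25519") + ssh_string(bytes(32))).decode() + " dev@example"
```

Wired into a pre-commit hook or a paste form, anything classified as `private*` is rejected and only `public` is accepted where a public key was requested.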