

How Not to copy your SSH private key to your servers - ax0n
http://www.google.com/search?q=site:pastebin.com+%22-----BEGIN+RSA+PRIVATE+KEY-----%22

======
andrewf
Why would people copy a private key around?

Generate the public/private pair on the client machine and the _public_ key is
the one you put on other machines to SSH into them.

~~~
th0ma5
if you want to set up seamless logins of an account to anywhere from anywhere,
you need to copy around both because any node could either be on the client or
server side of the challenge and response.

~~~
axod
Seems like that's a serious edge case. Most times (IMHO) you'd be going one
direction.

And if you do require both directions, you should generate separate keys on
each host and just exchange the public ones.

~~~
ax0n
You're absolutely correct, but it's actually pretty common to distribute that
public key all over hell and then start shuffling the private one around
between the ones you find yourself ssh-ing off of. At my last job, this
practice among wayward sysadmins caused me a lot of gnashing of teeth.

~~~
dedward
Wrong move though - really there should be one key per machine - and then ssh-
agent set up properly to take care of the intermediate machines so you can
bounce around. Using the same private key on multiple machines is just asking
for trouble when you need to revoke something...

~~~
ax0n
Oh, believe me, I know. That's why I said it caused me much gnashing of teeth.
SSH, particularly OpenSSH, is such a thing of beauty. It's a shame most sysads
that I've dealt with abuse it like it's rsh and telnet.

------
dfranke
The reason that the first hit has "penis" embedded in the base64 is that I
posted this to Reddit last night :-). I figured this sort of thing would be
old news for HN, but judging by this having gotten 8 points in 12 minutes I
guess I was wrong.

~~~
mixmax
Old news for the man that hacked Hacker news, but certainly not for mere
mortals like me :-)

<http://news.ycombinator.com/item?id=639976>

------
FlorinAndrei
Well, Twitter only allows 140 characters, so...

------
zokier
So whats the attack vector here? You have unknown users private key to a
unknown service. Of course you should keep your private keys private, but
exploiting this takes quite a stretch.

~~~
olefoo
Key oriented scanners exist, in fact they became wildly popular after the 2008
Debian openssh randomness debacle.

You should rekey your network on a regular schedule at least as often as you
change your passwords.

~~~
wmf
_at least as often as you change your passwords_

So, never?
[http://www.boston.com/bostonglobe/ideas/articles/2010/04/11/...](http://www.boston.com/bostonglobe/ideas/articles/2010/04/11/please_do_not_change_your_password/)

~~~
olefoo
I'd missed that story, it has a point, in that passwords are a very poor
solution to that problem. But, if you're going to use them, you should change
them regularly.

But you should write them down and keep them in a secure location. Just like
you keep a backup of your private keys...

------
javery
Or pastie.org if you prefer:

[http://www.google.com/search?hl=en&safe=off&q=site%3...](http://www.google.com/search?hl=en&safe=off&q=site%3Apastie.org+%22
-----BEGIN+RSA+PRIVATE+KEY-----%22)

~~~
ax0n
I caught this via a friend of mine, and I tried it without a site: search and
mostly came up with too much noise to signal in the results. I'd imagine that
a lot of "paste over the Internet" sites have this problem, and I'd bet SSH
keys aren't the only juicy bits you can find.

Another fun one to find Cisco VPN configuration files, many of which have an
encoded (reversible) password within:
[http://www.google.com/search?q=filetype%3Apcf+Main+Descripti...](http://www.google.com/search?q=filetype%3Apcf+Main+Description)

 _headdesk_

------
stcredzero
Techies almost always consider themselves quite smart. However, a big fraction
of them are _egregiously_ ignorant of important technical matters. Security
has always been a problem area as far as this goes.

(OO and compiler/language implementation are two more!)

This would be a good topic for interviews!

------
stse
Like with the whole "sniffing tor exit nodes" thing [1], you do wonder if it's
actually the original owners who fails to protect their data, or if it's
someone else [2].

[1] [http://arstechnica.com/security/news/2007/09/security-
expert...](http://arstechnica.com/security/news/2007/09/security-expert-used-
tor-to-collect-government-e-mail-passwords.ars) [2]
<http://pastebin.com/f4b10cc33>

------
romland
Oh wow. That made me laugh as it caught me a bit by surprise since I expected
yet another security blog.

Nice find and nice tip, I must say. :)

~~~
ax0n
Hey now! What's wrong with security blogs? :P

Security (both physical and infosec) is one of my biggest passions, and I've
been writing about it for plenty longer than a decade. Granted, for the first
several years, it was a pile of .txt files in an "e-Zine" but still...

~~~
pyre
I don't think that he thought there was anything wrong with it. He was
expecting a write-up of 'what not to do,' but instead got Google search
results for the Darwin awards, so he laughed.

------
hoop
What? Pastebin and the Google cache is a perfectly legitimate backup strategy!

------
njharman
Why would you use anything other than scp?

~~~
brazzy
Because you're still in the process of _setting up_ an actually secure SSH in
the first place?

If you're serious about security, scp is not secure (open to man-in-the-middle
attacks) until you've transferred keys via some other channel or use a PKI
that you actually pay attention to.

~~~
jsn
Say what? scp is perfectly secure (not open to man-in-the-middle attack)
without transferring any keys or using any PKI. scp (just like ssh) asks you
to verify remote key fingerprint on first connect.

~~~
mbreese
This only works if you _know_ the remote key fingerprint in the first place.
If you're setting up new servers, it could potentially be compromised.

But that is being ultra-paranoid in my book.

~~~
adamtj
If you're setting up a new server, you either have physical access and can use
a keyboard and monitor to look it up, or it's hosted by people you are paying
to do such things as tell you the key fingerprint.

~~~
wortiz
Just to be clear mbreese is talking about if you have just set up a new server
like a vps and when you first ssh/scp to the server you accept a compromised
key such as through a MITM attack but as he said this is highly unlikely to
occur.

~~~
fragmede
I setup a VPS on Linode, and they actually added the SSH RSA/DSA key for the
'admin console' login (Lish) when I asked about it on IRC. So, for first-time
setup, you can lookup _that_ key, then from there, lookup the system key
itself. This avoids a compromised key, at least from you to Linode.

Hopefully Linode doesn't have any internal gremlins.

Of course, the weak point there is SSL where the keys themselves are
transmitted, but it did well to quell my paranoia.

------
mgrouchy
even gist.github.com

[http://www.google.com/search?hl=en&safe=off&q=site:g...](http://www.google.com/search?hl=en&safe=off&q=site:gist.github.com+-----BEGIN+RSA+PRIVATE+KEY-----&aq=f&aqi=&aql=&oq=&gs_rfai=)

only a few actual hits in there.

------
crad
Not that you'd want to do so, but if you're inclined to use a pastebin for
such things, I have <https://privatepaste.com> which does not expose pastes to
indexing unless specifically requested in the vhost configuration.

~~~
vog
That's a nice service, but it is still no option for transferring private
keys.

~~~
stcredzero
Indeed. Why would anyone trust a 3rd party website with the private key?

------
chuhnk
I burst out laughing after clicking that. I feel bad for those people.

~~~
dschobel
It's particularly funny because on the one hand, these people are doing
something of non-trivial technical sophistication, and on the other, they have
zero understanding of what they're trying to accomplish.

------
csmeder
I am confused, how did these keys get put on paste bin? Did people place it on
paste bin thinking each paste is private?

------
jeffreyg
check out Johnny Long's Google Hacking Database, full of examples like this
<http://johnny.ihackstuff.com/ghdb/>

------
dschobel
I think I just heard tptacek's head explode.

~~~
djcapelis
Really? I think I just heard his bank account increment.

------
c4urself
lol, funny to see people who are presumably knowledgeable about internet
completely forgetting about security

------
sswam
This would be people posting their private key by mistake when someone asked
for their public key to put in an authorized_keys file. Hopefully the geek on
the other end told them "WTF go burn your key and start again".

~~~
sswam
I know, because I run a free shell server and I used to ask people to provide
public keys, maybe 1/20 would send me the private key instead.

------
pykler
Dumbos, all those keys aren't even encrypted. Some people should not be
allowed to use a computer.

------
oscardelben
google is often used by script kiddies to find common vulnerabilities in
websites.

~~~
wendroid
really ? gosh, that is news

~~~
oscardelben
So what is the news in the case of the link posted by the op?

------
csx
that are all on pastebin, not on "your server". so these are all worthless
keys anybody can generate in a second on a linux box. thats not news.

