
Private keys committed to Github repositories - truxs
https://github.com/search?q=path%3A.ssh%2Fid_rsa&type=Code&ref=searchresults
======
aaronpk
No, this is people committing their private keys to a Github repository.
Github is not at fault.

edit: submitter has since updated the title, was: "Github giving away your
private key"

~~~
pnathan
Seriously.

It looks like people have added their private keys to (public!!!) repos, and
voila, a search allows others to find that.

~~~
dhimes
I had a dev send me his. I guess he doesn't understand the whole key-thing.

Now he doesn't log in to my server. Just sends me a zip-file that I unpack and
test. sigh.

~~~
dhimes
On re-reading, I need to clarify: I asked a dev for his public key so I could
give him access to my server, and he sent me his private key. Yikes!

------
femto113
Definitely a "you did what?" situation but probably still newsworthy since the
new search tool makes the user's error easier to exploit and the publicity
about the tool will make it more likely that someone will exploit it.

------
nodesocket
Here is how to check if you ever committed your private SSH key by accident:

    
    
        https://github.com/search?q=%40user-name-here+path%3A.ssh%2Fid_rsa&type=Code&ref=searchresults

------
NathanKP
Many of the items on that list are actually public keys, which should be
perfectly safe to share to the world in a Git repo, but there are definitely a
few private keys in there as well.

~~~
taproot
And most of which are "demo app" or "assignment app" or some kind of testing
/demo use key in an application that deals with ssh in its processes. There
also isn't any apps above 100forks, so nothing widespread to worry about. (add
forks:>100)

Reminds me of google hacking: www.hackersforcharity.org/ghdb/ (which is way
more fun)

------
kalmar
Not just github:
[https://www.google.com/search?q=site%3Agithub.com+inurl%3Aid...](https://www.google.com/search?q=site%3Agithub.com+inurl%3Aid_rsa)

------
orangethirty
I hope people take the high road here and dont make an example out of github
members. People make mistakes. You dont need to delete their repo to show
them. A friendly email will do.

Also Github, provide an option to protect those who are less security savy.

------
rbut
Don't forget id_dsa as well.
[https://github.com/search?q=path%3A.ssh%2Fid_dsa&type=Co...](https://github.com/search?q=path%3A.ssh%2Fid_dsa&type=Code&ref=searchresults)

------
guptaneil
.ssh should probably be on a default .gitignore list, along with .DS_Store

------
kbar13
for those saying that github or git should have a default rule preventing
private keys from being committed, I say:

lolwat?

private keys are private. these people -know- that they are pushing a git repo
to a very public site. as such, they should recognize that * is going to be
visible in their dotfiles repo. it's not git or github's fault that users are
doin it wrong!

~~~
guptaneil
That's terrible logic, akin to Apple's "the iPhone 4 isn't defective, you're
just holding it wrong." If a product is confusing your users, you should
improve the UX to increase its usability.

Adding a default .gitignore file with some sensible defaults has no negative
trade offs. If you really do want to commit your .ssh folder, just remove that
line from your .gitignore.

I will admit that adding .DS_Store, while convenient, might be impractical
since git is meant to be platform agnostic, and they probably don't want to
start adding all sorts of platform-specific files.

~~~
loucal
wait so your saying github should stick a default .gitignore file in there and
bloat it just for the extremely rare case that a user commits and pushes their
entire home folder?

Even more rare than that is the user being dumb enough to not consider all
files in the home directory before pushing to a public site. I'm sorry but I
definitely agree more with the other guy's logic than yours.

You say it has no negative tradeoffs? I say besides changing the whole game
(as of right now github does not subject me to a single line of opinionated
code) some projects are meant to be small. Sure you can just take out the
github .gitignore but thats an extra step. I'm really tired of the stance that
we should make development so easy even someone who refuses to RTFM can do it.
I'm all against re-inventing the wheel, but dumbing things down like that is
not something I can get behind.

~~~
guptaneil
I don't know about you, but I've never had a git repo that didn't have a
.gitignore file. Having one automatically would make me do one less step.

This doesn't dumb down programming. It improves UX for everybody, while also
improving security for beginners. Why does GitHub offer to autogenerate a
readme file? Because it's convenient. That doesn't dumb down programming for
anybody.

~~~
loucal
Correct, but having a line that ignores .ssh is bloat in 99.99% of cases.

The key word in your second point is 'offer'. If they were to protect these
keys from being pushed they would have to interfere with your first push and
add a line to your .gitignore, which you would then have to remove EVERY
TIME... if your a developer I don't know how at this point your not like "eh,
actually I don't really feel like doing that in every project, that would be
annoying".

I would also argue that allowing newbs to become developers without realizing
that they are ignoring private key files inside their git repo is just
allowing them to continue on to become developers who are not security
conscious. You could of course argue back that having to take .ssh/ out of
your .gitignore for every project you do hammers the point home for everyone,
and it sure would! I don't believe most of us need that, and if that is your
idea of improved UX then please don't ever work with me ;) (I'm j/k about that
by the way, tabule looks pretty nice and this is all just my opinion, please
don't take it personally. I would welcome an opportunity to work with you...
just don't go adding .ssh/ in my .gitignore!! :P)

~~~
guptaneil
Well, my line of thinking was that having a .ssh line in .gitignore does no
harm, so I didn't consider it bloat. You could just leave it in there and it
would make no difference, so it could just be completely ignored in most
projects. At the same time, you would get a .gitignore file created for you,
removing one of the steps you have to do now.

However, I agree with your point that allowing new devs to keep making this
mistake and just shielding them from it is a bad idea. With that in mind, it
might be nicer if GitHub checked for .ssh files on commit and showed a warning
within the web app, letting you know what you did wrong.

------
2468ben
Can someone just write a script that crawls this page for updates, then sends
the users an email telling them what they did?

------
troyjfarrell
It's actually very handy to keep your private keys in a VCS (along with other
dotfiles.) I keep mine in a private repository. I don't worry about it because
all my private keys are encrypted with strong passphrases.

------
squeed
My favorite: searching for typos.

[https://github.com/search?q=legnth&p=1&ref=searchbar...](https://github.com/search?q=legnth&p=1&ref=searchbar&type=Code&l=)

------
X-Istence
Github is serving up private keys for those that added them to a git
repository. I was wondering how they would be giving away my private key ...
without me giving it to them.

------
rcthompson
I wonder if there's a case for a default pre-commit hook that greps for
anything secret-looking such as ssh private keys, gpg keys, etc. and bails if
it detects any.

------
bradfa
More than half those results are public keys. It's not as bad as first
impressions would indicate.

------
chadscira
I knew this was going to happen, i'm sure other goodies will be found too.

~~~
a_bonobo
Lots of people still push their Rails secret_token.rb to their GitHub-account:
[https://www.google.com.au/search?q=secret_token.rb+site%3Agi...](https://www.google.com.au/search?q=secret_token.rb+site%3Agithub.com&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:en-
US:unofficial&client=firefox-a)

But there is a certain probability that the token on the GitHub-page is not
identical to the production site's token.

(afaik, the token is digested with the user's ID and stored in the user's
cookie so a user cannot change his ID while he's signed in - knowledge of the
token can let you change your ID to whatever you like)

------
BuzzKilla1960
Finally a github search that works!!!!

------
DrJ
author should grep -v pub from the keys list.

