Hacker News new | past | comments | ask | show | jobs | submit login
Private keys committed to Github repositories (github.com/search)
27 points by truxs on Jan 23, 2013 | hide | past | favorite | 30 comments

No, this is people committing their private keys to a Github repository. Github is not at fault.

edit: submitter has since updated the title, was: "Github giving away your private key"


It looks like people have added their private keys to (public!!!) repos, and voila, a search allows others to find that.

I had a dev send me his. I guess he doesn't understand the whole key-thing.

Now he doesn't log in to my server. Just sends me a zip-file that I unpack and test. sigh.

On re-reading, I need to clarify: I asked a dev for his public key so I could give him access to my server, and he sent me his private key. Yikes!

I would say it's shared responsability. Yes commiting private data is stupid, and the other hand, just testing the new sesarch by trying to search for rsa key could Have Avoided this.

Anyway, as usual the main problem exist between the chair and the keyboard.

You could find these on Google (site:github.com id_rsa) before Github search, so I guess that Github search caused zero net harm.

Definitely a "you did what?" situation but probably still newsworthy since the new search tool makes the user's error easier to exploit and the publicity about the tool will make it more likely that someone will exploit it.

Here is how to check if you ever committed your private SSH key by accident:


Many of the items on that list are actually public keys, which should be perfectly safe to share to the world in a Git repo, but there are definitely a few private keys in there as well.

And most of which are "demo app" or "assignment app" or some kind of testing /demo use key in an application that deals with ssh in its processes. There also isn't any apps above 100forks, so nothing widespread to worry about. (add forks:>100)

Reminds me of google hacking: www.hackersforcharity.org/ghdb/ (which is way more fun)

I hope people take the high road here and dont make an example out of github members. People make mistakes. You dont need to delete their repo to show them. A friendly email will do.

Also Github, provide an option to protect those who are less security savy.

.ssh should probably be on a default .gitignore list, along with .DS_Store

for those saying that github or git should have a default rule preventing private keys from being committed, I say:


private keys are private. these people -know- that they are pushing a git repo to a very public site. as such, they should recognize that * is going to be visible in their dotfiles repo. it's not git or github's fault that users are doin it wrong!

That's terrible logic, akin to Apple's "the iPhone 4 isn't defective, you're just holding it wrong." If a product is confusing your users, you should improve the UX to increase its usability.

Adding a default .gitignore file with some sensible defaults has no negative trade offs. If you really do want to commit your .ssh folder, just remove that line from your .gitignore.

I will admit that adding .DS_Store, while convenient, might be impractical since git is meant to be platform agnostic, and they probably don't want to start adding all sorts of platform-specific files.

wait so your saying github should stick a default .gitignore file in there and bloat it just for the extremely rare case that a user commits and pushes their entire home folder?

Even more rare than that is the user being dumb enough to not consider all files in the home directory before pushing to a public site. I'm sorry but I definitely agree more with the other guy's logic than yours.

You say it has no negative tradeoffs? I say besides changing the whole game (as of right now github does not subject me to a single line of opinionated code) some projects are meant to be small. Sure you can just take out the github .gitignore but thats an extra step. I'm really tired of the stance that we should make development so easy even someone who refuses to RTFM can do it. I'm all against re-inventing the wheel, but dumbing things down like that is not something I can get behind.

I don't know about you, but I've never had a git repo that didn't have a .gitignore file. Having one automatically would make me do one less step.

This doesn't dumb down programming. It improves UX for everybody, while also improving security for beginners. Why does GitHub offer to autogenerate a readme file? Because it's convenient. That doesn't dumb down programming for anybody.

Correct, but having a line that ignores .ssh is bloat in 99.99% of cases.

The key word in your second point is 'offer'. If they were to protect these keys from being pushed they would have to interfere with your first push and add a line to your .gitignore, which you would then have to remove EVERY TIME... if your a developer I don't know how at this point your not like "eh, actually I don't really feel like doing that in every project, that would be annoying".

I would also argue that allowing newbs to become developers without realizing that they are ignoring private key files inside their git repo is just allowing them to continue on to become developers who are not security conscious. You could of course argue back that having to take .ssh/ out of your .gitignore for every project you do hammers the point home for everyone, and it sure would! I don't believe most of us need that, and if that is your idea of improved UX then please don't ever work with me ;) (I'm j/k about that by the way, tabule looks pretty nice and this is all just my opinion, please don't take it personally. I would welcome an opportunity to work with you... just don't go adding .ssh/ in my .gitignore!! :P)

Well, my line of thinking was that having a .ssh line in .gitignore does no harm, so I didn't consider it bloat. You could just leave it in there and it would make no difference, so it could just be completely ignored in most projects. At the same time, you would get a .gitignore file created for you, removing one of the steps you have to do now.

However, I agree with your point that allowing new devs to keep making this mistake and just shielding them from it is a bad idea. With that in mind, it might be nicer if GitHub checked for .ssh files on commit and showed a warning within the web app, letting you know what you did wrong.

Can someone just write a script that crawls this page for updates, then sends the users an email telling them what they did?

It's actually very handy to keep your private keys in a VCS (along with other dotfiles.) I keep mine in a private repository. I don't worry about it because all my private keys are encrypted with strong passphrases.

Github is serving up private keys for those that added them to a git repository. I was wondering how they would be giving away my private key ... without me giving it to them.

I wonder if there's a case for a default pre-commit hook that greps for anything secret-looking such as ssh private keys, gpg keys, etc. and bails if it detects any.

More than half those results are public keys. It's not as bad as first impressions would indicate.

I knew this was going to happen, i'm sure other goodies will be found too.

Lots of people still push their Rails secret_token.rb to their GitHub-account: https://www.google.com.au/search?q=secret_token.rb+site%3Agi...

But there is a certain probability that the token on the GitHub-page is not identical to the production site's token.

(afaik, the token is digested with the user's ID and stored in the user's cookie so a user cannot change his ID while he's signed in - knowledge of the token can let you change your ID to whatever you like)

Finally a github search that works!!!!

author should grep -v pub from the keys list.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact