SSH Keys on GitHub (opens in new tab)

(github.com)

98 pointsMichaelTieso10y ago44 comments

44 comments

Personal favourite https://github.com/valeriangalliat/dotfiles/blob/b227cf9b252...

I feel like this gets posted every other month or so. I appreciate the awareness, but it doesn't seem like there's much new discussion or debate to have on the matter: folks continue to be a bit more careless with credentials than they ought to be / don't think about what pushing something to a public site means / etc, it would rock if GitHub was more proactive about messaging affected users, it sucks that it's hard to safeguard against this via technical means.

If anything, I'd love to see somebody do a blog post instead about how they started scraping these results and/or the commit data firehose and messaging users who posted credentials

herge10y ago

Wasn't that the point of lulzsec?

peterwwillis10y ago

Ian Paul of PC World wrote that, "As its name suggests, LulzSec claims to be interested in mocking and embarrassing companies by exposing security flaws rather than stealing data for criminal purposes."[16] -- https://en.wikipedia.org/wiki/LulzSec

__abc10y ago

You want to be arrested as a "cyber terrorist"? Because that's how you get arrested as a "cyber terrorist" :)

mosburger10y ago

Hmmph. I just found a bunch of free AWS keys by searching for amazon.yml, too.

What is the best way to share things like API keys among a team of developers, anyway? I'm surprised this hasn't been solved already (perhaps it has and I just don't know about it). I know you can share passwords with tools like LastPass and 1Password, and I suppose you could use those for API keys as well?

It'd be nice if you could, e.g., include a gem in a Rails project, get a single key/password/token from one of the team members on that project, and use that w/ a third party API to set all the requisite API keys for all the third party services used on a project. You could also rotate the master password when team members leave the group.

Nacraile10y ago

FWIW, Amazon proactively scans GitHub for AWS key leaks, notifies the account holder, and flags the account (they will disable the account if they start seeing active abuse and can't get in touch with the actual owner to get keys rotated). So any keys you find are going to get invalidated in short order.

They're also pretty good about forgiving the charges for the fraudulent use.

> What is the best way to share things like API keys among a team of developers, anyway? I'm surprised this hasn't been solved already (perhaps it has and I just don't know about it). I know you can share passwords with tools like LastPass and 1Password, and I suppose you could use those for API keys as well?

Here, we have an IAM account for each dev. Permissions are basically read anything except a few sensitive things (billing, IAM), plus the write permissions we need as operators. We each have our own console login password, and keep our own access keys locally. It's pretty easy to add/remove accounts for new/departing devs, and the potential to individualize permissions is there.

Couto10y ago

I'm not sure if there are other ways, better or not... but blackbox[1] can be used to store secrets.

And it might be possible to achieve some success with git filters[2], at least to avoid pushing secrets into the repository.

Still... just my two cents, I'm not exactly a pro-user of those two features

[1](https://github.com/StackExchange/blackbox)

[2](https://stackoverflow.com/questions/6557467/can-git-ignore-a...)

michaelmior10y ago

If you decide to take the git filters approach, git-crypt[0] is a good choice.

[0] https://github.com/AGWA/git-crypt

tg310y ago

I worked on a project called Spore (http://spore.sh) to do this with a command-line tool. It works fairly well, although I've had a hard time communicating how it works to folks.

adelevie10y ago

I like https://fugacio.us/ a lot.

admiun10y ago

Like passwords, sharing API keys is usually a bad thing. For some sites it is overkill or simply not possible but for something like AWS there is no excuse not to make individual IAM users with their own passwords and keys.

idunno24610y ago

for AWS...dont use access tokens/secrets, and just use instance profiles(theres a few mock metadata service projects). For other things, theres a bunch of services like hashicorp's vault or amazon kms that store passwords. kms + instance roles gets you fairly close, but its not really friendly to set up

daenney10y ago

I see your SSH keys and raise you a .netrc: https://github.com/search?p=1&q=filename%3Anetrc&ref=searchr...

bagels10y ago

Does Github have a responsibility to help people out with this kind of thing? What do you all think?

nodesocket10y ago

Responsibility? No, why would they. But.... I think it would be a great feature for GitHub to passively scan repos and look for common security oversights. They could then just send an e-mail notification about the issue.

grhmc10y ago

No. There are valid cases to upload SSH keys and other certificates or secrets. Preventing it would be annoying, and near impossible to be very effective.

Just my $0.02.

jethro_tell10y ago

I agree with you, but I can't imagine a use case for a secret that's not secret.

3 more replies

jvoorhis10y ago

Certificates are not secrets.

stephenhuey10y ago

Amazon does help with it. A friend of mine recently went through a newbie programmer class and forgot the teacher instructed them to keep their AWS SSH keys out of their repo and within a 20-hour period someone racked up tens of thousands of dollars in EC2 charges! Amazon kindly refunded the entire bill.

nightmiles10y ago

It would be really cool if Github let users know when they are about to do something that is almost certainly a horrible mistake. However, is it their responsibility to stop them? I hope not. They provide a service that does exactly what it says on the box. Github shouldn't be obligated to prevent people from committing files that are otherwise valid and legal.

A better question would be: Could Github be successfully found liable for other users leaving their own keys in a public repository?

ams611010y ago

No, once they start screening content they take on liability. I'm surprised they've done as much as they have e.g. with the "retarded" controversy.

0x010y ago

I think it would be very useful for repositories to have a default server-side push hook that scans for the most common mistakes, rejecting the push while printing an URL to a page explaining what's going on and with a checkbox for opting out on the check for future pushes to that repo.

sluzorz10y ago

I don't think they remove it. I do believe that they send an automated email if they detect private keys from being committed to a public repo though. Amazon does something similar to this and they even revoke the key if they see that its public.

jnevill10y ago

You can search out private GPG keys as well, which is crazy-bananas. https://github.com/search?utf8=%E2%9C%93&q=filename%3Aasc+BE...

Kenji10y ago

So much for no forward secrecy :D

avinassh10y ago

And if you want to get the public key also:

https://github.com/<username>.keys

ex.: https://github.com/avinassh.keys

bradleyland10y ago

No need. You can recover the public key from a private key using ssh-keygen's 'y' option:

-y This option will read a private OpenSSH format file and print an OpenSSH public key to stdout.

For example:

ssh-keygen -y -f id_rsa > id_rsa.pub

geographomics10y ago

Looks like they've blocked it now. Searching via Google still works though: https://www.google.com/search?q=site%3Agithub.com+inurl%3Aid...

eykanal10y ago

Not entirely, do the same search and only subset on "text" type (not Javascript, C++, PHP...). I was able to browse through quite a few id_rsa files.

peterwwillis10y ago

id_rsa is being blocked right now, but id_dsa and id_ecdsa still work.

iamroot10y ago

adding wildcards works as well, eg: id_rsa?

orbjuice10y ago

They have blocked the search for private keys (id_rsa) but they still need to block the search for public keys (id_rsa.pub); they're usually stored together anyway. I just did this search.

netik10y ago

I don't think they've blocked it. I can still search on id_rsa without issue.

However, The majority of the keys I'm seeing are either encrypted, test fixtures, or otherwise. There are many unencrypted keys available, though!

It's still surprising that people continue to check in private keys. No one learns.

H2CO310y ago

Update: This is no longer working: https://imgur.com/uT1fCRT

iamroot10y ago

adding wildcards works, eg: id_rsa?

allworknoplay10y ago

This is matching both "id" and "rsa" individually as well, so not all results are actually files with id_rsa in the name.

Example: https://github.com/search?utf8=%E2%9C%93&q=filename%3Aid_rsa...

adelevie10y ago

I'd love to see an open source project around scanning the GitHub API and subscribing to alerts for your org's repos.

xiata10y ago

People always forget about the other keys...

filename:id_ed25519 filename:id_rsa filename:id_dsa filename:id_ecdsa

j / k navigate · click thread line to collapse

44 comments

Guyag10y ago

Personal favourite https://github.com/valeriangalliat/dotfiles/blob/b227cf9b252...

akerl_10y ago

If anything, I'd love to see somebody do a blog post instead about how they started scraping these results and/or the commit data firehose and messaging users who posted credentials

herge10y ago

Wasn't that the point of lulzsec?

peterwwillis10y ago

__abc10y ago

You want to be arrested as a "cyber terrorist"? Because that's how you get arrested as a "cyber terrorist" :)

mosburger10y ago

Hmmph. I just found a bunch of free AWS keys by searching for amazon.yml, too.

Nacraile10y ago

They're also pretty good about forgiving the charges for the fraudulent use.

Couto10y ago

I'm not sure if there are other ways, better or not... but blackbox[1] can be used to store secrets.

And it might be possible to achieve some success with git filters[2], at least to avoid pushing secrets into the repository.

Still... just my two cents, I'm not exactly a pro-user of those two features

[1](https://github.com/StackExchange/blackbox)

[2](https://stackoverflow.com/questions/6557467/can-git-ignore-a...)

michaelmior10y ago

If you decide to take the git filters approach, git-crypt[0] is a good choice.

[0] https://github.com/AGWA/git-crypt

tg310y ago

I worked on a project called Spore (http://spore.sh) to do this with a command-line tool. It works fairly well, although I've had a hard time communicating how it works to folks.

adelevie10y ago

I like https://fugacio.us/ a lot.

admiun10y ago

idunno24610y ago

daenney10y ago

I see your SSH keys and raise you a .netrc: https://github.com/search?p=1&q=filename%3Anetrc&ref=searchr...

bagels10y ago

Does Github have a responsibility to help people out with this kind of thing? What do you all think?

nodesocket10y ago

grhmc10y ago

No. There are valid cases to upload SSH keys and other certificates or secrets. Preventing it would be annoying, and near impossible to be very effective.

Just my $0.02.

jethro_tell10y ago

I agree with you, but I can't imagine a use case for a secret that's not secret.

3 more replies

jvoorhis10y ago

Certificates are not secrets.

stephenhuey10y ago

nightmiles10y ago

A better question would be: Could Github be successfully found liable for other users leaving their own keys in a public repository?

ams611010y ago

No, once they start screening content they take on liability. I'm surprised they've done as much as they have e.g. with the "retarded" controversy.

0x010y ago

sluzorz10y ago

jnevill10y ago

You can search out private GPG keys as well, which is crazy-bananas. https://github.com/search?utf8=%E2%9C%93&q=filename%3Aasc+BE...

Kenji10y ago

So much for no forward secrecy :D

avinassh10y ago

And if you want to get the public key also:

https://github.com/<username>.keys

ex.: https://github.com/avinassh.keys

bradleyland10y ago

No need. You can recover the public key from a private key using ssh-keygen's 'y' option:

-y This option will read a private OpenSSH format file and print an OpenSSH public key to stdout.

For example:

ssh-keygen -y -f id_rsa > id_rsa.pub

geographomics10y ago

Looks like they've blocked it now. Searching via Google still works though: https://www.google.com/search?q=site%3Agithub.com+inurl%3Aid...

eykanal10y ago

Not entirely, do the same search and only subset on "text" type (not Javascript, C++, PHP...). I was able to browse through quite a few id_rsa files.

peterwwillis10y ago

id_rsa is being blocked right now, but id_dsa and id_ecdsa still work.

iamroot10y ago

adding wildcards works as well, eg: id_rsa?

orbjuice10y ago

They have blocked the search for private keys (id_rsa) but they still need to block the search for public keys (id_rsa.pub); they're usually stored together anyway. I just did this search.

netik10y ago

I don't think they've blocked it. I can still search on id_rsa without issue.

However, The majority of the keys I'm seeing are either encrypted, test fixtures, or otherwise. There are many unencrypted keys available, though!

It's still surprising that people continue to check in private keys. No one learns.

H2CO310y ago

Update: This is no longer working: https://imgur.com/uT1fCRT

iamroot10y ago

adding wildcards works, eg: id_rsa?

allworknoplay10y ago

This is matching both "id" and "rsa" individually as well, so not all results are actually files with id_rsa in the name.

Example: https://github.com/search?utf8=%E2%9C%93&q=filename%3Aid_rsa...

adelevie10y ago

I'd love to see an open source project around scanning the GitHub API and subscribing to alerts for your org's repos.

xiata10y ago

People always forget about the other keys...

filename:id_ed25519 filename:id_rsa filename:id_dsa filename:id_ecdsa

j / k navigate · click thread line to collapse