24 comments

[ 3.0 ms ] story [ 68.4 ms ] thread
It'd be a useful feature for github and bitbucket to have a default pre-commit that scans for probably-sensitive files and reject commits like that (maybe with a repo setting to opt out on the website, if you think you know what you're doing)

edit: In fact, they should probably run a full search for such files now and email a heads-up to users with repos that produce hits.

They might think of that as crossing a line - from just hosting and enabling you to do what you want to do to actually telling you what you want to do.
This is a big WTF moment for me. There are a ton of private keys here. I don't even know what else to say.
I almost can't believe someone would commit their .ssh directory to a public GitHub repo.

Seriously - why? Your public key, sure, but the entire directory?

The thing that kicks my ass is that the people who did this are pulling in 6 figures for their job. And they suck.
I purpose a corollary to Hanlon's razor: Never attribute to stupidity that which is adequately explained by ignorance?
ignorance is almost always the explanation
The authorized_keys and known_hosts are nice to be able to share across machines.

But of course you also want to be real careful about authenticating them (a signed tag in Git can serve that purpose).

In all likelihood, these are NOT the user's private SSH keys, but a key generated for the service that the user is developing - such as a key to run backups and issue remote commands. Thus I can well see that the key could be committed as part of an application stack.
We need a cross reference between this and Facebook graph search. For science.

(I flagged, also, because this should be told to the guys at Github, not out in the open.)

Oh, and of course, Google indexes them. Fantastic.

I shot github an email when the feature was first released their stance is that what is out in public, is out in public.
How exactly does this happen? I can understand that some people don't understand the need to keep their private key offline, but I would have thought those people aren't really aware of the existence of the private key...so how does it end up in a github repo?

    $ git add .ssh
    $ git commit
It's probably more like:

   $ git add .
   $ git commit

  # git add /
  # git commit -m 'omg im on the internet'
Yes but what is that key doing anywhere near the repository anyway?
(comment deleted)
(comment deleted)
It would be interesting to find out what % are password-protected.
(comment deleted)