科技回声

13 条评论

Guyag将近 10 年前

Personal favourite <a href="https://github.com/valeriangalliat/dotfiles/blob/b227cf9b252f3c8c43a776bc20e1f1b5d0acfc13/src/ssh/id_rsa" rel="nofollow">https://github.com/valeriangalliat/dotfiles/blob/b227cf9b252...</a>

akerl_将近 10 年前

I feel like this gets posted every other month or so. I appreciate the awareness, but it doesn't seem like there's much new discussion or debate to have on the matter: folks continue to be a bit more careless with credentials than they ought to be / don't think about what pushing something to a public site means / etc, it would rock if GitHub was more proactive about messaging affected users, it sucks that it's hard to safeguard against this via technical means.If anything, I'd love to see somebody do a blog post instead about how they started scraping these results and/or the commit data firehose and messaging users who posted credentials

评论 #10080827 未加载

评论 #10080453 未加载

mosburger将近 10 年前

Hmmph. I just found a bunch of free AWS keys by searching for amazon.yml, too.What is the best way to share things like API keys among a team of developers, anyway? I'm surprised this hasn't been solved already (perhaps it has and I just don't know about it). I know you can share passwords with tools like LastPass and 1Password, and I suppose you could use those for API keys as well?It'd be nice if you could, e.g., include a gem in a Rails project, get a single key/password/token from one of the team members on that project, and use that w/ a third party API to set all the requisite API keys for all the third party services used on a project. You could also rotate the master password when team members leave the group.

评论 #10080983 未加载

评论 #10081061 未加载

评论 #10081099 未加载

评论 #10081093 未加载

评论 #10081065 未加载

评论 #10080949 未加载

daenney将近 10 年前

I see your SSH keys and raise you a .netrc: <a href="https://github.com/search?p=1&q=filename%3Anetrc&ref=searchresults&type=Code&utf8=" rel="nofollow">https://github.com/search?p=1&q=filename%3Anetrc&ref=searchr...</a>

bagels将近 10 年前

Does Github have a responsibility to help people out with this kind of thing? What do you all think?

评论 #10080207 未加载

评论 #10079892 未加载

评论 #10079921 未加载

评论 #10080078 未加载

评论 #10080548 未加载

评论 #10081221 未加载

评论 #10079916 未加载

jnevill将近 10 年前

You can search out private GPG keys as well, which is crazy-bananas. <a href="https://github.com/search?utf8=%E2%9C%93&q=filename%3Aasc+BEGIN+PGP+PRIVATE+KEY+BLOCK&type=Code&ref=searchresults" rel="nofollow">https://github.com/search?utf8=%E2%9C%93&q=filename%3Aasc+BE...</a>

评论 #10080537 未加载

avinassh将近 10 年前

And if you want to get the public key also:<a href="https://github.com/<username>.keys" rel="nofollow">https://github.com/<username>.keys</a>ex.: <a href="https://github.com/avinassh.keys" rel="nofollow">https://github.com/avinassh.keys</a>

评论 #10088654 未加载

geographomics将近 10 年前

Looks like they've blocked it now. Searching via Google still works though: <a href="https://www.google.com/search?q=site%3Agithub.com+inurl%3Aid_rsa" rel="nofollow">https://www.google.com/search?q=site%3Agithub.com+inurl%3Aid...</a>

评论 #10081089 未加载

评论 #10080994 未加载

orbjuice将近 10 年前

They have blocked the search for private keys (id_rsa) but they still need to block the search for public keys (id_rsa.pub); they're usually stored together anyway. I just did this search.

评论 #10080919 未加载

H2CO3将近 10 年前

Update: This is no longer working: <a href="https://imgur.com/uT1fCRT" rel="nofollow">https://imgur.com/uT1fCRT</a>

评论 #10081602 未加载

allworknoplay将近 10 年前

This is matching both "id" and "rsa" individually as well, so not all results are actually files with id_rsa in the name.Example: <a href="https://github.com/search?utf8=%E2%9C%93&q=filename%3Aid_rsa+whatever&type=Code&ref=searchresults" rel="nofollow">https://github.com/search?utf8=%E2%9C%93&q=filename%3Aid_rsa...</a>

adelevie将近 10 年前

I'd love to see an open source project around scanning the GitHub API and subscribing to alerts for your org's repos.

xiata将近 10 年前

People always forget about the other keys...filename:id_ed25519 filename:id_rsa filename:id_dsa filename:id_ecdsa

13 条评论

Guyag将近 10 年前

akerl_将近 10 年前

评论 #10080827 未加载

评论 #10080453 未加载

mosburger将近 10 年前

评论 #10080983 未加载

评论 #10081061 未加载

评论 #10081099 未加载

评论 #10081093 未加载

评论 #10081065 未加载

评论 #10080949 未加载

daenney将近 10 年前

bagels将近 10 年前

Does Github have a responsibility to help people out with this kind of thing? What do you all think?

评论 #10080207 未加载

评论 #10079892 未加载

评论 #10079921 未加载

评论 #10080078 未加载

评论 #10080548 未加载

评论 #10081221 未加载

评论 #10079916 未加载

jnevill将近 10 年前

评论 #10080537 未加载

avinassh将近 10 年前

评论 #10088654 未加载

geographomics将近 10 年前

评论 #10081089 未加载

评论 #10080994 未加载

orbjuice将近 10 年前

They have blocked the search for private keys (id_rsa) but they still need to block the search for public keys (id_rsa.pub); they're usually stored together anyway. I just did this search.

评论 #10080919 未加载

H2CO3将近 10 年前

Update: This is no longer working: <a href="https://imgur.com/uT1fCRT" rel="nofollow">https://imgur.com/uT1fCRT</a>

评论 #10081602 未加载

allworknoplay将近 10 年前

adelevie将近 10 年前

I'd love to see an open source project around scanning the GitHub API and subscribing to alerts for your org's repos.

xiata将近 10 年前

People always forget about the other keys...filename:id_ed25519 filename:id_rsa filename:id_dsa filename:id_ecdsa

SSH Keys on GitHub

13 条评论

SSH Keys on GitHub

13 条评论