Private keys committed to Github repositories

27 points by truxs, over 12 years ago

18 comments

aaronpk, over 12 years ago
No, this is people committing their private keys to a Github repository. Github is not at fault.
edit: submitter has since updated the title, was: "Github giving away your private key"
femto113, over 12 years ago
Definitely a "you did what?" situation but probably still newsworthy since the new search tool makes the user's error easier to exploit and the publicity about the tool will make it more likely that someone will exploit it.
nodesocket, over 12 years ago
Here is how to check if you ever committed your private SSH key by accident:
    https://github.com/search?q=%40user-name-here+path%3A.ssh%2Fid_rsa&type=Code&ref=searchresults
NathanKP, over 12 years ago
Many of the items on that list are actually public keys, which should be perfectly safe to share to the world in a Git repo, but there are definitely a few private keys in there as well.
kalmar, over 12 years ago
Not just github: https://www.google.com/search?q=site%3Agithub.com+inurl%3Aid_rsa
orangethirty, over 12 years ago
I hope people take the high road here and don't make an example out of github members. People make mistakes. You don't need to delete their repo to show them. A friendly email will do.
Also Github, provide an option to protect those who are less security savvy.
rbut, over 12 years ago
Don't forget id_dsa as well. https://github.com/search?q=path%3A.ssh%2Fid_dsa&type=Code&ref=searchresults
guptaneil, over 12 years ago
.ssh should probably be on a default .gitignore list, along with .DS_Store
kbar13, over 12 years ago
for those saying that github or git should have a default rule preventing private keys from being committed, I say:
lolwat?
private keys are private. these people -know- that they are pushing a git repo to a very public site. as such, they should recognize that * is going to be visible in their dotfiles repo. it's not git or github's fault that users are doin it wrong!
2468ben, over 12 years ago
Can someone just write a script that crawls this page for updates, then sends the users an email telling them what they did?
troyjfarrell, over 12 years ago
It's actually very handy to keep your private keys in a VCS (along with other dotfiles.) I keep mine in a private repository. I don't worry about it because all my private keys are encrypted with strong passphrases.
squeed, over 12 years ago
My favorite: searching for typos.
https://github.com/search?q=legnth&p=1&ref=searchbar&type=Code&l=
X-Istence, over 12 years ago
Github is serving up private keys for those that added them to a git repository. I was wondering how they would be giving away my private key ... without me giving it to them.
rcthompson, over 12 years ago
I wonder if there's a case for a default pre-commit hook that greps for anything secret-looking such as ssh private keys, gpg keys, etc. and bails if it detects any.
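The pre-commit hook suggested in the comment above, sketched as an added example that is not part of the thread and not Git's or GitHub's own code. It matches the private-key armor line in the staged content rather than the file name, so `.pub` files pass; the pattern list and the names `has_private_key` and `scan_staged` are assumptions of this sketch.

```shell
#!/bin/sh
# Added example: install as .git/hooks/pre-commit (executable).
# Function names and the pattern list are this sketch's own choices.

# Armor lines that open private key material: PEM (RSA/DSA/EC), PKCS#8,
# OpenSSH and PGP. Public keys ("ssh-rsa AAAA...", "BEGIN PUBLIC KEY") do not match.
KEY_RE='-----BEGIN ((RSA|DSA|EC|OPENSSH|ENCRYPTED|PGP) )?PRIVATE KEY( BLOCK)?-----'

# Succeeds when stdin contains a private key armor line.
has_private_key() {
    grep -Eq -e "$KEY_RE"
}

# Checks the staged (index) copy of every added, copied, modified or renamed
# file, reports offenders on stderr, and fails if there was at least one.
# Paths containing newlines are not handled.
scan_staged() {
    found=0
    git -c core.quotePath=false diff --cached --name-only --diff-filter=ACMR |
    {
        while IFS= read -r path; do
            if git show ":$path" 2>/dev/null | has_private_key; then
                printf 'private key material staged in: %s\n' "$path" >&2
                found=1
            fi
        done
        [ "$found" -eq 0 ]
    }
}

# Act only when running as the installed hook, so the file can also be sourced.
case "${0##*/}" in
    pre-commit)
        if ! scan_staged; then
            echo 'commit aborted: remove the key from the index (git rm --cached <file>)' >&2
            exit 1
        fi
        ;;
esac
```

Passphrase-protected keys carry the same armor line and are flagged too; `git commit --no-verify` skips the hook for a deliberate commit.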
bradfa, over 12 years ago
More than half those results are public keys. It's not as bad as first impressions would indicate.
chadscira, over 12 years ago
I knew this was going to happen, I'm sure other goodies will be found too.
BuzzKilla1960, over 12 years ago
Finally a github search that works!!!!
DrJ, over 12 years ago
author should grep -v pub from the keys list.