Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

That is not the only disturbing part. SSH private key by itself is not much of a threat, but bundled together with known_hosts is a recipe for disaster.


https://github.com/gomachan/dotfiles/tree/master/.ssh


At least now someone can push to his GitHub account to remove it for him. :-)


Not if he has a passphrase, right?


Correct.


Why would people put dotfiles like ssh keys up on public github?

This kind of thing is best suited for a private repo (github is still ok, just make it private) - cause it's most likely of no use to anyone but that single user.


I would not suggest that it's okay even for a private repo. Never let your private keys leave your machine or its dedicated, encrypted backup.


Although I would never do this myself, if the keys themselves are encrypted with a password and then uploaded, it's not nearly as bad.


In the case of ssh keys, you usually should use a different key per device/home directory and let your server accept all the keys.


And that was just the one on the first page of results I got.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: