if you want to set up seamless logins of an account to anywhere from anywhere, you need to copy around both because any node could either be on the client or server side of the challenge and response.
The reason that the first hit has "penis" embedded in the base64 is that I posted this to Reddit last night :-). I figured this sort of thing would be old news for HN, but judging by this having gotten 8 points in 12 minutes I guess I was wrong.
So whats the attack vector here? You have unknown users private key to a unknown service. Of course you should keep your private keys private, but exploiting this takes quite a stretch.
This is not about a conctete attack. It is about a fundamental lack of care and understanding in crypto security. These Google results demonstrate the utter sluttery of various system administrators.
In the same vein: Buffer overflows should never be tolerated, even if they were un-exploitable in some cases because of lucky circumstances.
Like with the whole "sniffing tor exit nodes" thing [1], you do wonder if it's actually the original owners who fails to protect their data, or if it's someone else [2].
I caught this via a friend of mine, and I tried it without a site: search and mostly came up with too much noise to signal in the results. I'd imagine that a lot of "paste over the Internet" sites have this problem, and I'd bet SSH keys aren't the only juicy bits you can find.
Techies almost always consider themselves quite smart. However, a big fraction of them are egregiously ignorant of important technical matters. Security has always been a problem area as far as this goes.
(OO and compiler/language implementation are two more!)
Security (both physical and infosec) is one of my biggest passions, and I've been writing about it for plenty longer than a decade. Granted, for the first several years, it was a pile of .txt files in an "e-Zine" but still...
Because you're still in the process of setting up an actually secure SSH in the first place?
If you're serious about security, scp is not secure (open to man-in-the-middle attacks) until you've transferred keys via some other channel or use a PKI that you actually pay attention to.
Not that you'd want to do so, but if you're inclined to use a pastebin for such things, I have https://privatepaste.com which does not expose pastes to indexing unless specifically requested in the vhost configuration.
It's particularly funny because on the one hand, these people are doing something of non-trivial technical sophistication, and on the other, they have zero understanding of what they're trying to accomplish.
This would be people posting their private key by mistake when someone asked for their public key to put in an authorized_keys file. Hopefully the geek on the other end told them "WTF go burn your key and start again".
[+] [-] andrewf|16 years ago|reply
Generate the public/private pair on the client machine and the public key is the one you put on other machines to SSH into them.
[+] [-] th0ma5|16 years ago|reply
[+] [-] dfranke|16 years ago|reply
[+] [-] mixmax|16 years ago|reply
http://news.ycombinator.com/item?id=639976
[+] [-] aerique|16 years ago|reply
[+] [-] FlorinAndrei|16 years ago|reply
[+] [-] zokier|16 years ago|reply
[+] [-] vog|16 years ago|reply
In the same vein: Buffer overflows should never be tolerated, even if they were un-exploitable in some cases because of lucky circumstances.
[+] [-] olefoo|16 years ago|reply
You should rekey your network on a regular schedule at least as often as you change your passwords.
[+] [-] duck|16 years ago|reply
[+] [-] stse|16 years ago|reply
[1] http://arstechnica.com/security/news/2007/09/security-expert... [2] http://pastebin.com/f4b10cc33
[+] [-] javery|16 years ago|reply
http://www.google.com/search?hl=en&safe=off&q=site%3...
[+] [-] ax0n|16 years ago|reply
Another fun one to find Cisco VPN configuration files, many of which have an encoded (reversible) password within: http://www.google.com/search?q=filetype%3Apcf+Main+Descripti...
headdesk
[+] [-] stcredzero|16 years ago|reply
(OO and compiler/language implementation are two more!)
This would be a good topic for interviews!
[+] [-] hoop|16 years ago|reply
[+] [-] romland|16 years ago|reply
Nice find and nice tip, I must say. :)
[+] [-] ax0n|16 years ago|reply
Security (both physical and infosec) is one of my biggest passions, and I've been writing about it for plenty longer than a decade. Granted, for the first several years, it was a pile of .txt files in an "e-Zine" but still...
[+] [-] njharman|16 years ago|reply
[+] [-] brazzy|16 years ago|reply
If you're serious about security, scp is not secure (open to man-in-the-middle attacks) until you've transferred keys via some other channel or use a PKI that you actually pay attention to.
[+] [-] mgrouchy|16 years ago|reply
http://www.google.com/search?hl=en&safe=off&q=site:g...
only a few actual hits in there.
[+] [-] crad|16 years ago|reply
[+] [-] vog|16 years ago|reply
[+] [-] chuhnk|16 years ago|reply
[+] [-] dschobel|16 years ago|reply
[+] [-] csmeder|16 years ago|reply
[+] [-] unknown|16 years ago|reply
[deleted]
[+] [-] jeffreyg|16 years ago|reply
[+] [-] dschobel|16 years ago|reply
[+] [-] djcapelis|16 years ago|reply
[+] [-] yan|16 years ago|reply
[+] [-] c4urself|16 years ago|reply
[+] [-] sswam|16 years ago|reply
[+] [-] sswam|16 years ago|reply
[+] [-] pykler|16 years ago|reply