Comment by hoppp
3 days ago
Much worse, instead of the data gone it's a data leak.
Those ssh keys can be used to access private servers
3 days ago
Much worse, instead of the data gone it's a data leak.
Those ssh keys can be used to access private servers
SSH keys can be limited by IP in authorized hosts.
The SSH port itself can be limited by IP in firewalls.
Finally, the SSH private key can be encrypted with a password.
Defense in depth is needed. Storing a ssh private key in plain text with no IP restriction is no different to having a password manager store your passwords in plain text on your HD.
All those things are optional.
Doesn't make uploading the keys that much better. Now is the time for key rotation everywhere. Fast.
How are they optional?
You obviously haven't worked anywhere security sensitive.
I'm not talking about whether what Grok did is bad or good, I'm talking about protecting your private key and the servers you connect to.
An unencrypted private key is no different to an unencrypted password manager, and thats a fact. Dont store secrets in plain text.
3 replies →
Well, those ssh keys are protected by a strong passphrase, right?
The passphrase is optional, not everyone has it.
It also has to be a secure password, people often don't care because it's a local file and generally not exposed to the internet.
I am sure majority of people don't use password for ssh keys. The good solution is to use password manager like 1password which will prompt you to approve ssh.