New github authentication

I am receiving emails from github warning me that password access will be disabled.

Following the docs links they send me, it seems that I have to generate a “token” and use that as a password from now on. That is a long string, that I will obviously have to store non-protected in my computer. On one side, having to find, copy and paste the token every time I commit something is very annoying. On the other side, that does not seem more secure than a password, since I have to store it in my machine.

What is the reasonable way to proceed here? Any tips?

I use Enpass for my passwords and put my GitHub PAT there. Still in case I have to copy it from there. But this is safe and convenient.

1 Like

If it is for commits, then why don’t you want to use common ssh keys? You can password protect them if you want too. They’ve been around for a very long time and are secure and reliable.

5 Likes

Yes, I am trying that now. But I am struggling a bit to find out how to clone, commit, push, etc, using the ssh key. I have added the public key to the account, but the docs on what to do next are not very clear.

I found a clear tutorial now, and cloning the repo using this makes the ssh work:

git clone git@github.com:NAME/package.jl

(the tutorial, this one very clear, is here, but in Portuguese: https://kamarada.github.io/pt/2017/04/09/usando-chaves-ssh-com-o-git/#.X-IwBNZ7ldM)

I think that after doing that you only need to change your repository’s remote url to use ssh instead of https. After that, you just push commit and pull the way you have been doing it.

You can see if you are using https by doing:

git remote -v in your repo. If the urls start with https, then you can change it to ssh.

from here:

Switching remote URLs from HTTPS to SSH

  1. Open Terminal.
  2. Change the current working directory to your local project.
  3. List your existing remotes in order to get the name of the remote you want to change.
     $ git remote -v
     > origin  https://github.com/USERNAME/REPOSITORY.git (fetch)
     > origin  https://github.com/USERNAME/REPOSITORY.git (push)
  4. Change your remote’s URL from HTTPS to SSH with the git remote set-url command.
     $ git remote set-url origin git@github.com:USERNAME/REPOSITORY.git
  5. Verify that the remote URL has changed.
     $ git remote -v
     # Verify new remote URL
     > origin  git@github.com:USERNAME/REPOSITORY.git (fetch)
     > origin  git@github.com:USERNAME/REPOSITORY.git (push)

3 Likes
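
The HTTPS-to-SSH remote switch from the post above, as an added shell example that is not part of the original thread or of GitHub's docs. The function names are this example's own; it also flags remotes whose HTTPS URL has a credential embedded in it, since such a URL sits in plain text in .git/config.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are this example's own.

# Succeeds when an HTTPS URL carries "user:token@" in front of the host.
has_embedded_credentials() {
    _hc_rest=${1#https://}
    [ "$_hc_rest" != "$1" ] || return 1        # not an HTTPS URL
    _hc_auth=${_hc_rest%%/*}                   # [user[:token]@]host
    [ "${_hc_auth##*@}" != "$_hc_auth" ]
}

# Print the SSH form of a github.com HTTPS URL; return 1 for anything else.
# Credentials embedded in the URL are dropped, never copied to the new URL.
https_to_ssh() {
    _rest=${1#https://}
    [ "$_rest" != "$1" ] || return 1           # not an HTTPS URL
    _auth=${_rest%%/*}                         # [user[:token]@]host
    [ "${_auth##*@}" = "github.com" ] || return 1
    _path=${_rest#*/}
    _path=${_path%/}
    _path=${_path%.git}
    case $_path in
        */*/*|/*|*/) return 1 ;;               # not exactly OWNER/REPO
        */*) printf 'git@github.com:%s.git\n' "$_path" ;;
        *) return 1 ;;
    esac
}

# Rewrite every github.com HTTPS remote of the repository in $1 (default: .).
rewrite_remotes() {
    _repo=${1:-.}
    git -C "$_repo" remote | while read -r _name; do
        _url=$(git -C "$_repo" remote get-url "$_name")
        _new=$(https_to_ssh "$_url") || continue   # leave other remotes alone
        if has_embedded_credentials "$_url"; then
            # The old URL is deliberately not printed.
            echo "warning: $_name had a credential in its URL (stored in .git/config)" >&2
        fi
        git -C "$_repo" remote set-url "$_name" "$_new"
        echo "$_name -> $_new"
    done
}
```

Source the file and run `rewrite_remotes /path/to/repo`; it assumes the public key is already added to the account, as described earlier in the thread.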

AFAIK they are only disabling Username + Password for API Access
Not for their website, nor for making commits.

I didn’t even know that GitHub let you auth for the API using password and username,
and I have been using the GitHub API since long before November 2019.

Instead of doing a password, you do the OAuth process with a token – like every other web API.
Storing these tokens is always a bit annoying, I generally put them in a little bash-script that stores them into environment variables. Which is hella insecure, but also since they are tokens (and not my actual credentials) I have them created with restricted permissions – read only, no write.
And I can (and occasionally do) redact them when I am finished with them.

It would be really nice to have an OAuth package for Julia that can do the full OAuth flow, and that starts up a local HTTP.jl server to accept the token etc., and has some built-in encryption so you can have it hidden behind a user-provided password.

2 Likes

Probably it doesn’t help the fact that I do not know what exactly the API is :( . I get those messages and my reaction is: what can I do to be sure I won’t lose access to my account? And following their links one gets into a spiral of options, with me having to install applications in the phone between them. I start to feel like my father, who is an active computer scientist and is incapable of printing a pdf file. Time to start training my baby to help me with the new technologies.

1 Like

Additionally, today we are announcing our intent to similarly require the use of a personal access token, OAuth token, or SSH key for all authenticated Git operations at a future date.

IIUC, “Git operations” means command-line Git operations.

2 Likes