Converting away from password

Hi, ALL,

I have a question.

Every time I push something to GitHub when I’m on Windows, I am getting an E-mail stating that:

However when I’m on OSX I do not receive anything.

My OSX laptop is still using password as I didn’t switch to anything.

What seems to be the problem? Why am I being notified only 1/3 of the time (actually I’m not being notified from Linux box as well).

I’m working with only one repository.

Can someone please shed some light on this matter?

Or maybe OSX is smart enough and it did the right thing already? All by itself, without me interfering?

Thank you.

1 Like

Not sure why it isn’t complaining on macOS.

You don’t appear to have any ssh public keys associated with your account (public keys aren’t secret, just add .keys to a user’s URL and you can see them, but you must keep the corresponding private keys secret…)

I’d suggest you follow these steps:
https://docs.github.com/en/github/authenticating-to-github/connecting-to-github-with-ssh/adding-a-new-ssh-key-to-your-github-account

And then switch to using ssh for your repositories.

Hi,
Why do I need to add an ssh login to my account?
I don’t have a company - it’s just me. And I have my own private repository.

Are you saying that without an ssh login people, including you, can see what I am doing? If yes - I don’t care. When I’m done I will make the repository public and let everybody have access.

Or there is another thing I don’t see?

Besides, I already generated “the password” - the new way of authenticating. I just need a way to save it in all 3 OSes I’m working with so that every time I’m pushing I won’t need to remember to type this “password”.

So why do I need an SSH and PKI? What do I get out of it?

And why is it better than new way of authenticating - thru the “token”?

Thank you.

You don’t have to. You can use SSH with public key authentication, or HTTPS with a PAT.

SSH is a lot more secure, because you use public key authentication. Your private key is never sent to the server (contrary to the token), the SSH client only mathematically proves to the server that you have control over the private key. If that’s not familiar to you, look up what a digital signature is.

For the Git layer, it doesn’t make any difference what you use.

In that case you can just use a password manager to save it, e.g. KeePassXC.

3 Likes

Hi,
I understand. My question is more to the extent of “Why do I need a secure login for GitHub?”

What I mean is - 90% of the projects that are located on GitHub are open source. Me personally, I don’t care if anyone will know the password I use to login to GitHub - it is not a password, more like a passphrase. Moreover - GitHub is not a credit card company, it is not a bank or any financial institution or a government agency. And it is not a social network. Why do I need to care about secure login? But again - you don’t have to answer.

Now about KeePassXC - does it work on Windows, Linux and Mac? Is it integrated with GitHub? On Linux - does it support both GNOME and KDE? Is there good documentation about it? Or is there a GitHub tool that can help?

Thank you.

Illicit access to GitHub is way worse than to a social network. If someone is able to push harmful code to a widely trusted repository or even create malicious releases the damage could be catastrophic, because the code might quickly end up on thousands, if not millions of devices. Some of the most popular open source projects in existence are hosted on GitHub. Open Source does not mean worthless, quite to the contrary, exactly because it can be widely used. Unless the code you push is of absolutely no interest to anyone you should care about making sure it can’t be tampered with.

As for KeePassXC, the documentation is excellent and should answer the rest of your questions.

1 Like

The question you’re asking is fundamentally:

If someone else chooses to rely on your code, and someone hacks your code, then people will think it’s your fault. Now, you can hand wave it and say “open source”, “no warranty”, caveat emptor, but at the end of the day, people care.

Worse, if someone can log in as you, they can make PRs into other projects as you. Consider the consequences for a University caught abusing other people’s trust:

GitHub does process credit cards. And people launder stolen credit cards. And GitHub offers CPU cycles for money. GitHub is actively fighting people abusing its CPU resources. But what if someone uses your account (because you publish your password/use a guessable one) along with someone else’s stolen credit card to do BitCoin mining? Someone is going to want the money back. And the credit card was charged by your account. Why shouldn’t GitHub point the finger at you?

I know, it’s work, but today (and really 20 years ago), you should have switched from “username” + “reused and guessable password” to “username” + “per-site password randomly generated and stored by a password manager” + “2FA” (TOTP or better) for essentially every service to which you have an account. With hand waving for services that do not use passwords at all and instead use OAuth2 delegation to defer to a service which is protected by 2FA as thus described. And you should be closing any accounts with any service that doesn’t provide either 2FA or OAuth2. For everyone’s well-being.

1 Like

For ssh, generate a key on each computer, add each key to GitHub, move on with life. No more password entry when you push to GitHub.

For personal passwords, I just rely on Chrome’s password syncing (my Google account is protected by 2FA).

I’ve contributed to KeePassXC (and use it daily).

Yes, it works on Windows, Linux, and Mac:

https://keepassxc.org/download/

Yes, it has browser integration:

https://keepassxc.org/docs/KeePassXC_GettingStarted.html#_setup_browser_integration

For ssh, generate a key on each computer, add each key to GitHub, move on with life. No more password entry when you push to GitHub.

I did exactly that (or so I thought) and it did not work. I’d appreciate feedback from you or anyone else here: I thought I had set up SSH authentication, but apparently not

Josh,
I am aware of all those issues - after all I was in US Army IT for quite some time.

Now what I’m very curious about is - how can a person log in to GitHub as me? (S)he needs to know my login ID (not E-mail address) and the passphrase I’m using for the login. And most importantly - (s)he needs to know that this login ID is actually connected to me. GitHub is smart enough not to request an E-mail address as login ID: rather they use the actual login ID.

I also understand why they want to protect paying customers - after all that’s how they make money and they want to protect their identities. Now I am not stupid (and I’d like to give other people the benefit of the doubt) and will never publish my credentials to public sites and of course not to any financial institutions I use. I would rather create a system with at least 2-way login: something you have and something you know. Unfortunately this is not feasible at this point of the life in our society, and so only the military uses it. But I would spread it all around the Internet for any financial transaction. Sorry, I’m dreaming now. :wink:

Anyway, using ssh of course does not guarantee that the account will be secured, because GitHub can be cracked and all that stuff can be stolen.

Now I am not using an easily guessable password. I’m using in fact almost everywhere “a passphrase”. And I NEVER store it anywhere, I NEVER write it anywhere. Because when I was in school my brain was taught to hold a large amount of information.
And unfortunately this is not the case with the current generation. But this is ranting again and probably off-topic. :wink:

So as you can see - all this security thing is not something new to me. But at the same time I hate saving the password somewhere on my machine. Because if the password is saved locally - it is not secure. Period.

Now what I think you were talking about is a “personal token” - the stuff that is generated every time a person is trying to login and therefore needs to be entered. This is called a “Personal token” and I know that Northrop is using a special device that generates it every time an employee is trying to login to the Northrop web site.

I currently work for a company that is using a mobile app to generate such a token in order to let employees have access to their portal.

If GitHub is so concerned about security - why not make an application that will generate such a token and provide it as part of GitHub integration? Then literally no one will be able to use the GitHub account and cracking it will be of no use. Every time I, as a user want to connect, that app will generate the token and will let the connection go after I approve with the app.

Actually this is exactly what I’d like to avoid - having a different key/token/password for each machine. It’s just me. Nobody else. I am one person. I do my own development in my spare time and use GitHub as it lets me share the code between all 3 1/2 different OSes: Windows, Linux (GNOME), Linux (KDE) and OSX.

My project is far from finished and I want to use one way of connection from all my laptops.

From time to time I might submit a PR to the library I’m using for cross-platform development, but it is not a requirement, because they have a bug tracking system where I can send a patch.
So basically what I’m looking for is a way to push my code from all 3 and 1/2 different OSes: Windows 8.1, Linux (GNOME 3 and KDE 5) and OSX 10.13 and 10.8.

As far as I understand I don’t want to use ssh, since it will require generating the 4 different keys and this is not what I want AFAIU.

So, I do have a “token” (or whatever GitHub calls a “token”), but now I need a way to store it somewhere on all 3 and 1/3 platforms so “git push” will start using it.

Unfortunately GitHub documentation does not explain how to save it somewhere locally (even though I hate it with all my guts - I don’t have a choice; no one in their right mind will be able to remember that nonsense).

I am sure you have a way to help, so PLEASE, PLEASE, PLEASE explain it to me like I am a 6-year-old child. Or point me to such documentation.

Because remember - if you are the developer, security is not your strength. And vice versa.

Thank you.

ELI5

Windows 8.1

(Assuming you’ve installed Git for Windows which should give you ssh and let it add everything to your path.)

  1. Open a command prompt (that has git in the path)

  2. Generate an ssh key

    ssh-keygen

    press <enter> a bunch of times.

    Now you have a private key. You just leave it alone.

  3. Copy the public key to your clipboard

    clip < "%USERPROFILE%\.ssh\id_rsa.pub"

    Ref: clip.exe

    If clip doesn’t work:

    1. Open the file in notepad:
       start "" notepad "%USERPROFILE%\.ssh\id_rsa.pub"
    2. <ctrl>-a (Select all)
    3. <ctrl>-c (Copy)

  4. Visit https://github.com/settings/ssh/new

  5. Paste the public key into the key field

  6. Enter the name of the computer (Windows 8.1) into the title.

  7. Click Add SSH Key

Linux

  1. Open a Terminal

  2. Generate an ssh key

    ssh-keygen

    press <enter> a bunch of times.

    Now you have a private key. You just leave it alone.

  3. Copy the public key to your clipboard

    xclip -selection clipboard ~/.ssh/id_rsa.pub || xsel --clipboard --input < ~/.ssh/id_rsa.pub || xdg-open ~/.ssh/id_rsa.pub

    (xclip is friendlier, but you might not have it, xsel should work, worst case, xdg-open is hopefully there to open the file in something – pick a text editor, you’re just going to select-all + copy – same as with Windows above.)

  4. Visit https://github.com/settings/ssh/new

  5. Paste the public key into the key field

  6. Enter the name of the computer (Linux Gnome / Linux KDE) into the title.

  7. Click Add SSH Key

macOS

  1. Open a Terminal

  2. Generate an ssh key

    ssh-keygen

    press <enter> a bunch of times.

    Now you have a private key. You just leave it alone.

  3. Copy the public key to your clipboard

    pbcopy < ~/.ssh/id_rsa.pub

  4. Visit https://github.com/settings/ssh/new

  5. Paste the public key into the key field

  6. Enter the name of the computer (macOS) into the title.

  7. Click Add SSH Key
You can technically copy the .ssh directory contents between your computers (especially the public/private keys), but the benefit of not doing it is that when a computer is stolen/compromised/destroyed, you can delete the keys from your public keys in GitHub and move on instead of replacing your keys everywhere else.
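The per-platform steps above, folded into one script as an added example (not code from the thread or from GitHub). It assumes an ed25519 key at ~/.ssh/id_ed25519 rather than the id_rsa default the steps show, tags the key with the host name so you can tell which machine’s key to delete from GitHub later, and refuses to copy anything that is not a public key line.

```shell
#!/bin/sh
# Added example, not from the thread: the "generate a key, copy the public key"
# steps above as one script for Linux, macOS and Git Bash on Windows. Assumes an
# ed25519 key at ~/.ssh/id_ed25519 (the thread shows the older id_rsa default),
# commented with the host name so each machine's key is easy to spot in GitHub's
# key list when one has to be revoked.
KEY="${HOME}/.ssh/id_ed25519"

# Print the first clipboard tool found on this host, or "none".
pick_clipboard() {
  for tool in pbcopy clip xclip xsel wl-copy; do
    command -v "$tool" >/dev/null 2>&1 && { printf '%s\n' "$tool"; return 0; }
  done
  printf 'none\n'
}

# Sanity-check a public key line, "<type> <base64> [comment]", before pasting
# it into GitHub; catches the classic mistake of copying the private key file.
pubkey_is_valid() {
  ktype=$(printf '%s' "$1" | cut -d' ' -f1)
  blob=$(printf '%s' "$1" | cut -d' ' -f2)
  case "$ktype" in
    ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
    *) return 1 ;;
  esac
  printf '%s' "$blob" | grep -Eq '^[A-Za-z0-9+/]{16,}={0,2}$'
}

# Create the key only if this machine has none yet (one key per machine, as the
# thread recommends), then show the fingerprint GitHub will list for it.
ensure_key() {
  if [ ! -f "$KEY" ]; then
    ssh-keygen -t ed25519 -C "$(hostname)" -f "$KEY" || return 1
  fi
  ssh-keygen -lf "${KEY}.pub"
}

# Copy the public key with whatever tool exists; fall back to printing it.
copy_pubkey() {
  pub="${KEY}.pub"
  pubkey_is_valid "$(cat "$pub")" || { echo "not a public key: $pub" >&2; return 1; }
  case "$(pick_clipboard)" in
    pbcopy)  pbcopy < "$pub" ;;
    clip)    clip < "$pub" ;;
    xclip)   xclip -selection clipboard < "$pub" ;;
    xsel)    xsel --clipboard --input < "$pub" ;;
    wl-copy) wl-copy < "$pub" ;;
    none)    cat "$pub" ;;  # paste it by hand at github.com/settings/ssh/new
  esac
}
```

Source the file, then run `ensure_key && copy_pubkey` and paste the result at https://github.com/settings/ssh/new, naming the key after the machine as the steps above say.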

Hi,
You gave a solution for ssh.

But I don’t want that. I want a unified solution with the token, so all my machines will be using the same way of communication.

Or ssh IS a token?

Thank you,

You can treat SSH as a token, and if you want to use the same token you can copy your private key to each computer.

The alternative is a personal access token.

But for that, you have to figure out how to save/manage it, and while it’s fine if you’re using it in GitHub Secrets or other things (that store random individual secrets), it’s really not something I’ve found a good way to manage for normal git operations.