How to correctly use GitHub's authentication token?

The full question is here. It’s basically about knowing how to securely use the authentication token when pushing or pulling to a GitHub repository via the Linux terminal.

Using a password manager would be the preferred solution. You could look into git-credential-cache so you don’t have to enter the token (from the password manager) for each and every push.

Using SSH with an encrypted key and ssh-agent has a similar effect.

Thank you airtower-luna. The git-credential cache is a temporary cache, so won’t be the solution I’m looking for, but storing the SSH key might work. Still, given that someone else may get access to the folder where my local SSH key is stored, it does not seem like a secure method. I’m disappointed that GitHub has taken a decision to deprecate the use of passwords for using GitHub via the command line. From what I understand, it was the only secure and hassle-free way to work with the repositories I created.


You can encrypt the key with a passphrase to protect it against someone who might be able to access the file system unauthorized. If you control the system I’d recommend additionally using disk encryption.

It’s most likely not secure. When people don’t use a password manager the result is usually that passwords are not very strong (easy to guess) or get reused for multiple sites, often both. It’s understandable because few people can remember a dozen or more strong passwords, but it’s also a serious problem.

On the other hand, with a password manager “remembering” a complicated token becomes a non-issue. Of course for security the password manager should be the kind that stores passwords locally with strong encryption, not the kind that pushes everything to “the cloud”. :wink:


There is no way to securely use it. It’s basically a password that’s too complicated to remember so you’re forced to save it in a file and copy it to everywhere that you use it.

I hope y’all provide some way to use the SSH keys even if I clone using the https link.

Git already has the url.<base>.insteadOf setting, which allows you to change the URL transparently.
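The url.<base>.insteadOf rewrite mentioned in the last reply, shown as an added example that is not part of the original thread. It works in a throwaway repository with repo-local config; the repository name example-user/example-repo is a constructed placeholder.

```shell
#!/bin/sh
# Added example: make an HTTPS GitHub remote resolve to SSH through
# url.<base>.insteadOf. Only a scratch repo's local config is touched.

# Print the URL git will really use for a remote after insteadOf rewriting.
# "ls-remote --get-url" expands the URL and exits without contacting the remote.
effective_url() {
    git -C "$1" ls-remote --get-url "$2"
}

# Build a scratch repo whose origin is an HTTPS URL, add the rewrite rule,
# and print the effective URL before and after. The body runs in a subshell
# so its variables do not leak into the caller.
demo_rewrite() (
    repo=$(mktemp -d) || exit 1
    https_url="https://github.com/example-user/example-repo.git"  # constructed sample

    git init -q "$repo"
    git -C "$repo" remote add origin "$https_url"
    echo "before: $(effective_url "$repo" origin)"

    # Every URL starting with https://github.com/ is rewritten to the SSH form,
    # so authentication uses the SSH key (passphrase-protected, unlocked via
    # ssh-agent) and no token has to be stored or pasted.
    git -C "$repo" config url."git@github.com:".insteadOf "https://github.com/"
    echo "after:  $(effective_url "$repo" origin)"

    rm -rf "$repo"
)

demo_rewrite
```

Adding `--global` to the `git config` line applies the same rewrite to every repository for the current user, including ones cloned later with the https link.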