How to add security key to github with firefox? - github

Github refused to clone a private repo:
$ git clone https://github.com/jamesbond/secretmission
Cloning into 'secretmission'...
Username for 'https://github.com': kilojoules
Password for 'https://kilojoules@github.com':
remote: Support for password authentication was removed on August 13, 2021. Please use a personal access token instead.
remote: Please see https://github.blog/2020-12-15-token-authentication-requirements-for-git-operations/ for more information.
fatal: Authentication failed for 'https://github.com/jamesbond/secretmission/'
In my opinion, the blog they post to is not clear about what I can do here. I am trying to add a security key to see if that helps. When I try to enter a security key in Firefox on my Mac, I see this: "github.com wants to register an account with one of your security keys. You can connect and authorize one now, or cancel." I have no actions available that I am aware of past this point.
I'm out of my element. How do I connect and authorize a security key? When I use the Firefox plugin, it asks for the issuer and secret, of which I have neither. Can I use an Ethereum wallet as authentication?

To push to GitHub, you don't need to set up a security key. A security key is a special device that plugs into the USB port, such as a YubiKey, and typically acts as a second factor.
In your case, to push, you need to use a personal access token. While Git asks you generally for a username and password, GitHub doesn't permit the use of your actual login password here. You must go to the token page and create a personal access token that has at least the repo scope. Then, when you're prompted for your password, paste the token in instead of entering your password (note that nothing will be echoed to the screen, including asterisks).
GitHub requires this for several reasons. First, passwords are generally of poor quality, whereas GitHub's tokens contain at least 128 bits of entropy and are effectively unguessable. Second, tokens can be restricted to have access to only some repositories or some functionalities, whereas having your password allows the attacker to log in and do anything. Third, tokens can be rotated or deleted if they're compromised, which is much easier than forcing the user to change their password. And finally, tokens typically have a special fixed form that makes it obvious when they're leaked, so if a token is leaked, it can be automatically revoked.
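The last point of the answer above, the fixed form that makes leaked tokens easy to spot, can be used locally before a commit or when reviewing a config file. This is an added example, not part of the original answer: the function name and the sample input are constructed, and the token lengths in the pattern are treated as minimums.

```shell
#!/bin/sh
# Added example: find GitHub tokens in text by their fixed prefix.
# Prefixes: ghp_ (personal access token), gho_/ghu_/ghs_/ghr_ (OAuth and
# app tokens), github_pat_ (fine-grained personal access token).

# Read text on stdin and report the line number of each token found.
# Only the first 8 characters are printed so the report does not leak it again.
scan_github_tokens() {
  grep -nEo '(gh[pousr]_[A-Za-z0-9]{36,}|github_pat_[A-Za-z0-9_]{22,})' |
    awk -F: '{ printf "line %s: %s... (%d chars)\n", $1, substr($2, 1, 8), length($2) }'
}

# Constructed sample: a .git/config where a token was pasted into the
# remote URL. The "token" is ghp_ followed by 36 zeros, not a real one.
sample_git_config() {
  printf '[remote "origin"]\n'
  printf '\turl = https://kilojoules:ghp_%036d@github.com/jamesbond/secretmission\n' 0
  printf '\tfetch = +refs/heads/*:refs/remotes/origin/*\n'
}

# Usage: scan_github_tokens < .git/config
#        git diff --cached | scan_github_tokens
```

A hit in a file that has already been pushed means the token should be deleted on the token page and replaced, not just removed from the file.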

Related

github requires a personal access token, but still does not accept them

I wanted to push my react project to github, but if I try putting in my username and password, I get this message:
The annoying part is when I try using a personal access token instead, I get the "fatal: unable to access 'https://github.com/samisamara/personalWebpage.git/': The requested URL returned error: 403" error.
I used all saved tokens I had on me (I always remember to save my tokens so I don't lose them) and I even tried to make a new token, but neither worked. So git is making me use my github password instead of a personal access token, but it also requires a personal access token instead. I'm basically locked out of doing any commits, and I have no idea what to do. Does anyone have a solution to this?
I found an answer to this. When you generate a new token, you have to check mark the "repo" checkbox. I didn't check mark that last time, so the key didn't have permission to actually do anything.
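The missing "repo" checkbox described above can be confirmed without trial pushes: for classic personal access tokens, GitHub's REST API lists the granted scopes in the X-OAuth-Scopes response header. This is an added example, not part of the original post; the function names, the GITHUB_TOKEN variable and the sample headers are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: check whether a classic personal access token has a scope.
# Fine-grained tokens use per-repository permissions and do not report
# scopes in this header.

# Pull the scope list out of raw HTTP response headers read from stdin.
# Header names are case-insensitive and lines end in CRLF.
scopes_from_headers() {
  tr -d '\r' | grep -i '^x-oauth-scopes:' | head -n 1 |
    cut -d: -f2- | sed 's/^[[:space:]]*//'
}

# Return 0 if the wanted scope (default: repo) is in the comma-separated
# list on stdin. Exact match, so "public_repo" does not count as "repo".
has_scope() {
  wanted="${1:-repo}"
  tr ',' '\n' | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' | grep -qxF -- "$wanted"
}

# Live check (needs network). The token is fed to curl as a config line on
# stdin, so it does not appear in the process list or in shell history.
token_scopes() {
  printf 'header = "Authorization: Bearer %s"\n' "${GITHUB_TOKEN:?set GITHUB_TOKEN first}" |
    curl -sS -I -K - https://api.github.com/user | scopes_from_headers
}

# Constructed sample headers (not captured from a real account).
sample_with_repo() {
  printf 'HTTP/2 200\r\nx-oauth-scopes: repo, read:org\r\nx-accepted-oauth-scopes: \r\n'
}
sample_without_repo() {
  printf 'HTTP/2 200\r\nX-OAuth-Scopes: public_repo, gist\r\n'
}

# Usage: token_scopes | has_scope repo && echo "token can push to private repos"
```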

How to recover github password without using 2FA credentials

I am using "forgot password" to change my GitHub password, but it requires 2FA credentials and I lost the 2FA app as well. So is there any way I can change my password without using 2FA credentials?
A list of possibilities is given in this help page on GitHub.
To summarize, you can recover your account on your own, even after losing your 2FA app, if you (already) have:
A recovery code: you can download and safely keep a list of backup codes for situations like this.
A fallback number: a second phone number associated with your account.
A security key: you can have, for example, a physical USB stick as a security key.
Without this, there are two more methods provided, but will take longer and are not guaranteed to recover your account:
Using a verified device, SSH token, or personal access token: you can apply for account recovery by proving that you are logging in from a device you have used before, or using a SSH or personal access token that has been used before. The request will be then manually considered by GitHub support.
Using an account recovery token on Facebook (if you have set it previously): This also requires manual verification.
In general, to avoid such issues in the future, it would be advisable to download (and perhaps print a physical copy) of recovery codes for each service you use 2FA with, as that would be one of the easiest and fastest ways to recover your account.

Are GitHub personal access tokens single use (then they expire/delete)?

Can GitHub personal access tokens be set to single use only?
I'm reading the GitHub Personal Access Token setup guide. It appears that I create a 'token' to eliminate the need for my 2FA code when using GitHub from the command line.
I want this token to either expire after I use it, or I want the ability to delete it permanently somehow after I use it. Is this possible? Otherwise it seems to defeat the purpose of 2FA because if somebody got my token they could get into my GitHub without 2FA.
There are two options to Delete a single token or Revoke All tokens in Github.

Can't push due to organization's requirement for 2 factor authentication

I belong to an organization that requires 2 factor authentication, and now I can't push anything - not to the organization's repo, and not to my own personal repos. What do I do now?
And why does it work like this ???
Normally, when 2FA is activated, you can go to your PAT (Personal Access Token) page, and generate one that you will use for pushing: it will replace your password.
git push
Username: your_username
Password: your_token
why does it work like this?
With 2FA, your password is supposed to be protected, because anyone managing to steal that first factor (password) would still need to know a second factor to use it.

How to get two factor authentication when resetting password and no devices configured for two factor

I recently wanted to use one of my old project-specific GitHub accounts, where two-factor authentication was enabled. Since I was not able to remember the password, I used the "Forgot password" option and reset the password.
However, after successfully changing the credentials, GitHub is as usual expecting the two-factor authentication key. Since I no longer have the same device, I don't have GitHub configured to get the two-factor authentication, nor do I have any more information about the account other than my login credentials.
Is there any way I could get the two-factor authentication working, or could I log in?
If you have the credentials of the GitHub account, you can log in to said account and enable 2FA.
Then you can generate a PAT (Personal Access Token) in order to use that as a password (and bypass the 2FA step when pushing on the command line).
Personal access tokens are useful when it's too cumbersome to provide a client/secret pair for a full application, such as when authenticating to GitHub from Git using HTTPS, or within a command line utility or script.
Later I reset my password, and I didn't have the device on which I had configured my Duo Mobile. How could I log in now? It is asking for 2FA and I don't have any way to provide the key.
Then you would need to follow "Recovering your account if you lost your 2FA credentials"
Having access to your recovery codes in a secure place, or establishing a secondary mobile phone number for recovery, will get you back into your account.