Does deprecation of basic password authentication affect GitHub deploy keys? - github

I received an email from GitHub stating:
You recently used a password to access the repository at username/repo with git using git/2.24.3 (Apple Git-128).
Basic authentication using a password to Git is deprecated and will soon no longer work. Visit https://github.blog/2020-12-15-token-authentication-requirements-for-git-operations/ for more information around suggested workarounds and removal dates.
So I'll need to use another method for standard command line for git commits pushed to GitHub, which shouldn't be a problem.
But I wonder does this affect deploy keys? For example, in automated processes that have been running for some months or years - should we prepare for changes?
I have checked the blog post, and note that there's still plenty of time (deprecation happens 13 August 2021), but it will be important to understand any affect on deploy keys in order to prepare.

No, deploy keys are unaffected. The only thing that's affected is using a password to authenticate to Git or Git LFS over HTTPS. If you use a personal access token or OAuth token over HTTPS or you use SSH at all (whether with a personal or deploy key), those are unaffected.
The reason for this change is because knowing an account's password allows you to log into that account, change the password, and configure virtually every setting. On the other hand, a token does not allow you to log in via the web interface and is typically restricted to a limited set of scopes, and it is pseudorandomly generated. Similarly, SSH keys are also restricted in their access and are not easily guessable.
As a result, the consequences of accidentally exposing your authentication credentials are lower and the set of credentials you replace it with is unlikely to be guessable from the old exposure.

You can change from https:// remote urls to git# urls (e.g. ssh)
git remote -v # check that your remote (e.g. origin) is using https://
git remote rm origin
git remote add origin git#github.com:ORGANIZATION_OR_USER/REPO_NAME.git
git fetch --all
git branch -u origin/master master
And then you can test it:
git pull
git commit --allow-empty -m "nothing"
git push

Related

Github login best way from CLI / Git Bash

Ever since Github changed it's policy to not accept username/password anymore, I'm having a difficult time logging in when I push a branch to the remote repo.
I've tried a PKA key, but I forget it sometimes and I have to regenerate. Then I stored it in a plain text file and copy-paste when needed. And this PKA key seems like an API key for one project, instead of a way to log in manually to push changes. This seems to me like not-the-way to go. And I can imagine professionals do this in a better way.
I'm using a Linux machine and git from the terminal. And a Windows 10 machine with Git Bash (Git for Windows). How should I configure my account and computers so that I can easily run git push origin master?
Is it possible to use 2FA in a way where I log in with my account username and password and verify my login with an authenticator app on my phone? And preferably trust my computer from future logins.
It seems like you want to store your credentials globally on your machine. Store your credentials in global git configuration file.
WARNING: Your credentials would be visible to everyone who uses your machine, but the config file is usually hidden /.config.
Store your credentials on your machine globally:
git config --global credential.helper store
Next time you enter your credentials, this will store your credentials. In next consequent times, you won't be prompt to enter credentials anymore.

How to create a Gitlab webhook to update a mirror repo on Github?

I would like to create a webhook within Gitlab to automatically update a mirror repository on Github, whenever a push event happens. I've checked this page, but I didn't understand how it is done.
My Gitlab version is 6.5. Here is the configuration page:
What should I put in URL? Where do I need to place the script to update the repository?
You don't need a webhook for that. A regular post-receive hook will work very well.
To create and use such a hook you just have to login on the server where your gitlab is installed and create an ssh key for git user.
sudo -u git ssh-keygen -f /home/git/.ssh/reponame_key
(do not type any passphrase when prompted)
Go to your github account and add the public key (it's been created as /home/git/ssh/reponame_key.pub) to your project as a deploy key.
have a look at https://help.github.com/articles/managing-deploy-keys if you need help with that.
Once that is done, you just have to configure the connection between your git server and github's:
add an alias to git user's ssh configuration (add following lines to /home/git/.ssh/config - create it if it's not present)
Host reponame
IdentityFile /home/git/.ssh/reponame_key
HostName github.com
User git
Now add the new remote (using the alias you just created) to your repository:
cd /home/git/repositories/namespace/reponame.git
git remote add --mirror github reponame:youruser/reponame.git
Now that everything is in place you'll have to create the actual hook:
cd /home/git/repositories/namespace/reponame.git/hooks
echo "exec git push --quiet github &" >> post-receive
chmod 755 post-receive
The lastcommand is very important because git will check if a hook is executable before running it.
That's it!
(Replace reponame, namespace and youruser according to your real accounts and enjoy).
Last note: if you want your name andavatar near commits on github, make sure that the email address you are using on gitlab is one of the addresses inked to your github account as well. You'll see your gitlab username otherwise.
If you aren't hosting your own GitLab, GitLab.com has introduced this feature directly, without any workarounds.
From within a project use the gear icon to select Mirror Repository
Scroll down to Push to a remote repository
Checkmark Remote mirror repository: Automatically update the remote mirror's branches, tags, and commits from this repository every hour.
Enter the repository you want to update; for GitHub you can include your username and password in the URL, like so: https://yourgithubusername:yourgithubpassword#github.com/agaric/guts_discuss_resource.git —as noted in the comments, it is much better securitywise to use your GitHub access token here instead of login credentials; will update the answer when i've tested.
For WebHooks processing I'm using sinatra web server.
require 'sinatra'
post '/pew' do
puts JSON.parse request.body.read
# here can be placed signal code to run commit processing script
end
register webhook for push events(or other) to http://localhost:4567/pew within GitLab
and since this moment on each commit gitlab will be sending commit info to url.

Github sign in before a push

When I try to push my project on Github, I have to sign in every time with my Github account before the push. And I don't understand why, on certain projects I don't need to do this, only on one project.
MacBook-Pro-Firstname:ProjectName firstname$ git push origin master
Username for 'https://github.com': email#gmail.com
Password for 'https://email#gmail.com#gmail.com#github.com': *******
How can I remove the sign in process?
GitHub offers two different authentication methods for read/write access. The first, which you appear to be using, is the HTTPS method and requires username/password authentication. The other way is via SSH which uses public/private key pairs to authenticate rather than a username/password combination.
To change the URL of the repository to the SSH version, you can use git config remote.origin.url git#github.com:username/repository.git
It sounds like you already have SSH keys generated and added to your account if you don't need to authenticate for some projects, but if you don't you can set it up via this link.
I am not entirely sure but I believe you will need to create an SSH key: https://help.github.com/articles/generating-ssh-keys
You need to set up a public SSH key with Github. See this article: https://help.github.com/articles/generating-ssh-keys

Why does github keep asking me for repo credentials?

We recently moved our github from one account owner to another, and now all of the sudden when I do a git pull or any git command on the remote repo, it asks me for github username and password.
My git-config says:
[github]
user = kamilski81
token = *********
Any idea how I can stop it asking me for credentials and remember everything, does the new owner have to setup my ssh keys or something of that sort?
Following this article sorted it out for me:
https://help.github.com/articles/why-is-git-always-asking-for-my-password
git remote set-url origin git#github.com:user/repo.git
The github username and token in the gitconfig is only used for interactions with the GitHub API (for instance the hub gem and the github tool).
If you are pushing and pulling from a GitHub repository over https, then you need to specify your credentials every time, or hook into a password manager to remember the credentials for you. How to do this depends on your platform.
The easiest thing to do is to go to your github account and submit your SSH public key to your account, and then switch your github remote to push/pull over ssh instead of https.
[edit] After re-reading the question I noticed that you mentioned it was previously a GitHub repo that was just moved from one owner to another. If that's the case, and you ARE able to push and pull by specifying your credentials, it sounds to me to be one of two scenarios:
The previous remote used ssh, and GitHub has your SSH key; but when the owner changed and you updated the remote, you updated it to go over https.
The previous remote used https, but you had a password manager setup correctly to deal with your credentials, which no longer works.
After doing "remote -v"....the issue was that my remote was using an "https" remote rather than "git" remote. Changing the remote to use git rather than https solved everything.
If you execute only once git pull and Git client still asking you the credential without do the git pull for you, the problem should be because your credential is incorrect or not setup yet.
but if you get the dialog ask for credential one for each operation, it mean that your credential isn't remembered. To do that, you may use Pageant to store your SSH private key, so, everytime you do something, it will retrieve your credential from Pageant instead to asking you.

github push difficulties for new repository

I have attempted to add a new repository to github per their usual instructions with an odd rejection...
Owner#Owner-HP ~/Bescrewed
$ git push -u origin master
ERROR: Permission to TangibleDream/Bescrewed.git denied to TangibleDream/demo_app.
fatal: The remote end hung up unexpectedly
Owner#Owner-HP ~/Bescrewed
The problem is, demo_app was my last repository. The one I'm doing presently is bescrewed and should be in no way connected to demo_app.
Has anyone had this issue before?
It might be tied to an ssh issue as described in GitHub help page:
Permission to user/repo2 denied to user/repo1
This error occurs when you attach your key as a deploy key on repo1.
You can push and pull from that repo without issue, but you won’t have access to any other repo with your key.
To solve this, remove the key from repo1’s deploy keys and attach it on your account page instead. This key will now have access to all repos your account has access to.
See Deploy Keys
What are deploy keys?
Deploy keys are ssh keys just like the ones you attach to your account to allow you to push to and pull from your repos.
The only difference is that deploy keys are designed to allow access to a single private repo.
This will allow your staging or production server to pull in from your repo
The other possibility is that somehow your 'origin' remote is incorrect (check what git remote -v returns)