How SSH works with GitHub or BitBucket - github

All,
I am using SSH to talk to GitHub/Bitbucket. Sometimes it works, but sometimes it just fails and leaves me with no clue. When trying to figure out the problem, I realized I am actually not quite clear about how this works:
How is the private key selected?
We could use ssh-add or pageant to load private keys, but multiple keys could be loaded - how does the ssh client decide which private key to use when I receive a challenge after sending the request?
How is the public key selected?
There are tons of public keys on the GitHub server. When I send a request to GitHub (like git push), I don't remember needing to specify the username I registered on GitHub (we do need to configure user.name, but I think that is only for tagging your commits) - so how does GitHub figure out which public key to use when it receives a request? And even if GitHub knows which user is sending the request (how?), how could it select the right public key from multiple keys - remember I could add more than one key to my account.
Thanks.

The ~/.ssh/id_rsa file is selected by default.
If you need to provide another key, you can use the IdentityFile directive in your ~/.ssh/config file.
GitHub knows which account simply because when challenged, your system provides a username as part of your key challenge sequence, and a lookup is done. The keys are then exchanged, and either validated or rejected.
I would suggest having the man pages at your disposal. Here is a good reference for the OpenSSH project, with a lot more information about how this works in a general sense.
GitHub has modified their ssh daemon for their needs, but mostly they must follow the specifications, and so externally we won't see a difference in behavior, though we get the benefit of being able to connect to the service quickly as authenticated/authorized for whatever actions we are allowed to perform on the repositories.
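To make the key-selection rules concrete, here is an added example (not code from the original answer or from OpenSSH) that re-implements, in simplified form, how the ssh client resolves ~/.ssh/config for a host and decides which identities to offer: blocks are scanned in file order, the first value seen for a keyword wins, IdentityFile accumulates across every matching block, and IdentitiesOnly decides whether agent keys are also offered. The SSH user for GitHub is always git; the account is identified by whichever public key the server accepts first, so the order of offered keys is what decides which account you end up as. The config text, the host aliases (github-work, github-deploy-app), the key file names and the agent contents are all constructed for this example. The same per-alias pattern is how a repository-scoped deploy key is kept separate from your personal key. On a real machine, ssh -G <host> prints the resolved configuration without connecting, and ssh -vT git@github.com shows each key as it is offered.

```python
import fnmatch
import re

# Constructed sample ~/.ssh/config (not from the original post). Three identities:
# a work key behind the alias "github-work", a repository-scoped deploy key behind
# "github-deploy-app", and a personal key for plain github.com. The git remote only
# has to use the alias (git@github-work:org/repo.git); HostName is what ssh dials.
SAMPLE_CONFIG = """
Host github-work
    HostName github.com
    User git
    IdentityFile ~/.ssh/id_ed25519_work
    IdentitiesOnly yes

Host github-deploy-app
    HostName github.com
    User git
    IdentityFile ~/.ssh/deploy_key_app
    IdentitiesOnly yes

Host github.com
    User git
    IdentityFile ~/.ssh/id_ed25519_personal
    IdentitiesOnly yes

Host *
    AddKeysToAgent yes
    IdentityFile ~/.ssh/id_rsa
"""

# Abbreviated stand-in for the identity files ssh tries when none is configured.
DEFAULT_IDENTITIES = ["~/.ssh/id_rsa", "~/.ssh/id_ecdsa", "~/.ssh/id_ed25519"]


def parse_config(text):
    """Return (patterns, {keyword: [values]}) blocks in file order.
    Options that appear before any Host line apply to every host."""
    blocks, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)   # "Key value" or "Key=value"
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "host":
            current = (value.split(), {})
            blocks.append(current)
        else:
            if current is None:
                current = (["*"], {})
                blocks.append(current)
            current[1].setdefault(key, []).append(value)
    return blocks


def host_matches(patterns, host):
    """Host matching: at least one positive pattern matches and no negated one does.
    fnmatch handles the * and ? wildcards ssh_config uses."""
    matched = False
    for pat in patterns:
        if pat.startswith("!"):
            if fnmatch.fnmatchcase(host, pat[1:]):
                return False
        elif fnmatch.fnmatchcase(host, pat):
            matched = True
    return matched


def resolve(text, host):
    """Effective options for `host`: first value wins per keyword, IdentityFile accumulates."""
    resolved, identities = {}, []
    for patterns, options in parse_config(text):
        if not host_matches(patterns, host):
            continue
        for key, values in options.items():
            if key == "identityfile":
                identities.extend(values)
            else:
                resolved.setdefault(key, values[0])
    resolved.setdefault("hostname", host)
    resolved.setdefault("identitiesonly", "no")
    resolved["identityfile"] = identities or list(DEFAULT_IDENTITIES)
    return resolved


def keys_offered(resolved, agent_keys):
    """Order in which the client offers keys (simplified): with IdentitiesOnly only the
    configured files; otherwise agent keys first (those that are also configured files
    ahead of the rest), then configured files the agent does not hold."""
    files = resolved["identityfile"]
    if resolved["identitiesonly"] == "yes":
        return list(files)
    agent_first = [k for k in files if k in agent_keys]
    agent_rest = [k for k in agent_keys if k not in agent_first]
    remaining = [k for k in files if k not in agent_keys]
    return agent_first + agent_rest + remaining


if __name__ == "__main__":
    agent = ["~/.ssh/id_ed25519_personal", "~/.ssh/id_ed25519_work"]  # constructed agent contents
    for host in ("github-work", "github-deploy-app", "github.com", "example.org"):
        r = resolve(SAMPLE_CONFIG, host)
        print(f"{host:18} -> {r['hostname']:12} IdentitiesOnly={r['identitiesonly']:3} "
              f"offers {keys_offered(r, agent)}")
```

Two things the output makes visible: without IdentitiesOnly every key in the agent is offered before the configured file, so with two GitHub accounts loaded you can authenticate as the wrong one (and with many keys loaded you can exhaust the server's authentication attempts before the right key is tried); and an IdentityFile under Host * is appended to every alias, so it is also offered for the deploy-key alias, which defeats the point of scoping that alias to one key.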

Related

Segregate SSH Access for Multiple Repositories in One Account

I would need to give access to our three GitHub repositories, segregating them by working group. Each working group should be enabled to only see and operate on its own one.
I enabled the SSH key pair access method for our Company Account, going into the Company Account Settings and adding the Public Key in the SSH and GPG Keys section. It works properly.
However, my doubt here is the following:
If I give this private key to the working groups, they would see all three repositories, while I would need to assign a different private key for each one of the repositories and working groups.
I was not able to find a section to enable the feature at a repository level.
Anyone who can help on this?
Many thanks,
The typical way to do this is to grant access to those repositories based on a team. If your company account is an organization, then you can create teams and assign each member to an appropriate team. Then, you can grant access to each repository in its settings to an appropriate set of teams.
If your company account is an individual account, that's not ideal. You can add some contributors to each individual repository in the settings to allow them access. You should probably convert this company account to an organization instead.
Once you've done that, then users should use their own SSH keys or personal access tokens to access the repository. You shouldn't need to give any organizational-level keys to users.

Error with git push using new personal access token

I am unable to push to git after generating a new personal access token. I've looked around at similar questions but think that I may have a more fundamental misunderstanding of how this works.
I got an email saying passwords were being phased out, so I generated a token and could no longer push a repo I've been working on using my password. From the instructions it looked like I could use the token just like a password, but to no avail. This is what the error looks like:
where I have pasted my token when prompted for the password. (I've blacked out my username.) I am on Windows 10 and, having checked my credential manager, do not appear to have credentials stored for GitHub at the moment.
My questions are:
Ideas for immediate convenient fixes? I was seeing some suggestions about setting the remote URL, but I'm a little concerned about doing this for every repo I have. I'd like to change my workflow minimally, if possible.
I'm probably grossly misunderstanding the point of the token. What is the "correct" way to set up a workflow to GitHub? (Including maybe big changes that might take me a weekend to set up correctly, in a few weeks from now, say.) Am I supposed to set up 2FA? (Will this change my web login at all?) Why is this more secure than a password? I've currently not set up SSH or anything else, really.
I followed a similar workflow, generating a new token (in github.com/settings/tokens) and using it as the password without issues.
I just made sure:
its scope included repo, workflow, gist and user. (you can update those scopes without regenerating the token)
its expiration date was either not set, or set to a date far enough to allow me to test/use it.
The resulting token should start with ghp_
ghp_DUvWjre....(ghp_ followed by 36 alphanumerical chars)
The OP Tommy Tang confirms in the comments:
I didn't find a previous credential, so I just added a generic credential on the manager, and it works.
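The token "works like a password" because git hands the HTTPS prompt to a credential helper, which is what the Windows Credential Manager entry above is feeding. The following added example (not code from the answer, nor an official GitHub or git helper) is a minimal helper written against git's credential protocol: git runs the helper with the action name as its argument, writes key=value lines followed by a blank line on stdin, and expects username=/password= lines back. The helper reads the token from an environment variable (GITHUB_TOKEN and GITHUB_USER are names chosen for this example), checks it has the ghp_ plus 36 alphanumeric characters shape the answer describes, and declines to answer for any host other than github.com so the token is never sent to another server that happens to prompt for credentials. The request text in the test is constructed, and the token value is a placeholder, not a real secret.

```python
#!/usr/bin/env python3
"""Minimal git credential helper that serves a classic GitHub personal access token.

Install (hypothetical path):   git config --global credential.helper /usr/local/bin/gh_token_helper.py
Use:                           GITHUB_USER=alice GITHUB_TOKEN=ghp_... git push
"""
import os
import re
import sys

# Only answer for GitHub itself; any other host gets an empty reply and git moves on
# to the next helper or prompts the user.
GITHUB_HOSTS = {"github.com", "api.github.com"}

# Classic PAT shape from the answer: "ghp_" followed by 36 alphanumeric characters.
# Fine-grained tokens (github_pat_...) and OAuth tokens (gho_...) are deliberately
# not accepted by this example.
TOKEN_RE = re.compile(r"^ghp_[A-Za-z0-9]{36}$")


def parse_request(text):
    """Parse git's credential input: key=value lines terminated by a blank line."""
    attrs = {}
    for line in text.splitlines():
        if not line:
            break
        key, sep, value = line.partition("=")
        if sep:
            attrs[key] = value
    return attrs


def format_response(attrs):
    """Serialize a reply in the same key=value format git reads back."""
    return "".join(f"{key}={value}\n" for key, value in attrs.items())


def credential_get(request_text, username, token):
    """Answer a 'get' request; return the reply text, or "" to decline."""
    req = parse_request(request_text)
    if req.get("protocol") != "https" or req.get("host") not in GITHUB_HOSTS:
        return ""                      # not GitHub over TLS: never release the token
    if not username or not TOKEN_RE.fullmatch(token):
        return ""                      # wrong shape: let git prompt instead of sending junk
    return format_response({"username": username, "password": token})


def main(argv):
    if len(argv) != 2 or argv[1] != "get":
        return 0                       # store/erase: nothing to do, the token lives in the environment
    reply = credential_get(sys.stdin.read(),
                           os.environ.get("GITHUB_USER", ""),
                           os.environ.get("GITHUB_TOKEN", ""))
    sys.stdout.write(reply)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The host check is the part worth keeping even if you use a different store: git asks the helper for every HTTPS remote, so a helper that returns the same secret for any host turns a malicious submodule or remote URL into a token exfiltration path.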
https://mycyberuniverse.com/how-fix-fatal-authentication-failed-for-https-github-com.html
After generating a new Personal Access Token, under 'Select Scopes', click on 'repo', then hit 'Generate new token'. This will give you a token which can be used to push code from the command line.

github personal access token with clone access only scope

I am trying to give clone-only access without push. I know how to create a personal access token and have created one, but I am not sure which scope to choose.
I pretty much tried all four, one by one, and even selecting all does not work. (Somehow selecting repo, which automatically checks the other 4, would work, but this would give total access.) I read the documentation about the scopes https://developer.github.com/apps/building-oauth-apps/understanding-scopes-for-oauth-apps/ which doesn't really help me understand it much.
repo Full control of private repositories
repo:status Access commit status
repo_deployment Access deployment status
public_repo Access public repositories
repo:invite Access repository invitations
I would only need clone access and nothing else.
Thanks in advance for any help or suggestions.
You cannot restrict a personal access token to read-only access on GitHub. You'll need to use a deploy key and SSH in order to provide read-only access. Note that deploy keys can also have push access, so make sure you don't check that box.

Restrict Github API access to only one repository of an user

We have a web application which lets the user write code and store it in an internal git repository on our server.
Now we want to allow the user to share his code with his GitHub repository. So we looked through the API documentation of GitHub and found a way via OAuth2.
However, to make this work we need to request write access from the user, but the GitHub OAuth access scopes only include write access to all repositories of a user, which is way too much for us.
Is it possible to restrict an api access for only one specific repository of an user?
As per jasonrudolph comment, it is not currently possible to restrict API access to a specific repository.
Deploy keys are the closest thing that provides this type of functionality. (This won't help you from an API perspective, but a deploy key might meet your underlying need.) If your application were to generate a public/private SSH keypair, and the user were to add the public key as a deploy key in the repository, then you could use the private key to access just that one repository (without having access to the user's other repositories).

Access to only one OpenShift application?

The simplest OpenShift account offers up to three applications.
How would I give access to a third party, restricted to only one application? They need to be able to deploy code to only that one app.
I could create a second set of SSH keys - but it seems that keys are account level access: i.e. all applications on that account.
I could create an Authorization token - but that's also at account level.
I could just share the SSH details of the application - but then when I want to close access, how would I change the details?
Feel like I'm missing something obvious here.
Thanks in advance for any pointers.
SSH keys are the way to go. The third party can provide you their public key so you can add it to your account. Then, you can give them the UUID and App URL (or git URL) for just that one app. They do potentially have access to all gears within your account, but realistically, it's safe to assume they can't guess the UUID of your other apps.
To revoke access, just delete the public key from your account.