Github Tokens

What do you guys think of git requiring the use of tokens in order to do anything from your computer?

I personally use the git command line tool, and this is what's recommended by github to do in such a situation: https://cli.github.com/manual/gh_auth_login

So they recommend that I store the token in a text file somewhere on my computer, and create a script that reads that file.

So I'm being told to save my "Password" into a file on my computer, and to write a human readable script file that would tell a hacker exactly where that file is stored.

And this is safer than memorizing a password and entering it at login or during a git push? I'm still entering my password into the browser to log into the website anyways...
This all just feels like a logistical nightmare.
Who's got this token?
Who's actually supposed to have that token?
What permissions did I actually give person X. How can they exploit said permissions?
Why can't I give multiple tokens the same note if they have identical permissions?
How do I safely send the same token to group A (is basic email safe enough?)

Why am I worrying about any of this if my github gets maybe 3 unique views a year and I just use it to manage projects between my three computers?
I was thinking about creating a github repository, but with this idiocy not gonna happen.
Tokens are used when a web-based login isn't possible. For example, when git is running on a VPS and you have some process that automatically updates the installation. In that case, it doesn't matter much if an attacker gets access to it. You'd usually only give the token read access, and there's nothing else that can be done with it.
But why would you make them mandatory!!????
This feels like google and or microsoft pulling their embrace, extend, extinguish routine.
Are they mandatory? I don't think so. When I use Git on my PC the first time a web browser opens up asking me for a login and then Windows saves that credential from then on.

This feels like google and or microsoft pulling their embrace, extend, extinguish routine.
What exactly is being EEE'd here? Git already supports various authentication protocols.
@helios, the token may not be mandatory, but github has stopped supporting my default browsers.

I ain't gonna go default with Edge.
Hmm. I'm one of those weirdoes that use only Linux machines in daily life. Our cli interface requires it from August 13th onwards. I thought that was a global requirement in their website api for all platforms but I don't have any other OS to check that on...

Edit:
I wasn't aware of other options, this is all that git tells me when I try to push with my password
remote: Support for password authentication was removed on August 13, 2021. Please use a personal access token instead.
remote: Please see https://github.blog/2020-12-15-token-authentication-requirements-for-git-operations/ for more information.
fatal: Authentication failed for 'https://github.com/userName/etc.


On the site provided it does mention 2 step verification and an SSH key. Is this a simpler option?

I'll defend the EEE accusation as this whole thing is more complicated than what a beginner would feel comfortable tackling. I'm a hobbyist and I'm highly annoyed by it. Now it also sounds like certain browsers are required to use certain features as Furry Guy mentions. Yes, this feels like an attack on community growth potential, and a pruning of hobbyists such as myself.
I ain't gonna go default with Edge.

I've been using Microsoft Edge for a while now, it's been good. I had Chrome, went to Brave - hated the sales pitch every time I opened a new tab, then tried Edge. Have no reason to switch.

Part of me wants to go to Firefox, but I also have gotten really used to Chromium-based browsers.
I'll defend the EEE accusation as this whole thing is more complicated than what a beginner would feel comfortable tackling. I'm a hobbyist and I'm highly annoyed by it. Now it also sounds like certain browsers are required to use certain features as Furry Guy mentions. Yes, this feels like an attack on community growth potential, and a pruning of hobbyists such as myself.
Being hostile to specific subsets of a userbase is not EEE, though.
can't change edge's start page. it's unusable to me like that.
I think having security is the way of the future, and a batch file can handle it. Just gotta save that token somewhere else in case your disk crashes.
If you don't want to deal with the token using cli, get something like vs code, which is a terrible editor but it has a fairly easy to use and friendly git interface.

It seems like a non-issue to me. It's annoying, but they tell you how to resolve it and there are tools out there to hide it behind an interface. Just about everything I work with has some annoying feature, nothing new there either unfortunately.

you can run a local git server, right? I don't know if you can disable this feature as the admin of the repository or not, though. I have not done this.
I have a Gogs server at home and it only asks for user and password over the command line. It's not even about disabling a feature. A Git server operator has to specifically implement login requirements. If you were to run the bare minimum Git server it wouldn't even ask for credentials.
jonnin wrote:
can't change edge's start page.

0_o Why not?
maybe they fixed it? For a while, you simply could not change it, you got M$ start page regardless of any settings.
I don't see an issue with setting start page(s) or setting the home button destination. The new tab page can't be changed...I guess I'm too used to opening a new tab and clicking the home button now.

For my sins, I have Bing set as my home page anyway.
maybe they fixed it?

For me, make a new tab, there's a gear on the very right, choose custom, then you can put whatever picture you want. If you mean the page that the browser opens automatically, you can change that in the settings the same as Chrome.

I personally have it so it picks up where I left off, so that I don't lose my open tabs if I decide I want the browser to be closed.
that sounds like it. It would not go to a startup/home page, I couldn't remember the details, but I got rid of it over that malfunction.
Personal access tokens
Personal access tokens function like ordinary OAuth access tokens. They can be used instead of a password for Git over HTTPS, or can be used to authenticate to the API over Basic Authentication.

https://github.com/settings/tokens

Therefore tokens are nothing special compared to a separate SSH key accompanied by a GPG key.

There is no additional layer of security; after all, your token, just like an SSH key, is as secure as your local PC user account.

The purpose of tokens is workflow automation, to be used by a machine to perform a preprogrammed task that requires login to a remote, not to be used by an end user for authentication.
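Added example, not part of any post in this thread: the concern raised above about a token sitting in a text file, and the point that a token is only as secure as the local user account, can be checked with a short audit of how Git stores the HTTPS credential. The function names are illustrative, and `~/.git-credentials` is assumed as the file written by Git's built-in `store` helper.

```shell
#!/bin/sh
# Added example: report how Git keeps an HTTPS token on this account.
# Never prints the token itself, only where it lives and who can read it.

# classify_helper VALUE: map a credential.helper setting to a storage class.
classify_helper() {
    case "$1" in
        "")             echo none ;;       # Git prompts on every push
        store|store\ *) echo plaintext ;;  # unencrypted file on disk
        cache|cache\ *) echo memory ;;     # in-RAM daemon, expires after a timeout
        *)              echo external ;;   # some other helper, e.g. an OS keychain
    esac
}

# audit_cred_file FILE: print findings for a "store"-format file
# (one https://user:secret@host URL per line). Returns 1 if any finding.
audit_cred_file() {
    f=$1; rc=0
    [ -f "$f" ] || return 0
    n=$(grep -c '^https://[^:/@]*:[^@]*@github\.com' "$f" || true)
    if [ "${n:-0}" -gt 0 ]; then
        echo "plaintext-secret: $n github.com entries in $f"; rc=1
    fi
    # Characters 5-10 of the mode string are the group and other bits.
    bits=$(ls -ld "$f" | cut -c5-10)
    if [ "$bits" != "------" ]; then
        echo "loose-permissions: $f is accessible beyond its owner ($bits)"; rc=1
    fi
    return $rc
}

# audit_remote_urls: read remote URLs on stdin, flag any with an embedded secret.
audit_remote_urls() {
    awk '/^https?:\/\/[^\/@]*:[^\/@]*@/ { sub(/:[^:@\/]*@/, ":***@"); print "token-in-url: " $0; bad=1 }
         END { exit bad+0 }'
}

# Audit the current account and, if run inside a repository, its remotes.
helper=$(git config --get credential.helper 2>/dev/null || true)
echo "credential.helper is '$helper' ($(classify_helper "$helper"))"
audit_cred_file "${HOME:-.}/.git-credentials" || true
git config --get-regexp '^remote\..*\.url$' 2>/dev/null | awk '{print $2}' | audit_remote_urls || true
```

The permission check reads only the classic mode bits, so access granted through filesystem ACLs is not reported.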