
How to use GitHub Personal Access Token?

+8
−0

I have repositories on GitHub, and have been using a user name and password to access them. All was working great. I could use various GIT commands on the command line, and GIT would automatically supply the password I entered once a long time ago. It saves this in a file in my personal directory.

I'm not too concerned about security, especially anyone else using any of my machines. I was fine with a user name and password.

Unfortunately, GitHub is now insisting on stronger security, whether I care or not. Authentication with just a user name and password won't work anymore soon. According to the nasty-gram emails I get, I need to use something called a Personal Access Token.

I went to the GitHub web site and generated such a token. To be sure I'm really using it, I deleted the lines associated with GitHub from the GIT CRD file (where login credentials are kept). Unfortunately, now I can't get access anymore. For example:

C:\embed\source\util>git push -u origin master
Fatal: HttpRequestException encountered.
Username for 'https://github.com': OlinLathrop
Password for 'https://OlinLathrop@github.com':
remote: Invalid username or password.
fatal: Authentication failed for 'https://github.com/EmbedInc/util/'

Before this test, there was nothing in my GIT CRD file applying to GitHub at all.

Even before it asks me for my user name, the error on line 2 shows up. What is that all about? I never got that before.

I enter my GitHub user name on line 3, then it asks me for my password on line 4. According to GitHub, the new token is supposed to work like a password. I try to paste it in response, but echo is turned off so I don't know if the paste worked. It's something like 40 characters of gobbledygook, so not much chance of typing it correctly, especially when I can't see the result.

In any case, the request always fails.

I generally use GIT from the command line, including doing pulls and pushes to "remote", which is set up to point to the repository on GitHub in this case. If I type my old password instead of the new token, it works, and the appropriate entry is added to the GIT CRD file.

How do I access my GitHub repositories with the new Personal Access Token when using GIT on the command line?

Alternatively, how can I set up my GIT CRD file so that GIT automatically supplies the necessary credentials?

This is on machines running Windows 7 and Windows 10. The above example was on Windows 7.


Why not just use SSH?

Because

  1. I'm not familiar with it. I'd rather keep doing what I've been doing. I've got firmware and software to get on with. Sys admin activities are just overhead for me, and it's not my expertise.
  2. I thought SSH means running a command shell on my local machine, that is actually executing commands on a remote machine. I don't see how that solves the problem. I'm having problems with GIT commands running locally, trying to access a remote repository.
  3. I thought the first S in SSH stands for "secure". That implies some authentication mechanism. It seems this is just pushing the problem from one place to another. If GitHub insists on the personal authentication tokens, I expect they're going to want them for all means of access to their site.
  4. I have various GIT actions canned into scripts.

The answer by ArtOfCode suggests to update GIT, so I did that. I installed the latest as of an hour ago. Before the update "git --version" said 2.7.3.windows.1, and now it says 2.23.0.windows.1.

However, now I have a different problem when I try the same thing as above:

remote: Password authentication is temporarily disabled as part of a brownout. Please use a personal access token instead.
remote: Please see https://github.blog/2020-07-30-token-authentication-requirements-for-api-and-git-operations/ for more information.
fatal: unable to access 'https://github.com/EmbedInc/util/': The requested URL returned error: 403

I am trying to use the personal access token, but wasn't given an opportunity to enter it. There were no prompts or popups. The message above came out immediately.

What do I do with the personal access token so that it eventually gets passed to GitHub when needed? I went to the URL above, but that was a general description of how they are getting more strict with security, and the details were over my head as a GIT user that just wants to push and pull to repositories on GitHub occasionally.


SSH Confusion

There have been more comments about using SSH that don't make sense to me. Right now, I run GIT commands by entering them on the command line, or by running BAT files that run GIT for me.

SSH is a separate shell that lets you run commands on a remote system. How does that address the problem? I'd first have to run SSH to get into this remote shell, then run GIT commands. However, then I'd be running GIT on the remote machine. It sounds like quite a hassle to have to go back and forth between running commands locally and on the remote machine, but how does running them on the remote machine help in the first place? I'm still working in my local repository. I just want to pull and push to a remote repository. Are you saying I'm supposed to run a pull remotely when I really want to do a push, for example? But then how would the remote machine be able to access my data? That sounds like a huge security hole, even if I did know how to set it up.

I'm obviously missing something here.


2 answers

+5
−0

You should be able to use a PAT like a password as you've been trying to. I think what's blocking you is your Git version: see this SO question, which suggests that error comes from the Git client using TLS 1.0, which GitHub has recently dropped support for. Try to upgrade your Git client version, then try again.

+2
−0

Art's answer is correct: a PAT just replaces a password in your existing HTTPS credential use. I'm going to write a bit more about why they did this, hopefully addressing some of your "SSH Confusion" section.

SSH

SSH in its default state does, like you suggested, let you run commands on a remote computer. But if you try that on GitHub, you're going to get this chipper message and an immediately closed connection:

Hi $your_name! You've successfully authenticated, but GitHub does not provide shell access.

So you don't have to worry about running commands on the remote. GitHub won't even let you!

The SSH authentication mechanism is used for other things, too. Several of them, like Git, are for data transfer.[1] When you push or pull, you're just sending instructions for the remote to receive or supply the same set of files that your HTTPS push and pull did. There are no commands you run on the remote. Your existing sync scripts don't even need to change.

The neat things about the authentication are

  • Your key never leaves your computer to authenticate
  • Your key is super-long
  • You authenticate the server (after the first time) as well as the server authenticating you. You don't have to check that its TLS cert is signed by a CA you trust.
  • You can involve an external hardware security device to authenticate for a "something you have" factor.[2]

HTTPS

By contrast, when you establish a TLS connection with basic auth, you do end up sending the password over the wire. The tunnel is secure, but the remote gets your full-access password. And because you can't have multi-factor authentication in the Git credential flow,[3] anyone who phishes or brute-forces that password can download, tinker, and modify all your repositories.

When GitHub forces you to use a PAT, they

  • Generate a long random string, negating the brute force concern of a badly-chosen password
  • Show it to you only once, since you can't tell it to anyone if you save it in your cred manager and never look at it again
  • Restrict its access, narrowing the damage it could do if leaked

  1. Other examples include scp ("secure copy") and sftp, which is good old File Transfer Protocol with SSH authentication and encryption. ↩︎

  2. Sometimes people argue over whether an SSH key is something you know (since you don't "know" it) or something you have. Ultimately every security factor is "something you can sufficiently assert to the authenticating party," but a hardware key can't be copied if your computer is compromised. ↩︎

  3. It is not strictly true that you can't have MFA in the HTTPS auth flow–I have encountered it–but it requires special endpoint-specific handling in the credential manager. ↩︎
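
One way to do what both answers describe, putting the PAT where the password used to be, using Git's own `git credential` interface (an added example, not part of either answer). It is written for the Git Bash shell that ships with Git for Windows and assumes a credential helper is configured and may still hold the old password; the host and user name are passed as arguments, and the script name `store-pat.sh` is made up.

```bash
#!/usr/bin/env bash
# Added example. HOST and USER are supplied by the caller; the token is read
# from the terminal, never from argv, so it stays out of history and scripts.

# Emit the key=value block `git credential` reads on stdin:
# one attribute per line, ended by an empty line.
cred_block() {  # cred_block HOST USER [SECRET]
  printf 'protocol=https\nhost=%s\nusername=%s\n' "$1" "$2"
  if [ -n "${3:-}" ]; then printf 'password=%s\n' "$3"; fi
  printf '\n'
}

# Drop the CR and padding a paste tends to add; fail if the result is
# empty or still contains whitespace (it would corrupt the block above).
clean_token() {
  t=$(printf '%s' "$1" | tr -d '\r\n' | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
  case "$t" in ''|*[[:space:]]*) return 1 ;; esac
  printf '%s' "$t"
}

replace_password_with_pat() {  # replace_password_with_pat HOST USER
  # 1. Erase the stored password so Git stops replaying it.
  cred_block "$1" "$2" | git credential reject
  # 2. Read the token with echo off; a blank prompt while pasting is normal.
  printf 'Paste token for %s@%s, then press Enter: ' "$2" "$1" >&2
  IFS= read -rs pasted; echo >&2          # -s needs bash
  token=$(clean_token "$pasted") || {
    echo 'token is empty or contains whitespace' >&2; return 1; }
  # 3. Hand it to whichever helper `git config credential.helper` names.
  cred_block "$1" "$2" "$token" | git credential approve
  unset pasted token
}

# Runs only when invoked as: bash store-pat.sh github.com YOUR_USERNAME
if [ "$#" -eq 2 ]; then replace_password_with_pat "$1" "$2"; fi
```

If `git config credential.helper` prints nothing, no helper is configured and step 3 stores nothing, so Git will keep prompting.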
