I recently started getting notifications about the GitHub deprecation of basic authentication using a password to Git - see their blog post https://github.blog/2020-12-15-token-authentication-requirements-for-git-operations/.
In this post, they say the following:
For developers, if you are using a password to authenticate Git operations with GitHub.com today, you must begin using a personal access token over HTTPS (recommended) or SSH key by August 13, 2021, to avoid disruption.
A short while ago, I started using SSH keys on some of the machines I use anyway to avoid entering my password regularly or storing it unencrypted with credential helper. However, as per above, they say personal access tokens are "recommended".
What I would like to know is what are the key differences between each of these methods? This is to get some insight into why tokens are "recommended" and whether it is worth switching to this method of authentication.
When you set up SSH, you will need to generate a new private SSH key and add it to the SSH agent. You must also add the public SSH key to your account on GitHub before you use the key to authenticate or sign commits.
Be sure to refresh your keys and tokens periodically, mitigating any damage caused by keys that leaked out. Continue reading the list of 8 Azure Repos security best practices: Never store credentials as code/config in Azure Repos. Remove sensitive data in your files and Azure Repos history.
User-to-server tokens created by a GitHub App will expire after eight hours by default. Owners of GitHub Apps can configure their apps so that user-to-server tokens do not expire.
So, when you (as a user) setup your git environment you can create only one ssh-key for each machine you would like to give permission to your GitHub's account. Show activity on this post. Use a key per developer - each dev should generate their own key.
From the blog post you linked, I can see at least one benefit of tokens over SSH keys: while tokens and SSH keys both share the Unique, Revocable, and Random benefits quoted in the blog post below, tokens are also Limited in comparison to SSH keys in that they come with their own scoped permissions baked in:
While SSH keys can be read-only or read-write enabled, or scoped to specific repositories, personal access tokens do have an edge in terms of their finer-grained permissions model in comparison. This is likely why GitHub recommends tokens over SSH keys.
Tokens offer a number of security benefits over password-based authentication:
- Unique – tokens are specific to GitHub and can be generated per use or per device
- Revocable – tokens can can be individually revoked at any time without needing to update unaffected credentials
- Limited – tokens can be narrowly scoped to allow only the access necessary for the use case
- Random – tokens are not subject to the types of dictionary or brute force attempts that simpler passwords that you need to remember or enter regularly might be
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With