don't git clone over https! (beginner) anthony explains
Вставка
- Опубліковано 13 жов 2024
- in today's video I talk about git cloning when you want to make a contribution and present the benefits of using an ssh key -- I also show how to set one up
playlist: • anthony explains
==========
twitch: / anthonywritescode
dicsord: / discord
twitter: / codewithanthony
github: github.com/aso...
stream github: github.com/ant...
I won't ask for subscriptions / likes / comments in videos but it really helps the channel. If you have any suggestions or things you'd like to see please comment below!
I'm not really tech savvy, but I don't have to sign in everytime using https. Must have stored the username and password somewhere. Although, these days I use the github cli, so I don't know if that matters
Git also provides using access tokens instead. So if you don't wanna use your password to git, you can use that access token in place of your password. And what is better is that you can confine the access rights for that token. So even if somebody steals your access token, he would only be able to do things that the access token was allowed you do while compromise of SSH keys might lead to havoc.
access tokens give more power than ssh tokens. also you're specifically talking about github
Thanks for this.
Would you recommend ssh keys over api tokens as well?
As a security engineer, I would recommend ssh keys over PATs in nearly every case. GitHub did release finer scoped PATs recently, which reduces some of the risk of PATs, but ssh keys are ideal for pushing/pulling IMO since they can't be used to authenticate you to other parts of GitHub if stolen - they can only be used for pushing and pulling.
@user-lg8ev3yb5w thanks for the explanation!
I guess I’m above “beginner” level, but I always `clone` and `fetch` over (anonymous) HTTPS (for public repositories) - but then set up different push URLs (`git remote set-url --push`) for things that I have access to, so pushes _will_ go through SSH.
That tutorial worked for me. It's awesome and very professional.
Short and working. Great stuff! Thanks.
Oookay, time to rotate my ssh keys.
Would you recommend storing ssh key pairs in a password manager?
you probably could! I currently don't but maybe I should
I think you should. I use KeePass + KeeAgent for that.
I used https and it stored my password somewhere, typed it only once months ago and it still works
"somewhere" -- and the password that gives full access to your account?
@@anthonywritescode `git config --get credential.helper` gives me `osxkeychain`. If something can read my password from there, then I guess it can also read my private ssh keys. What is the difference?
You can also save your password in a file that's r/w for your user only. 🤷♂️ And never type your password again 🤷♂️
ssh keys don't give full access to your entire account
@@anthonywritescode you don't have to use a password in the credential, API key with push access only also works
Thank you! This was very helpful for me.
Newbie question here about encryption, so since you gave GitHub your public key, does that mean that they can publicly share that repo encrypted with your public key and since you have the private key you're the only one who can decrypt that information?
What about the reverse to push? Is my understanding correct that GitHub would authenticate you when you successfully decrypt the first message sent you encrypted with your public key, hence permitting you to do pushes in the session?
it's soooorta like that -- though usually the public / private key part is only used at the beginning -- then a symmetric key is agreed upon and used from there on
@@anthonywritescode makes total sense, thank you!
I wish I could take your advice-which I agree with-but my corporate overlords have a strict, MITM authenticating HTTP proxy between us employees and the Interwebs, so… cloning via HTTPS is the only option. I’m guessing that’s why GitHub suggests the HTTPS url by default: if you’re able to view the page at all, HTTPS will Just Work™, whereas SSH might not for unlucky folks like me. 🫤
sounds like it's time to find a new job lmao
Or use a Personal Access Token (PAT) and give it the permissions you want it to have
@@Tobinsvids: Oh-I _do_ use a PAT when cloning one of ‘my’ repos via HTTPS. (IIRC, this is _required_ now because GitHub no longer allows password authentication.)
@@anthonywritescode It's a universal issue between corporations it seems - in mine as well we have MITM proxy and more hoops, connecting to Azure AD and more. Tragedy. They DISABLED ssh for Azure repos, but keeps it enabled for on-prem bitbucket and gitlab...
Changing workplace won't always work, all depends what's happening in life etc. I will definitely try to move to PATs, but they expire them little too aggresively, at least for Azure CI thingie.
I've been using ssh keys for a Very Long Time™ but never thought of using a naked ssh-add ;-)
Thanks for this video! It not HTTPS, how would we clone a repo into a docker container?
in readonly scenarios https is fine, this is more about doing work on things
@@anthonywritescode Awesome, thanks for the clarification :)
Cant you just do gh auth?
Good luck doing that on Windows as a beginner :)
I had someone in my chat verify that the same commands work on windows (I also checked there)
I mean, there's too much jumping through the hoops to install the ssh client on Windows, to my taste. At least it's not git-secret though.
ssh is available out of the box on modern windows
Really? I remember the good ol days of installing Putty and whatnot to make it work. I guess I'm that old. Good to know :)
I hardly use windows and the same commands work fine for me
nice explaining
thanks man I lov u