don't git clone over https! (beginner) anthony explains

Рет қаралды 16,561

Жыл бұрын

in today's video I talk about git cloning when you want to make a contribution and present the benefits of using an ssh key -- I also show how to set one up
playlist: • anthony explains
==========
twitch: / anthonywritescode
dicsord: / discord
twitter: / codewithanthony
github: github.com/asottile
stream github: github.com/anthonywritescode
I won't ask for subscriptions / likes / comments in videos but it really helps the channel. If you have any suggestions or things you'd like to see please comment below!

Пікірлер: 37

@hamzasayyid8152 Жыл бұрын

I'm not really tech savvy, but I don't have to sign in everytime using https. Must have stored the username and password somewhere. Although, these days I use the github cli, so I don't know if that matters

@MartinFiala-vw6pd Ай бұрын

Short and working. Great stuff! Thanks.

@michalroesler 8 ай бұрын

That tutorial worked for me. It's awesome and very professional.

@OrCarmi Жыл бұрын

Thanks for this. Would you recommend ssh keys over api tokens as well?

@Jason-jb1tf Жыл бұрын

As a security engineer, I would recommend ssh keys over PATs in nearly every case. GitHub did release finer scoped PATs recently, which reduces some of the risk of PATs, but ssh keys are ideal for pushing/pulling IMO since they can't be used to authenticate you to other parts of GitHub if stolen - they can only be used for pushing and pulling.

@OrCarmi Жыл бұрын

@user-lg8ev3yb5w thanks for the explanation!

@mrswats Жыл бұрын

Oookay, time to rotate my ssh keys. Would you recommend storing ssh key pairs in a password manager?

@anthonywritescode Жыл бұрын

you probably could! I currently don't but maybe I should

Жыл бұрын

I think you should. I use KeePass + KeeAgent for that.

@Daloshka 13 күн бұрын

nice explaining

@drz1 Жыл бұрын

Newbie question here about encryption, so since you gave GitHub your public key, does that mean that they can publicly share that repo encrypted with your public key and since you have the private key you're the only one who can decrypt that information? What about the reverse to push? Is my understanding correct that GitHub would authenticate you when you successfully decrypt the first message sent you encrypted with your public key, hence permitting you to do pushes in the session?

@anthonywritescode Жыл бұрын

it's soooorta like that -- though usually the public / private key part is only used at the beginning -- then a symmetric key is agreed upon and used from there on

@drz1 Жыл бұрын

@@anthonywritescode makes total sense, thank you!

@xscorp382 Жыл бұрын

Git also provides using access tokens instead. So if you don't wanna use your password to git, you can use that access token in place of your password. And what is better is that you can confine the access rights for that token. So even if somebody steals your access token, he would only be able to do things that the access token was allowed you do while compromise of SSH keys might lead to havoc.

@anthonywritescode Жыл бұрын

access tokens give more power than ssh tokens. also you're specifically talking about github

@guntbert9709 Жыл бұрын

I've been using ssh keys for a Very Long Time™ but never thought of using a naked ssh-add ;-)

@VijayJaisankar Жыл бұрын

Thanks for this video! It not HTTPS, how would we clone a repo into a docker container?

@anthonywritescode Жыл бұрын

in readonly scenarios https is fine, this is more about doing work on things

@VijayJaisankar Жыл бұрын

@@anthonywritescode Awesome, thanks for the clarification :)

@evadeflow Жыл бұрын

I wish I could take your advice-which I agree with-but my corporate overlords have a strict, MITM authenticating HTTP proxy between us employees and the Interwebs, so… cloning via HTTPS is the only option. I’m guessing that’s why GitHub suggests the HTTPS url by default: if you’re able to view the page at all, HTTPS will Just Work™, whereas SSH might not for unlucky folks like me. 🫤

@anthonywritescode Жыл бұрын

sounds like it's time to find a new job lmao

@Tobinsvids Жыл бұрын

Or use a Personal Access Token (PAT) and give it the permissions you want it to have

@evadeflow Жыл бұрын

@@Tobinsvids: Oh-I _do_ use a PAT when cloning one of ‘my’ repos via HTTPS. (IIRC, this is _required_ now because GitHub no longer allows password authentication.)

@d3stinYwOw Жыл бұрын

@@anthonywritescode It's a universal issue between corporations it seems - in mine as well we have MITM proxy and more hoops, connecting to Azure AD and more. Tragedy. They DISABLED ssh for Azure repos, but keeps it enabled for on-prem bitbucket and gitlab... Changing workplace won't always work, all depends what's happening in life etc. I will definitely try to move to PATs, but they expire them little too aggresively, at least for Azure CI thingie.

@almostprofessionalrecords6651 Жыл бұрын

I used https and it stored my password somewhere, typed it only once months ago and it still works

@anthonywritescode Жыл бұрын

"somewhere" -- and the password that gives full access to your account?

@almostprofessionalrecords6651 Жыл бұрын

@@anthonywritescode `git config --get credential.helper` gives me `osxkeychain`. If something can read my password from there, then I guess it can also read my private ssh keys. What is the difference?

Жыл бұрын

You can also save your password in a file that's r/w for your user only. 🤷‍♂️ And never type your password again 🤷‍♂️

@anthonywritescode Жыл бұрын

ssh keys don't give full access to your entire account

Жыл бұрын

@@anthonywritescode you don't have to use a password in the credential, API key with push access only also works