don't git clone over https! (beginner) anthony explains

Рет қаралды 24,124

Күн бұрын

Пікірлер: 46

@hamzasayyid8152 2 жыл бұрын

I'm not really tech savvy, but I don't have to sign in everytime using https. Must have stored the username and password somewhere. Although, these days I use the github cli, so I don't know if that matters

@OrCarmi 2 жыл бұрын

Thanks for this. Would you recommend ssh keys over api tokens as well?

@Jason-jb1tf 2 жыл бұрын

As a security engineer, I would recommend ssh keys over PATs in nearly every case. GitHub did release finer scoped PATs recently, which reduces some of the risk of PATs, but ssh keys are ideal for pushing/pulling IMO since they can't be used to authenticate you to other parts of GitHub if stolen - they can only be used for pushing and pulling.

@OrCarmi 2 жыл бұрын

@user-lg8ev3yb5w thanks for the explanation!

@xscorp382 2 жыл бұрын

Git also provides using access tokens instead. So if you don't wanna use your password to git, you can use that access token in place of your password. And what is better is that you can confine the access rights for that token. So even if somebody steals your access token, he would only be able to do things that the access token was allowed you do while compromise of SSH keys might lead to havoc.

@anthonywritescode 2 жыл бұрын

access tokens give more power than ssh tokens. also you're specifically talking about github

@michalroesler Жыл бұрын

That tutorial worked for me. It's awesome and very professional.

@MartinFiala-vw6pd 8 ай бұрын

Short and working. Great stuff! Thanks.

@drz1 2 жыл бұрын

Newbie question here about encryption, so since you gave GitHub your public key, does that mean that they can publicly share that repo encrypted with your public key and since you have the private key you're the only one who can decrypt that information? What about the reverse to push? Is my understanding correct that GitHub would authenticate you when you successfully decrypt the first message sent you encrypted with your public key, hence permitting you to do pushes in the session?

@anthonywritescode 2 жыл бұрын

it's soooorta like that -- though usually the public / private key part is only used at the beginning -- then a symmetric key is agreed upon and used from there on

@drz1 2 жыл бұрын

@@anthonywritescode makes total sense, thank you!

@mrswats 2 жыл бұрын

Oookay, time to rotate my ssh keys. Would you recommend storing ssh key pairs in a password manager?

@anthonywritescode 2 жыл бұрын

you probably could! I currently don't but maybe I should

2 жыл бұрын

I think you should. I use KeePass + KeeAgent for that.

@almostprofessionalrecords6651 2 жыл бұрын

I used https and it stored my password somewhere, typed it only once months ago and it still works

@anthonywritescode 2 жыл бұрын

"somewhere" -- and the password that gives full access to your account?

@almostprofessionalrecords6651 2 жыл бұрын

@@anthonywritescode `git config --get credential.helper` gives me `osxkeychain`. If something can read my password from there, then I guess it can also read my private ssh keys. What is the difference?

2 жыл бұрын

You can also save your password in a file that's r/w for your user only. 🤷‍♂️ And never type your password again 🤷‍♂️

@anthonywritescode 2 жыл бұрын

ssh keys don't give full access to your entire account

2 жыл бұрын

@@anthonywritescode you don't have to use a password in the credential, API key with push access only also works

@dp3455 4 күн бұрын

why no passphrase is asked when repository is cloned?

@anthonywritescode 3 күн бұрын

because the ssh key has already been unlocked when added to the ssh agent

@FresosSoapbox 4 ай бұрын

I guess I’m above “beginner” level, but I always `clone` and `fetch` over (anonymous) HTTPS (for public repositories) - but then set up different push URLs (`git remote set-url --push`) for things that I have access to, so pushes _will_ go through SSH.

@hemanth8169 6 ай бұрын

Thank you! This was very helpful for me.

@VijayJaisankar 2 жыл бұрын

Thanks for this video! It not HTTPS, how would we clone a repo into a docker container?

@anthonywritescode 2 жыл бұрын

in readonly scenarios https is fine, this is more about doing work on things

@VijayJaisankar 2 жыл бұрын

@@anthonywritescode Awesome, thanks for the clarification :)

@benh8657 3 ай бұрын

Well that worked easily enough. Thank you!

@guntbert9709 2 жыл бұрын

I've been using ssh keys for a Very Long Time™ but never thought of using a naked ssh-add ;-)

@kabirkumar5815 5 ай бұрын

Cant you just do gh auth?

@Phaust94 2 жыл бұрын

Good luck doing that on Windows as a beginner :)

@anthonywritescode 2 жыл бұрын

I had someone in my chat verify that the same commands work on windows (I also checked there)

@Phaust94 2 жыл бұрын

I mean, there's too much jumping through the hoops to install the ssh client on Windows, to my taste. At least it's not git-secret though.

@anthonywritescode 2 жыл бұрын

ssh is available out of the box on modern windows

@Phaust94 2 жыл бұрын

Really? I remember the good ol days of installing Putty and whatnot to make it work. I guess I'm that old. Good to know :)

@fabtjar Жыл бұрын

I hardly use windows and the same commands work fine for me

@santidelgado8088 6 ай бұрын

thanks man I lov u

@Daloshka 8 ай бұрын

nice explaining

@evadeflow 2 жыл бұрын

I wish I could take your advice-which I agree with-but my corporate overlords have a strict, MITM authenticating HTTP proxy between us employees and the Interwebs, so… cloning via HTTPS is the only option. I’m guessing that’s why GitHub suggests the HTTPS url by default: if you’re able to view the page at all, HTTPS will Just Work™, whereas SSH might not for unlucky folks like me. 🫤

@anthonywritescode 2 жыл бұрын

sounds like it's time to find a new job lmao

@Tobinsvids 2 жыл бұрын

Or use a Personal Access Token (PAT) and give it the permissions you want it to have

@evadeflow 2 жыл бұрын

@@Tobinsvids: Oh-I _do_ use a PAT when cloning one of ‘my’ repos via HTTPS. (IIRC, this is _required_ now because GitHub no longer allows password authentication.)

@d3stinYwOw 2 жыл бұрын

@@anthonywritescode It's a universal issue between corporations it seems - in mine as well we have MITM proxy and more hoops, connecting to Azure AD and more. Tragedy. They DISABLED ssh for Azure repos, but keeps it enabled for on-prem bitbucket and gitlab... Changing workplace won't always work, all depends what's happening in life etc. I will definitely try to move to PATs, but they expire them little too aggresively, at least for Azure CI thingie.