GitHub Personal Access Token

This is a question for developers. GitHub are about to enforce use of personal access tokens, which is, in effect, a long (40 character) random password. I find using this to be more awkward and prone to security risk due to the need to keep the token in a document rather than in my head. (I can remember a complex password but not 40 random characters - I am not Deep Thought!)

My question is: do you have advice on a workflow for using GitHub from the Linux/GNU (bash) command line using a PAT?

I totally agree that long random tokens are almost impossible to remember, whereas one can produce long passphrases that can be memorized easily and are secure (just because of enough length).

I'll try to make a few suggestions that might or might not work, depending on your workflow and on what you want to protect against.

Hope this helps as a starting point or feel free to give us some details about what you want to protect against and other specific requirements.

Regarding the credential stores of GitHub, I also found a reference to *Git Credential Manager Core (GCM Core)*, for instance here: https://stackoverflow.com/questions/46645843/where-to-store-the-personal-access-token-from-github They say that Linux support is not fully finished, but that was 2018, and the readme now mentions that for terminal usage it should support everything under Linux. The most suitable backend would probably be pass. Compared to using pass stand-alone, this should save you the additional command and clipboard transfer of your PAT. Unfortunately, I am not at home now, so I cannot try it out.

Sorry @riban!

Perhaps I’m not understanding you, but … why not use SSH access? I do it all the time and never have a problem nor have to write a password (in fact, it doesn’t look very different from using PATs).

My private keys are always on my computer, and I can choose to store them encrypted or as plain text, depending on my level of trust in the given computer.

For instance, as I always use encrypted partitions for my personal data, I normally leave private keys unencrypted, so I only need to write my password when logging in.

If I’m using a 3rd person’s (or untrusted) computer, I always encrypt my private keys with good passwords.

Regards,

I am currently specifically talking about developing on Zynthian, where there isn’t a desktop like GNOME, and Zynthian git repos are https on the Zynthian image, so SSH isn’t an option.

I change the git remote to include the access token.

git remote set-url origin https://<user>:<token>@github.com/<repo>

The password is stored in plaintext so it’s not super secure.

You can use it to change the origin to ssh too if you like.

Using ssh-agent bash you can add private keys to the agent with ssh-add <key name>
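The two https-based approaches above (the pass / GCM Core credential stores, and the token pasted into the remote URL) can be bridged on a headless box with git's credential-helper protocol. The script below is an added example written for this thread, not code from the posts or from the Zynthian project: it is a tiny helper that hands the PAT to git from an owner-only file, so nothing ends up in .git/config. The PAT_FILE location, the repository path and the token value in the comments are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example, not from the thread: a minimal git credential helper that
# keeps the PAT in an owner-only file instead of in the remote URL. It stands
# in for the pass / GCM Core backends on a headless box with no keyring.
# PAT_FILE is a constructed path; change it to suit your setup.

set -u

PAT_FILE="${PAT_FILE:-${HOME:-/root}/.config/github-pat}"

# Write username and token to PAT_FILE (two lines) with mode 0600.
store_pat() {
    local user="$1" token="$2"
    mkdir -p "$(dirname "$PAT_FILE")"
    ( umask 077 && printf '%s\n%s\n' "$user" "$token" > "$PAT_FILE" )
    chmod 600 "$PAT_FILE"
}

# git runs "<helper> get" with key=value lines on stdin, ended by a blank
# line, and expects username=/password= lines back. Only answer for
# https://github.com so a remote pointing elsewhere never receives the token.
credential_get() {
    local key value protocol="" host="" user="" token=""
    while IFS='=' read -r key value; do
        [ -n "$key" ] || break
        case "$key" in
            protocol) protocol="$value" ;;
            host)     host="$value" ;;
        esac
    done
    [ "$protocol" = "https" ] && [ "$host" = "github.com" ] || return 1
    [ -r "$PAT_FILE" ] || return 1
    { read -r user; read -r token; } < "$PAT_FILE"
    printf 'username=%s\npassword=%s\n' "$user" "$token"
}

# Report whether an https remote URL embeds credentials
# (https://user:token@host/...), the form that sits in plain text in
# .git/config. Useful as a quick audit of existing checkouts.
remote_url_has_token() {
    local authority
    case "$1" in
        https://*) ;;
        *) return 1 ;;
    esac
    authority="${1#https://}"
    authority="${authority%%/*}"
    case "$authority" in
        *:*@*) return 0 ;;
        *)     return 1 ;;
    esac
}

# Dispatch on the action git passes; "store" and "erase" are deliberate
# no-ops because the file is only ever written through store_pat.
case "${1:-}" in
    get)         credential_get ;;
    store|erase) ;;
    *)           ;;   # no action: just define the functions
esac
```

To use it, save the script somewhere such as /root/pat-helper.sh (constructed path), run `store_pat` once with your GitHub username and token, and register it with `git config --global credential.helper /root/pat-helper.sh`; git then invokes the script with `get` appended whenever an https remote needs credentials. Audit the remotes you already have with `git remote get-url origin` piped through `remote_url_has_token` to find any that still carry a token in the URL.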

Does normal update process work after changing to ssh, i.e. if I change zynthian-ui to use ssh then run an update from the UI will it work? After adding private key to Zynthian would that just work?

I am quite miffed that an attempt to make things more secure will result in many people’s workflows being less secure, e.g. passwords in plain text.

I don’t see why not. git fetch and git pull work exactly the same. I’d need to review the script to see if it does any git clones because they would need changing.

Oh, setting up the key would need some work I think.

You can have more than one remote too though. Zynthian update could use origin while you could set up a second remote to do pushes with ssh. git push ssh-remote or something. I

I had to resolve this to fix an issue and create a pull request today. These are the steps I took:

  • ssh into Zynthian
  • ssh-keygen -t ed25519 -C "user@email.address"
    • accept default file path
    • enter empty passphrase (to avoid being asked for it each time you pull or commit)
  • cat /root/.ssh/id_ed25519.pub
  • Copy printed text to copy buffer (highlight and right click on my OS)
  • Point web browser at Add new SSH keys (github.com) (login if necessary)
  • Add a title (I used zynthian) and paste the ssh text into the key field then click Add SSH Key
  • In zynthian ssh session, change to each zynthian repository directory and enter git remote set-url origin git@github.com:zynthian/<repo name>, e.g.
cd /zynthian/zynthian-webconf
git remote set-url origin git@github.com:zynthian/zynthian-webconf.git

A problem (yet to be resolved) is that the passphrase is requested for git pull commands, which stops updates working. Anyone know how to fix that?

[Edit] The code block to set all the repos:

cd /zynthian/zynthian-webconf
git remote set-url origin git@github.com:zynthian/zynthian-webconf.git
cd /zynthian/zynthian-ui
git remote set-url origin git@github.com:zynthian/zynthian-ui.git
cd /zynthian/zynthian-sys
git remote set-url origin git@github.com:zynthian/zynthian-sys.git
cd /zynthian/zynthian-data
git remote set-url origin git@github.com:zynthian/zynthian-data.git
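The same switch, done once for every checkout rather than by hand per repository, as an added example written for this thread (not code from the post or the Zynthian project). The four repository paths are the ones listed above; the URL conversion also discards any user:token@ part from an old https remote, so a PAT that was pasted into a URL earlier is not carried over, and the old URL is never echoed back to the terminal for the same reason.

```bash
#!/usr/bin/env bash
# Added example, not from the thread: rewrite GitHub https origins to the SSH
# form across several checkouts. The repo directories are the ones named in
# the post; to_ssh_url also drops any user:token@ part so a PAT embedded in
# an old remote URL does not survive the switch.

set -u

# Convert https://[user:token@]github.com/owner/repo[.git][/] to
# git@github.com:owner/repo.git. SSH URLs pass through; anything that is not
# a GitHub https URL is echoed unchanged with a non-zero status.
to_ssh_url() {
    local url="$1" rest authority host path
    case "$url" in
        git@github.com:*) printf '%s\n' "$url"; return 0 ;;
        https://*/*) ;;
        *) printf '%s\n' "$url"; return 1 ;;
    esac
    rest="${url#https://}"
    authority="${rest%%/*}"      # host, possibly prefixed by user:token@
    path="${rest#*/}"
    host="${authority##*@}"      # discard any embedded credentials
    if [ "$host" != "github.com" ]; then
        printf '%s\n' "$url"; return 1
    fi
    path="${path%/}"             # tolerate a trailing slash
    path="${path%.git}"          # normalise so .git is appended exactly once
    printf 'git@github.com:%s.git\n' "$path"
}

# Point origin of each checkout at its SSH URL. The previous URL is not
# printed because it may contain a token.
convert_repos() {
    local dir current new
    for dir in "$@"; do
        if ! current="$(git -C "$dir" remote get-url origin 2>/dev/null)"; then
            printf 'skip %s: not a git checkout with an origin\n' "$dir" >&2
            continue
        fi
        if new="$(to_ssh_url "$current")"; then
            git -C "$dir" remote set-url origin "$new"
            printf '%s: origin -> %s\n' "$dir" "$new"
        else
            printf 'skip %s: origin is not a GitHub https remote\n' "$dir" >&2
        fi
    done
}

# The four repositories listed in the post; pass your own paths to override.
ZYNTHIAN_REPOS="/zynthian/zynthian-webconf /zynthian/zynthian-ui /zynthian/zynthian-sys /zynthian/zynthian-data"

if [ "${1:-}" = "--apply" ]; then
    shift
    if [ "$#" -gt 0 ]; then
        convert_repos "$@"
    else
        # word splitting of the space-separated list is intended here
        convert_repos $ZYNTHIAN_REPOS
    fi
fi
```

Run it as `./switch-remotes.sh --apply` (constructed file name) on the Zynthian over ssh; without `--apply` it only defines the functions, so `to_ssh_url` can be called on its own to preview what a given remote would become.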