This is a question for developers. GitHub are about to enforce use of personal access tokens, which is, in effect, a long (40-character) random password. I find using this to be more awkward and prone to security risk due to the need to keep the token in a document rather than in my head. (I can remember a complex password but not 40 random characters - I am not Deep Thought!)
My question is: do you have advice on a workflow for using GitHub from the GNU/Linux (bash) command line using a PAT?
I totally agree that long random tokens are almost impossible to remember, whereas one can produce long passphrases that can be memorized easily and are secure (simply because they are long enough).
I'll try to make a few suggestions that might or might not work, depending on your workflow and what you want to protect against.
The tool pass: https://www.cloudsavvyit.com/8817/how-to-use-pass-a-command-line-password-manager-for-linux-systems/ builds on your GPG key and is a command-line style password manager. That means you could protect your PAT (or many of them) with your password, and the PATs would be stored encrypted on your disk. However, basic usage would require an additional bash command to retrieve the PAT in unencrypted form (it can be copied to the clipboard with an auto-clear feature).
Regarding the credential stores of GitHub, I also found a reference to *Git Credential Manager Core (GCM Core)*, for instance here: https://stackoverflow.com/questions/46645843/where-to-store-the-personal-access-token-from-github They say that Linux support is not fully finished, but that was 2018, and the readme now mentions that terminal usage should support everything under Linux. The most suitable backend would probably be pass. Compared to using pass stand-alone, this should save you the additional command and clipboard transfer of your PAT. Unfortunately, I am not at home now, so I could not try it out.
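The "additional command" the reply mentions can be removed without GCM Core by giving git a small credential helper that asks pass for the token on demand. The script below is an added example, not code from the thread, from pass, or from GCM Core. It assumes the PAT was stored with `pass insert github/pat` (first line of the entry is the token), that the script is saved under the hypothetical name `git-credential-pass` somewhere on PATH, and that your GitHub login is in `GITHUB_USER`; it answers only for `https://github.com` and stays silent for every other host so git falls back to its normal prompt.

```shell
#!/bin/sh
# Added example (not from the thread): a minimal git credential helper that
# hands git a PAT stored in `pass`, so the token never sits in a plain-text
# file and you are not prompted for it on every push.
#
# Assumptions (change to taste):
#   - the PAT is stored with `pass insert github/pat` (first line = the token)
#   - your GitHub login is in GITHUB_USER (GitHub ignores the username when a
#     PAT is used as the password, but git still needs to send one)
# Install: save as git-credential-pass on PATH, chmod +x, then
#   git config --global credential.helper pass
# git then runs `git-credential-pass get` with key=value lines on stdin.

PASS_ENTRY="${PASS_ENTRY:-github/pat}"
GITHUB_USER="${GITHUB_USER:-your-github-login}"

# Fetch the secret for one pass entry (first line only). Kept as a separate
# function so it can be replaced by a stub for offline testing.
lookup_secret() {
    pass show "$1" | head -n 1
}

# Implement the "get" action of the git credential protocol: read key=value
# lines up to a blank line, answer only for https://github.com, and print
# nothing for anything else so git falls back to its usual prompt.
credential_get() {
    protocol=""
    host=""
    while IFS= read -r line; do
        [ -n "$line" ] || break
        key=${line%%=*}
        value=${line#*=}
        case "$key" in
            protocol) protocol=$value ;;
            host)     host=$value ;;
        esac
    done
    if [ "$protocol" = "https" ] && [ "$host" = "github.com" ]; then
        secret=$(lookup_secret "$PASS_ENTRY") || return 1
        [ -n "$secret" ] || return 1
        printf 'username=%s\n' "$GITHUB_USER"
        printf 'password=%s\n' "$secret"
    fi
}

# "store" and "erase" are deliberate no-ops: the only copy of the PAT is the
# encrypted one in pass, and git must not write it anywhere else.
case "${1:-}" in
    get)         credential_get ;;
    store|erase) ;;
esac
```

Because `store` is a no-op, git never writes the token to `~/.git-credentials`; gpg-agent's passphrase caching is what keeps you from typing the GPG password on every push, so tune its `default-cache-ttl` rather than storing the PAT in the clear.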
Perhaps I'm not understanding you, but … why not use SSH access? I do it all the time and never have a problem, nor do I have to write a password (in fact, it doesn't look very different from using PATs).
My private keys are always on my computer, and I can choose to store them encrypted or as plain text, depending on my level of trust in the given computer.
For instance, as I always use encrypted partitions for my personal data, I normally leave private keys unencrypted, so I only need to write my password when logging in.
If I'm using a third person's (or untrusted) computer, I always encrypt my private keys with good passwords.
I am currently specifically talking about developing on Zynthian, where there isn't a desktop like GNOME, and the Zynthian git repos are https on the Zynthian image, so SSH isn't an option.
Does the normal update process work after changing to ssh, i.e. if I change zynthian-ui to use ssh and then run an update from the UI, will it work? After adding a private key to Zynthian, would that just work?
I am quite miffed that an attempt to make things more secure will result in many people's workflows being less secure, e.g. passwords in plain text.
I don't see why not. git fetch and git pull work exactly the same. I'd need to review the script to see if it does any git clones, because they would need changing.
Oh, setting up the key would need some work, I think.
You can have more than one remote too, though. Zynthian update could use origin while you could set up a second remote to do pushes with ssh. git push ssh-remote or something. I
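The SSH reply earlier in the thread and the two-remote idea just above can be combined so that the updater never notices the change: origin keeps its https fetch URL, and only the push URL is switched to ssh. The script below is an added example, not code from the thread or from the Zynthian project. It assumes the repo lives at `/zynthian/zynthian-ui`, names the key `~/.ssh/id_ed25519_github`, and uses the hypothetical file name `setup-ssh-push.sh`; `DRY_RUN=1` only prints the commands it would run. Using origin's push URL instead of a separate `ssh-remote` is a design choice here; `git remote add ssh-remote "$ssh_url"` followed by `git push ssh-remote` works just as well if you prefer to keep the two explicitly apart.

```shell
#!/bin/sh
# Added example (not from the thread): push over ssh while the Zynthian
# updater keeps pulling over https.
# Assumptions: repo at /zynthian/zynthian-ui, key at ~/.ssh/id_ed25519_github.

# Run a command, or only print it when DRY_RUN=1 (preview mode; also what
# the offline check uses).
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# https://github.com/owner/repo[.git][/]  ->  git@github.com:owner/repo.git
# Fails for anything that is not a GitHub https URL.
https_to_ssh() {
    case "$1" in
        https://github.com/*) path=${1#https://github.com/} ;;
        *) return 1 ;;
    esac
    path=${path%/}
    case "$path" in
        *.git) ;;
        *) path="$path.git" ;;
    esac
    printf 'git@github.com:%s\n' "$path"
}

# The ~/.ssh/config stanza that pins one key to github.com. IdentitiesOnly
# stops ssh from offering every key in the agent before the right one.
ssh_config_stanza() {
    printf 'Host github.com\n    IdentityFile %s\n    IdentitiesOnly yes\n' "$1"
}

# Create a dedicated ed25519 key (ssh-keygen prompts for a passphrase; leave
# it empty only on a machine you trust, as the reply above does) and
# register it for github.com.
setup_key() {
    key=${1:-$HOME/.ssh/id_ed25519_github}
    cfg=${SSH_CONFIG:-$HOME/.ssh/config}
    run ssh-keygen -t ed25519 -f "$key" -C zynthian
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '# would append to %s:\n' "$cfg"
        ssh_config_stanza "$key"
    else
        mkdir -p "$(dirname "$cfg")"
        ssh_config_stanza "$key" >> "$cfg"
        chmod 600 "$cfg"
    fi
}

# Keep origin's fetch URL (https, used by the updater) and set only the push
# URL to ssh: `git pull` is unchanged, `git push` uses the key.
set_push_url() {
    repo=$1
    ssh_url=$(https_to_ssh "$2") || { echo "not a GitHub https URL: $2" >&2; return 1; }
    run git -C "$repo" remote set-url --push origin "$ssh_url"
}

# Usage:  sh setup-ssh-push.sh key
#         sh setup-ssh-push.sh push /zynthian/zynthian-ui https://github.com/zynthian/zynthian-ui.git
case "${1:-}" in
    key)  setup_key "${2:-}" ;;
    push) set_push_url "${2:-.}" "${3:?https origin URL required}" ;;
esac
```

After `key`, add the contents of `~/.ssh/id_ed25519_github.pub` to your GitHub account's SSH keys and check with `ssh -T git@github.com`; `git remote -v` afterwards shows the https fetch URL and the ssh push URL side by side, which is the quickest way to confirm the updater's path is untouched.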