Comments
Wait. You mean they seriously did cut off SSH keys for terminal access in favor of PAT?

I think it's just an alternative to SSH keys...
olback (3y): But every time you authenticated with a password you'd see a message saying exactly this, no? I've been using ssh keys for years and not worrying about passwords at all.

C0D4 (3y): They removed password access; the fact you're not using a PAT or better yet SSH keys is concerning.
C0D4 (3y): @killames they'll need
1) your password - which should be random bullshit and long + changed frequently
and
2) your 2nd factor device - phone / Authenticator, and its password to gain access directly - no, Google Authenticator is not a fucking good solution.
For brute-force CLI attacks, a password of 8 characters is going to be child's play to defeat vs a PAT which is what, 30 odd characters or so.
SSH relies on you, the private key holder, to store it somewhere 1) ENCRYPTED and 2) only back it up in a secure location.
Ultimately, this would require kidnapping you, cutting your thumb off and stealing your phone, having a shitty password for your password manager and... then reusing that same shitty password for your 2FA / authenticator and... well, being fucking important enough to warrant going to this extent to hijack a fucking repo - otherwise for the average joe, this suffices to get along in life.
@killames Both the SSH key and the PAT "only" have access to your repositories - nothing else¹.
Both can't create issues, delete the account, change the password...
And the PAT (or formerly the password) was commonly stored in git urls or in plaintext on computer, drastically reducing the consequence of a compromised computer (assuming only short time compromise).
¹Assuming one doesn't create a PAT with every possible permission selected. But that would hardly be Github's fault...
Password auth was a problem because you used a token in the terminal and very often in scripts, which is capable of changing itself and has no higher level token to reset / revoke it. In the worst case, the PAT can do pretty much everything other than change the password, so you retain control over your account. This is important because Github is now an OAuth2 provider and thus the importance of a GH account is unbounded.
so.
now with the ssh key setup
whoever accesses my comp can do whatever they want
no password challenge
they can just go ahead and push shit to the repo.
that is very stupid.
you know how easy it is to get into a linux comp if it's physically in your possession?
it just involves forcing single-user mode.
key point is there is no good security for every scenario.

killames (3y): @sbiewald so I set this up and I still see ways of getting in with physical access
Including replacing the program that prompts you for your passphrase and simply gaining single user and changing the password of the user
@killames Anything that isn't encrypted is necessarily vulnerable if you have hardware access. That's why you protect ssh keys with passwords.

@lbfalvy seems like he was saying that you could do a honeypot on the process that protects the ssh key with a minimal preparation and physical hardware access.

@AvatarOfKaine A password protected ssh key is an ssh key encrypted with a password.
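The point made in the last two replies, that a passphrase-protected key is just an encrypted key file, can be checked without decrypting anything: the openssh-key-v1 container stores the cipher and KDF names in the clear before the private section. The script below is an added example, not from this thread or from OpenSSH itself; `build_key`, `audit_key` and the dummy key payloads are constructed for the demonstration.

```python
import base64
import struct

MAGIC = b"openssh-key-v1\x00"
ARMOR_BEGIN = "-----BEGIN OPENSSH PRIVATE KEY-----"
ARMOR_END = "-----END OPENSSH PRIVATE KEY-----"

def _string(b: bytes) -> bytes:
    """Encode one SSH wire-format string (uint32 length + bytes)."""
    return struct.pack(">I", len(b)) + b

def _read_string(buf: bytes, pos: int) -> tuple[bytes, int]:
    """Decode one SSH wire-format string at pos; returns (value, new pos)."""
    (n,) = struct.unpack(">I", buf[pos:pos + 4])
    return buf[pos + 4:pos + 4 + n], pos + 4 + n

def build_key(cipher: str, kdf: str, kdfopts: bytes) -> str:
    """CONSTRUCTED key file with the given header; key payloads are dummies."""
    body = (MAGIC + _string(cipher.encode()) + _string(kdf.encode())
            + _string(kdfopts) + struct.pack(">I", 1)            # one key
            + _string(b"dummy-public-key") + _string(b"dummy-private-section"))
    b64 = base64.b64encode(body).decode()
    lines = [b64[i:i + 70] for i in range(0, len(b64), 70)]
    return "\n".join([ARMOR_BEGIN, *lines, ARMOR_END]) + "\n"

def audit_key(pem: str) -> dict:
    """Report whether an openssh-key-v1 file is passphrase-protected.
    Nothing is decrypted: the answer comes from the ciphername/kdfname fields,
    which precede the (possibly encrypted) private section."""
    lines = [ln.strip() for ln in pem.strip().splitlines()]
    if lines[0] != ARMOR_BEGIN or lines[-1] != ARMOR_END:
        raise ValueError("not an OpenSSH private key file")
    blob = base64.b64decode("".join(lines[1:-1]))
    if not blob.startswith(MAGIC):
        raise ValueError("bad magic; legacy PEM keys are not handled here")
    pos = len(MAGIC)
    cipher, pos = _read_string(blob, pos)
    kdf, pos = _read_string(blob, pos)
    _kdfopts, pos = _read_string(blob, pos)
    (nkeys,) = struct.unpack(">I", blob[pos:pos + 4])
    return {"cipher": cipher.decode(), "kdf": kdf.decode(),
            "encrypted": cipher != b"none", "keys": nkeys}

# Constructed samples: an unprotected key, and one shaped like ssh-keygen's
# output when a passphrase is set (aes256-ctr with bcrypt KDF: salt + rounds).
PLAINTEXT_KEY = build_key("none", "none", b"")
PROTECTED_KEY = build_key("aes256-ctr", "bcrypt", _string(b"\x00" * 16) + struct.pack(">I", 16))
```

Run `audit_key` over the files in `~/.ssh` to find keys that would give a local attacker immediate repo access; `encrypted: False` is the case the thread is arguing about.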
FUCK YOU GITHUB AND YOUR MASTER SLAVE BLEEDING FUCKING HEART SPINELESS FUCKING HYPERSENSITIVE BULLSHIT TO BEGIN WITH !!! NOW FUCK YOU FOR REMOVING SHELL AUTHENTICATION AND GIVING ME A GODDAMN OTHER THING TO ANNOY ME !
rant