Re: [OT] Upcoming Personal Access Tokens or Keys on github instructions make no sense to me
On Wed, 5 May 2021 11:57:02 -0500 Chris Bennett : > At the end of August, github will no longer accept passwords. > Months ago, I created a personal access token (PAT). > It then asks about a list of actions that are permitted. > I don't at all understand this list of permissions. OpenBSD doesn't rely on github
Re: [OT] Upcoming Personal Access Tokens or Keys on github instructions make no sense to me
On 2021/05/05 11:57, Chris Bennett wrote: > At the end of August, github will no longer accept passwords. > Months ago, I created a personal access token (PAT). > It then asks about a list of actions that are permitted. > I don't at all understand this list of permissions. > > At the time, none of it made any sense to me. > I couldn't find any instructions in the enormous amount of obtuse > documentation about this. So I didn't worry about it. > > Yesterday, I gave it a try again, getting another PAT. > I spent a few hours trying to get anything out of about 35 pages of > documentation that utterly fails to mention how to use it. > Another set of hours wasted. Ugh. > > I then tried the access keys for .ssh home folder. > This is for using SSH access. > I got two files: id_ed25519 and id_ed25519.pub > As per the instructions, I tried with these and they failed to work. > The troubleshooting pages for these are essentially worthless. > > So next I tried the community forums. > Besides the advice to read the above pages, I found one post saying to > use the PAT in place of the password. That also failed. It did not fail > for the user making the post. > > Tons of developers are using github, so there must be a simple answer, right? > Or is github full of users still using passwords for now? > > I just put up stuff on github that both I and other users will need to > access. > > I would deeply appreciate someone helping me with this. On or off-list. > > FWIW, I'm not willing to use 2FA over my phone. If my phone breaks and I > don't have the money to buy another one, no access. Text 2FA is not > secure. I also may go to Guatemala after this date. I will have to buy > another phone there to get any access. Maybe I'm shooting myself in the > foot over this or maybe Microsoft is doing it. > > If I can't figure this out, then I'll just use plain git on one of my > servers and drop using github. I'm good either way. > > Sorry for so much TL;DR; > > Chris Bennett > > Generate ssh keys your side. Go to https://github.com/settings/ssh/new, give it a title and paste in the contents of the .pub key. That is all that most people are doing for github. BTW you can do 2FA using the common TOTP protocol at the command line. oathtool -b --totp 'private_key' or echo 'private_key' > somefile cat somefile | oathtool -b --totp - or similar with an encrypt/decrypt stage added.
Re: [OT] Upcoming Personal Access Tokens or Keys on github instructions make no sense to me
Chris Bennett writes: > At the end of August, github will no longer accept passwords. > Months ago, I created a personal access token (PAT). > It then asks about a list of actions that are permitted. > I don't at all understand this list of permissions. > > At the time, none of it made any sense to me. > I couldn't find any instructions in the enormous amount of obtuse > documentation about this. So I didn't worry about it. > > Yesterday, I gave it a try again, getting another PAT. > I spent a few hours trying to get anything out of about 35 pages of > documentation that utterly fails to mention how to use it. > Another set of hours wasted. Ugh. > > I then tried the access keys for .ssh home folder. > This is for using SSH access. > I got two files: id_ed25519 and id_ed25519.pub > As per the instructions, I tried with these and they failed to work. > The troubleshooting pages for these are essentially worthless. > > So next I tried the community forums. > Besides the advice to read the above pages, I found one post saying to > use the PAT in place of the password. That also failed. It did not fail > for the user making the post. > > Tons of developers are using github, so there must be a simple answer, right? > Or is github full of users still using passwords for now? > > I just put up stuff on github that both I and other users will need to > access. > > I would deeply appreciate someone helping me with this. On or off-list. > > FWIW, I'm not willing to use 2FA over my phone. If my phone breaks and I > don't have the money to buy another one, no access. Text 2FA is not > secure. I also may go to Guatemala after this date. I will have to buy > another phone there to get any access. Maybe I'm shooting myself in the > foot over this or maybe Microsoft is doing it. I use phone + offline codes as a backup. I have yet to see a site that doesn't display the raw secret (base32 encoded usually) alongside the QR code. You can use any number of tools to produce the OTP: oathtool, gopass, pass (with pass-otp). I encrypt the secrets with age and use this script to decrypt / generate an OTP: https://github.com/qbit/dotconf/blob/master/bin/rage I can't speak to the PAT stuff. Do you have a link where github is talking about all this github-not-taking-passwords stuff? > > If I can't figure this out, then I'll just use plain git on one of my > servers and drop using github. I'm good either way. > > Sorry for so much TL;DR; > > Chris Bennett