Summary
On July 15, 2021, Cornell’s GitHub Enterprise service was updated for enhanced security using Cornell’s Two-Step login. This means that any users previously able to authenticate any Git client with their NetID are no longer able to do so.
If you need assistance, please submit a ticket to the ITSG Help Desk.
Background
As of July 13, 2021, we no longer accept account passwords when authenticating Git operations and require the use of token-based authentication, such as a personal access token (for developers) or an OAuth or GitHub App installation token (for integrators), for all authenticated Git operations on github.coecis.cornell.edu. You may also continue using SSH keys where you prefer.
Tokens offer a number of security benefits over password-based authentication:
- Unique – tokens are specific to GitHub and can be generated per use or per device
- Revocable – tokens can be individually revoked at any time without needing to update unaffected credentials
- Limited – tokens can be narrowly scoped to allow only the access necessary for the use case
- Random – tokens are not subject to the types of dictionary or brute-force attempts that work against simpler passwords you need to remember or enter regularly
Workflows affected
- Command line Git access over HTTPS
- Desktop applications using Git (GitHub Desktop is unaffected)
- Any apps/services that access Git repositories directly using your Cornell NetID and password
Command line Git access over HTTPS
Many people have historically cloned a repository to their computer using HTTPS and the standard command-line tool ‘git’ or another Git client. Those users were prompted to enter their Cornell username and password during Git operations.
This functionality will no longer work, and you will need to change how your local Git repository authenticates to the remote.
You must transition to using a Personal Access Token or to using SSH keys.
Using Personal Access Tokens
Any method of working with GitHub that previously used a username and password can be done using these Personal Access Token instructions.
GitHub now supports Fine-Grained Personal Access Tokens! These help secure your account in shared environments.
You can create a fine-grained personal access token which will provide extremely well-targeted access (down to specific repositories and behaviors). We recommend using fine-grained personal access tokens when using your GitHub account on communal environments such as shared servers or workstations. Of course, when working from your own machine the “classic” personal access token will usually be sufficient.
To use your newly created token, enter your NetID as the username and, when prompted for your password, enter your Personal Access Token. This will be required every time an operation must reach out to the server, so you’ll want a method for keeping your personal access tokens secure.
Using SSH Keys
Working with GitHub using SSH keys to push and pull code will be unaffected by these changes. SSH keys lack automatic expiration and permission customizations; for details, you can read GitHub’s documentation about SSH key authentication.
In short, check to see if you already have an SSH key. If you don’t, generate one. Once you have an SSH key, add it to your GitHub Enterprise settings.
Then when you clone a repository on your computer, just make sure you clone it over SSH and all git interactions will take place using the SSH key authentication.
If you have any existing repositories configured to use HTTPS, it’s relatively easy to configure them to use SSH.
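One way to make the HTTPS-to-SSH switch described above, as an added example (not Cornell’s or GitHub’s own tooling). The function names are hypothetical and the `git@` SSH user is assumed from GitHub’s usual convention; the script also flags a remote that had a credential stored in its URL.

```shell
#!/bin/sh
GHE_HOST="github.coecis.cornell.edu"   # host named on this page

# Print the SSH form of an HTTPS remote URL on GHE_HOST.
# Returns 1 for anything else, so unrelated remotes are never rewritten.
https_to_ssh_url() {
    url=$1
    case $url in
        https://*) rest=${url#https://} ;;
        *) return 1 ;;
    esac
    hostpart=${rest%%/*}                 # may be "user:token@host"
    path=${rest#*/}
    [ "$path" != "$rest" ] || return 1   # URL had no path component
    host=${hostpart##*@}                 # drop any embedded credential
    [ "$host" = "$GHE_HOST" ] || return 1
    path=${path%/}
    [ -n "$path" ] || return 1
    case $path in *.git) ;; *) path=$path.git ;; esac
    printf 'git@%s:%s\n' "$host" "$path"
}

# True when an HTTPS URL carries "user@" or "user:secret@" before the host.
has_embedded_credentials() {
    case $1 in https://*) ;; *) return 1 ;; esac
    hp=${1#https://}
    hp=${hp%%/*}
    case $hp in *@*) return 0 ;; esac
    return 1
}

# Rewrite one remote (default: origin) of the clone at $1 (default: .).
switch_remote_to_ssh() {
    repo=${1:-.}
    remote=${2:-origin}
    old=$(git -C "$repo" remote get-url "$remote") || return 1
    new=$(https_to_ssh_url "$old") || {
        echo "$remote is not an HTTPS remote on $GHE_HOST; left unchanged" >&2
        return 1
    }
    if has_embedded_credentials "$old"; then
        # The old URL sat in .git/config in plain text; treat it as exposed.
        echo "warning: $remote stored a credential in its URL; revoke it" >&2
    fi
    git -C "$repo" remote set-url "$remote" "$new" && printf '%s\n' "$new"
}

# Usage (from a shell that has sourced this file):
#   switch_remote_to_ssh /path/to/clone origin
```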
Git Clients
- Many users already use GitHub Desktop to interact with the GitHub server. No changes are needed if you are using GitHub Desktop.
- GitHub CLI is a command-line Git client. It brings pull requests, issues, and other GitHub concepts to the terminal next to where you are already working with git and your code.