Summary
On July 15, 2021, Cornell’s GitHub Enterprise service will be updated for enhanced security. This change will mirror the upcoming change to token authentication on the main GitHub.com website. It may impact some users, depending on how they interact with Cornell’s GitHub Enterprise service.
If you use your Cornell NetID and Cornell password for authentication during Git operations, you must switch to token-based authentication or SSH-based authentication.
Logging into the website interface will continue to work, albeit using Cornell’s Two-Step login.
If you need assistance, please submit a ticket to the COECIS Help Desk.
Background
Beginning July 13, 2021, we will no longer accept account passwords when authenticating Git operations and will require the use of token-based authentication, such as a personal access token (for developers) or an OAuth or GitHub App installation token (for integrators) for all authenticated Git operations on github.coecis.cornell.edu. You may also continue using SSH keys where you prefer.
Tokens offer a number of security benefits over password-based authentication:
- Unique – tokens are specific to GitHub and can be generated per use or per device
- Revocable – tokens can be individually revoked at any time without needing to update unaffected credentials
- Limited – tokens can be narrowly scoped to allow only the access necessary for the use case
- Random – tokens are not subject to the kinds of dictionary or brute-force attempts that simpler passwords, which you need to remember or enter regularly, might be
Workflows affected
- Command line Git access over HTTPS
- Desktop applications using Git (GitHub Desktop is unaffected)
- Any apps/services that access Git repositories directly using your Cornell NetID and password
Command line Git access over HTTPS
Many people have historically cloned a repository to their computer using HTTPS and the standard command-line tool ‘git’ or another Git client. Those users were prompted to enter their Cornell username and password during Git operations.
This functionality will no longer work, and you will need to change how you interact with the remote Git repository from your local one.
You must transition to using a Personal Access Token or to using SSH keys.
Using Personal Access Tokens
Any method of working with GitHub that previously used a username and password can be done using these Personal Access Token instructions.
You would use the same username, but when prompted for your password, you would enter your Personal Access Token. If you’re worried about having to repeatedly re-enter your Personal Access Token, you can configure your Git client to cache your credentials.
Using SSH Keys
If you already use SSH keys to push and pull your code, working with GitHub will continue just as it did before. If you wish to switch to this method, you can read more about it in GitHub’s detailed documentation.
In short, check to see if you already have an SSH key. If you don’t, generate one. Once you have an SSH key, add it to your GitHub Enterprise settings.
Then when you clone a repository on your computer, just make sure you clone it over SSH and all git interactions will take place using the SSH key authentication.
If you have any existing repositories configured to use HTTPS, it’s relatively easy to configure them to use SSH.
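The HTTPS-to-SSH switch for existing clones described above, as an added example that is not part of the original notice. The function names and the `--apply` flag are illustrative assumptions; the `git` SSH user follows GitHub's standard convention, and the host is the one named on this page.

```shell
#!/bin/sh
# Added example: point a clone's HTTPS remotes on the Enterprise host at SSH.
GHE_HOST="github.coecis.cornell.edu"   # Enterprise host named on this page

# Print the SSH form of an HTTPS URL on $GHE_HOST; print anything else unchanged.
# A "user[:secret]@" prefix is dropped, so a password or token that was saved
# in the remote URL is not carried over into the new configuration.
https_to_ssh() {
    url=$1
    case $url in
        https://*/*) ;;
        *) printf '%s\n' "$url"; return 0 ;;
    esac
    rest=${url#https://}
    authority=${rest%%/*}          # [user[:secret]@]host
    path=${rest#*/}                # owner/repo[.git][/]
    host=${authority##*@}
    if [ "$host" != "$GHE_HOST" ] || [ -z "$path" ]; then
        printf '%s\n' "$url"; return 0
    fi
    path=${path%/}
    path=${path%.git}
    printf 'git@%s:%s.git\n' "$host" "$path"
}

# Rewrite every remote of the clone in DIR (default: current directory).
convert_remotes() {
    dir=${1:-.}
    for name in $(git -C "$dir" remote); do
        old=$(git -C "$dir" remote get-url "$name")
        new=$(https_to_ssh "$old")
        if [ "$new" != "$old" ]; then
            git -C "$dir" remote set-url "$name" "$new"
            # Print only the new URL: the old one may contain a secret.
            printf '%s -> %s\n' "$name" "$new"
        fi
    done
}

# First confirm your key is registered:  ssh -T git@github.coecis.cornell.edu
# Then run:  sh this-script.sh --apply /path/to/clone
if [ "${1:-}" = "--apply" ]; then
    convert_remotes "${2:-.}"
fi
```

Remotes that point at other hosts are left untouched, so the function is safe to run on clones that also track GitHub.com.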
Git Clients
- Many users already use GitHub Desktop to interact with the GitHub server. No changes are needed if you are using GitHub Desktop.
- GitHub CLI is a command-line Git client. It brings pull requests, issues, and other GitHub concepts to the terminal next to where you are already working with Git and your code.