Github will require token authentication.

What's wrong with a simple password?
I don't put secrets on github, in fact just the opposite of secrets ...
And will their new authentication protect my privacy?
Don't you give information about yourself by authenticating?
[Linked databases ...]
 
I just set up ssh for it which was very quick and easy, works fine. Just an added/better layer of security to keep accounts safe. I've not had to give away any more information about myself than before, now that I'm using ssh auth.
 
Anyplace online that has your email and a password is a potential attack vector, mostly because most folks don't use unique passwords for every place they visit.
In the past, github, spotify, pandora, etc. have been compromised on their servers and have had emails and passwords stolen. If you use that same password and email combination for your banking website, there is a potential for bad things happening.
The businesses are not going to tell you they've been breached, heck they may not know for months, then it'll be another 6 months before they tell you.
This is no different than someplace wanting you to use 2 factor authentication.
 
Example. When I log in to my jails using ssh I use a token and not a password.
I suppose this is the same method github is wanting.
 
I recently joined Github. I typed in my name, a password, email box and have already set up my Profile.

I plan to point out unethical practices inconsistent with how someone doing business from their account represents themselves. I'd rather not, but said I would and have been ignored. That's not a good thing, but he isn't concerned.
 
It is slightly inconvenient to have to create an ssh key for _every_ machine that I use to access github.
 
Is it really every machine or every "identity"?
Basically, you create a single public key/private key pair, push the public key to github, then use the same private key from each machine you use to access github. I'm not saying this is smart or best practices, just pointing out it could be done.

Kind of like using the same private/public GPG key pair on every machine you send email from. They link the email to a single identity, not a single machine.

Assuming one can use ssh-copy-id to push the public portion to github, it's not really a big deal having different keypairs for different machines, unless github is only going to allow a single keypair.
 
Github allows multiple public keys. I use one key per identity as Mer suggests, but I never reuse identities. I create a fresh new one for every new application. Public keys could be used for tracking very effectively if they are reused, but I suspect the pool of users that use public key authentication is so small that no one bothers.
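The reuse question discussed above (one key pair copied to several machines, or one key shared between identities) can be checked on your own keys by comparing fingerprints. This is an added example, not part of the thread: the labels and key blobs are constructed placeholders rather than real keys, and each line is assumed to be in the `.pub` file layout `<type> <base64-blob> [comment]`.

```python
import base64
import hashlib
from collections import defaultdict


def fingerprint(pubkey_line):
    """SHA256 fingerprint of one '<type> <base64-blob> [comment]' line."""
    fields = pubkey_line.split()
    if len(fields) < 2:
        raise ValueError("not a public key line")
    blob = base64.b64decode(fields[1], validate=True)
    digest = hashlib.sha256(blob).digest()
    # OpenSSH prints the digest base64-encoded with the '=' padding removed.
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def reused_keys(keys_by_label):
    """Return {fingerprint: [labels]} for keys found under more than one label."""
    seen = defaultdict(list)
    for label, line in keys_by_label.items():
        seen[fingerprint(line)].append(label)
    return {fp: labels for fp, labels in seen.items() if len(labels) > 1}


def fake_blob(seed):
    """Constructed stand-in for a key blob; not a usable SSH key."""
    return base64.b64encode(seed).decode()


# Constructed sample: the same key copied to two machines (only the comment
# differs) and a separate key used for a different identity.
SAMPLE = {
    "laptop/id_github": "ssh-ed25519 " + fake_blob(b"constructed-key-A") + " me@laptop",
    "desktop/id_github": "ssh-ed25519 " + fake_blob(b"constructed-key-A") + " me@desktop",
    "laptop/id_other": "ssh-ed25519 " + fake_blob(b"constructed-key-B") + " me@laptop",
}

if __name__ == "__main__":
    for fp, labels in reused_keys(SAMPLE).items():
        print(fp, "is shared by", ", ".join(sorted(labels)))
```

The comment field is not part of the fingerprint, so renaming a copied key does not hide the reuse.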
 
I already have an ssh token for github. But I was wondering if it would be an intrusion to my privacy. It seems not.
 
then use the same private key from each machine you use to access github.
Oh, you can do that. But - before you do that, have you thought about the security implications?
If you have just one key (the same key) on all your machines, and one machine gets compromised (broken into, secrets on it stolen) what happens then?
Then some unknown "bad guy" has the ssh key - the only ssh key you use for github access.
Aside from the practical problem that you now need to re-provision all your other machines with a new key, you still have the fundamental issue that your key is compromised / in the hands of someone else than you, so how are you going to put a new key on Github?
 
Oh, you can do that. But - before you do that, have you thought about the security implications?
If you have just one key (the same key) on all your machines, and one machine gets compromised (broken into, secrets on it stolen) what happens then?
Then some unknown "bad guy" has the ssh key - the only ssh key you use for github access.
Aside from the practical problem that you now need to re-provision all your other machines with a new key, you still have the fundamental issue that your key is compromised / in the hands of someone else than you, so how are you going to put a new key on Github?
You really should have included my sentence that follows that:
I'm not saying this is smart or best practices, just pointing out it could be done.

So yes, I have thought :-/ about the security implications. :beer:

But like the rest of life, security and "ease of use" are competing requirements and the individual has to decide for themselves.
 