How does Github selectively restrict write-access over SSH? - ssh

If I interact with Github over SSH using the git account, how does it know which files to let me access?
Is it possible on the server to detect which specific key in the authorized_keys file was used to authenticate a user? My understanding of SSH is that once my key is authenticated, I'm logged in as the git user and should have access to everything that user account has access to.
Update:
I figured gitosis had to be doing something similar in nature and so I checked out the source. As ephemient says, associating a command with a public key seems like the way to go. You can set it up so that the command receives the user's name as an argument and figure out permissions based on that.

Of course I do not know what GitHub does, but https://wincent.com/wiki/Git_repository_access_control explains how.
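As an added illustration of the forced-command approach the answer describes (my example, not GitHub's or gitosis's code): the authorized_keys line passes the user name as an argument, sshd hands the client's request over in SSH_ORIGINAL_COMMAND, and a small gate checks that request against a per-user access table before handing off to git-shell. The user names, repository names and the /srv/git path are constructed.

```shell
#!/bin/sh
# Forced command for a shared "git" account (added illustration).
# Constructed authorized_keys line, one per user, key material elided:
#   command="/usr/local/bin/git-gate alice",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty ssh-ed25519 AAAA... alice@laptop
# sshd runs this script with "alice" as $1 and places the client's requested
# command in SSH_ORIGINAL_COMMAND, so permissions can be keyed on the user.

# Constructed access table: "user repo perm", perm is r (fetch) or rw (push).
ACL="alice project.git rw
bob project.git r
bob docs.git rw"

# Permission required by each git service; anything else is refused.
needed_perm() {
  case "$1" in
    git-upload-pack|git-upload-archive) echo r ;;
    git-receive-pack) echo rw ;;
    *) echo deny ;;
  esac
}

# allowed USER REPO PERM: succeeds if the table grants PERM (rw implies r).
allowed() {
  [ "$3" = deny ] && return 1
  printf '%s\n' "$ACL" | grep -qxF "$1 $2 rw" && return 0
  [ "$3" = r ] && printf '%s\n' "$ACL" | grep -qxF "$1 $2 r"
}

# gate USER ORIGINAL_COMMAND: prints "service repo" if permitted, else fails.
gate() {
  # git clients send exactly: git-upload-pack 'repo.git' (or receive-pack)
  case "$2" in
    "git-upload-pack '"*"'"|"git-receive-pack '"*"'"|"git-upload-archive '"*"'") ;;
    *) return 2 ;;
  esac
  service=${2%% *}
  repo=${2#* \'}; repo=${repo%\'}
  # Stay inside the flat repo directory: no slashes, dotfiles, spaces or quotes.
  case "$repo" in ''|*/*|.*|*' '*|*\'*) return 2 ;; esac
  allowed "$1" "$repo" "$(needed_perm "$service")" || return 3
  printf '%s %s\n' "$service" "$repo"
}

# Entry point when invoked by sshd from authorized_keys.
if [ -n "$1" ] && [ -n "$SSH_ORIGINAL_COMMAND" ]; then
  decision=$(gate "$1" "$SSH_ORIGINAL_COMMAND") || { echo "access denied" >&2; exit 1; }
  set -- $decision
  exec git-shell -c "$1 '/srv/git/$2'"
fi
```

Because the request is rebuilt from validated parts and handed to git-shell rather than a login shell, a key holder can only run the two git services on the repositories the table grants them.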

Related

successfully authenticated into github under wrong user

I have run ssh -T git@github.com to check my SSH connection, and I got the following result:
Hi e***! You've successfully authenticated, but GitHub does not provide shell access.
Now, this is not my GitHub user and I don't know how to change it.
To work with ssh or any asymmetric key encryption protocol, you should get a grasp of how a public and private key pair works. Only then will what I say below make sense:
The command ssh -T git@github.com shows the user who has added your public key to their account. What this command does is send your public key to GitHub's server; GitHub then tries to verify that you are actually the owner of this public key (by testing your private key with some encrypted data). If so, it finds the account in its database that is associated with this public key and returns the result that you're seeing on the screen.
Should you be worried? No, because your public key is supposed to be public, and anyone could grab your key and unintentionally add it to their GitHub account. Other than you being able to access their private GitHub repositories, they can do nothing to your computer or your GitHub account.
If you still have read and write access to your GitHub's repositories (e.g., git clone or git push), there's nothing else to do.
Edit:
If you've already added your public key to your GitHub account and ssh -T git@github.com still outputs their GitHub account name, I think it's because GitHub finds their account first and returns that right away.

GitHub: SSH over HTTPS for third party app

I am a hardware guy first and software second so GitHub is not my forte.
I had Altium Designer set up with my GitHub server for version control. When GitHub forced 2FA recently it broke the link to Altium, which unfortunately doesn't have stellar GitHub integration.
There are 6 fields I am allowed to enter in Altium to point it to my (GitHub) server:
1.) Method (HTTP, HTTPS, file, svn)
2.) Server (URL)
3.) Port
4.) Repo Subfolder
5.) username
6.) Password
Again, nothing changed except moving to 2FA. Now, when I attempt to login it obviously says it could not connect to the server because Altium has no provisions to provide a token during the login process.
I read the article at GitHub here: https://docs.github.com/en/free-pro-team@latest/github/authenticating-to-github/using-ssh-over-the-https-port
But I have no idea if that will do anything for me. Is there a way to route my Altium server connection to use my SSH key outside of the Altium environment? Or perhaps another way to "whitelist" my desktop in GitHub for SSO?
GitHub has not forced 2FA on for users. That wouldn't be useful, because people could just not set up a second factor. It's possible your organization has required this, though.
However, GitHub is deprecating the use of a plain password when using Git over HTTPS in favor of a token. Using a plain password was already forbidden for users who use 2FA, since there's no place to send a 2FA code (and for automated systems, doing that would be very inconvenient).
In this case, it's easy to keep using HTTPS: just generate a personal access token (in the developer settings) with the repo scope and paste it into the password field. Git doesn't know the difference between a password and a token; they're both the same to it. This also has a bunch of other benefits:
If you change your password, the token isn't automatically cleaned up, so you don't have to change Altium Designer.
If you decide you want to revoke that token, you can do so independently of changing your password.
If you're using SSO, you need to enable that token for SSO using the drop-down before it can be used to access protected resources.

How to use Github Personal Access Token in Jenkins

I can ask this question in many ways, like
How to configure Jenkins credentials with Github Personal Access Token
How to clone Github repo in Jenkins using Github Personal Access Token
So this is the problem.
The alternate solutions that I am aware of:
SSH connection
username/password configuration in Jenkins. However,
use of a password with the GitHub API is now deprecated.
But My question is how to setup Github connection with Jenkins using Personal Access Token
[UPDATE]
The new solution proposed by git is
https://github.blog/2020-12-15-token-authentication-requirements-for-git-operations/
Which says:
Beginning August 13, 2021, we will no longer accept account passwords
when authenticating Git operations and will require the use of
token-based authentication, such as a personal access token (for
developers) or an OAuth or GitHub App installation token (for
integrators) for all authenticated Git operations on GitHub.com. You
may also continue using SSH keys where you prefer.
What you need to do:
https://github.blog/2020-12-15-token-authentication-requirements-for-git-operations/#what-you-need-to-do-today
Basically, change the repository URL to
https://<access token>@github.com/<userName>/<repository>.git
Something like this
https://<access token>@github.com/dupinder/NgnixDockerizedDevEnv.git
and set the credentials to none.
Thanks to @Gil Stal
[OLD Technique]
After many discussions on multiple threads from Stack Overflow
I found one thread that is useful.
Refer to this answer:
https://stackoverflow.com/a/61104603/5108695
Basically
Personal access token can be used as a password, as far as Jenkins is concerned at least. I added new credentials to the credential manager.
Go to Jenkins
Go to credentials > System > Global credentials > Add credentials; a page will open.
In Kind drop-down select Username and password.
In User put a non-existing username like jenkins-user or user.
Add Personal Access Token in the password field
Now start configuring your project.
In the Source Code Management tab, under Repository URL, select the newly configured credentials from the Credentials drop-down.
So this is how we can configure or setup Authentication between Jenkins and Github using Personal Access Token
References:
Git Clone in Jenkins with Personal Access Token idles forever
Change jenkins pipeline to use github instead of gitlab
The accepted answer won't work anymore because of this: https://github.blog/2020-12-15-token-authentication-requirements-for-git-operations.
You will need to:
Change the URL of the repo to: https://<access token>@github.com/<user-name>/<repo-name>.git (Replace every <...> with the real parameters)
Set the credentials to none.
As of August 2021 the answer posted by Dupinder Singh is accurate. The only thing I would add is that if you are part of a team, the URL format appears to be a bit different. This is what worked for me:
https://<access token>@github.com/<team>/<repo>.git
for example
https://ghp_6dh3jdk394jsmbh299jjdg20fh87hd83ksk39@github.com/MyKuleTeam/KuleGuyCode.git
Note that if you use a personal access token you don't need to have any github credentials stored in jenkins.
As for credentials for the Jenkins GitHub Plugin, please be aware that only Personal access tokens are now accepted by this plugin.
To generate such a token, follow the GitHub docs (e.g. here). Don't save it; it can be regenerated in GitHub and updated in Jenkins if lost or when migrating to a different server.
To add the token to the Jenkins credentials store, go to <JENKINS_URL:PORT>/credentials/store/system/domain/_/newCredentials and select Kind "Secret text" (not the default "Username and password"), then paste the token as Secret and choose some ID.
Testing: the credential should appear on the list of Credentials at <JENKINS_URL:PORT>/credentials/ and be selectable from the drop-down list at <JENKINS_URL:PORT>/configure/, where pressing the "Test connection" button should display "Credentials verified for user <GITHUB_USER>".
More info: see the Github plugin docs.
Caveats: the Git Plugin has its long-standing issues, so if the newly created "Secret text" does not appear in your pipelines, try whether this solution helps (with "the user who triggered the build" considered safer than "SYSTEM"):
client-and-managed-masters/why-credentials-are-not-listed-in-the-git-scm-section
There is (yet another) way to do this as of 2020/04 which is supposed to be superior to personal access tokens. The best part is that you can continue using a username/password-style credential, and the plugin will handle authenticating with GitHub in the background.
Benefits include:
Larger rate limits - The rate limit for a GitHub app scales with your organization size, whereas a user-based token has a limit of 5000 regardless of how many repositories you have.
User-independent authentication - Each GitHub app has its own user-independent authentication. No more need for 'bot' users or figuring out who should be the owner of 2FA or OAuth tokens.
Improved security and tighter permissions - GitHub Apps offer much finer-grained permissions compared to a service user and its personal access tokens. This lets the Jenkins GitHub app require a much smaller set of privileges to run properly.
Access to GitHub Checks API - GitHub Apps can access the GitHub Checks API to create check runs and check suites from Jenkins jobs and provide detailed feedback on commits as well as code annotations.
Links:
https://www.jenkins.io/blog/2020/04/16/github-app-authentication/
https://github.com/jenkinsci/github-branch-source-plugin/blob/master/docs/github-app.adoc

Is there a way to add WHM ssh keys that are authorized to account ssh keys and authorize them automatically?

Since we've turned off passwords for security purposes, I was hoping there was a script or some other way to automatically add WHM authorized keys to account level ssh public keys and have them automatically authorized.
You must create a post-account-creation script (e.g. /scripts/postwwwacct) or a standardized hook script. See more at https://documentation.cpanel.net/display/SDK/Guide+to+Standardized+Hooks+-+Script+Hooks

Access to api from gitlab webhooks

I need to develop a bunch of my own web hooks (or services maybe) for auto deploy, report into project management systems, etc.
But the data posted to the web hook doesn't have enough information to fill my needs.
For example, I've received a simple push event; how can I know whether it is a force push or not? Okay, I have 2 treeishes, let's look at the repository and check this push — oops, I need a user token to do it. Sad.
What is the right method to access the gitlab api from web hooks? Probably I've missed something important? I'm really confused.
Upd1:
Let's try to find a solution. Possibilities:
Imagine we can have a user who can read all projects in gitlab. But that user should be connected to each project to have access. Ok ;-(
What about reading the repo as the pusher? We can't, because we need to use his private token to do this.
Maybe some internal functionality to read all repos or something? Surely not.
So. Maybe a database? Nope. Because we need to clone the repo first and can't save data in the DB anyway with refreshing caches.
I think we need a security token and maybe many checkboxes with access permissions for each joined web hook or an app (service).
Please feel free to share your ideas.
I've remembered a partial solution. So the scenario will be like this:
Create a web service with your web hook.
Create an ssh key on the same host for some special user (usually the owner of the web hook service) to have access to the repos.
Add the ssh key created in the previous step as a deploy key.
Finally: register your webhook and add your deploy key for that hook to the project — repeat it for each project that needs this hook.
You have an event listener (your web hook service), and you have access to that repository (ssh/git).
But still that solution doesn't have access to the API itself.
Probably, there is also another solution.
Create a custom admin user with a big random password and some synthetic name like HookBot or something, and remember the private_token of that user;
Register your web hook;
Use api access to add your deploy key with HookBot (untested);
Use the sudo api to get sources or something else. Just mimic the pusher's account (sudo -u {author_id}) and go on, read the repo, work with it, etc.
Maybe some other solutions? More legit?