GitHub authentication

[phajy]

Can anyone recommend good practice for securely authenticating with GitHub on the group's Linux system? I've looked at this article but the tools I use on my Mac are not installed (or I can't find) on the group's computers. Should I use a "personal access token" and if so, what's the safest way to do this? Thanks!

[fjebaker]

When you say authenticating with GitHub, do you mean authenticating over git (as in, so that push / pull works), or for the gh GitHub CLI?

[phajy]

Authenticating over git so that, e.g., git push origin main works. Not using gh because I don't think that is installed on the group's computers (but if it is [or is easy to install] we could use gh). Basically want @DariusMichienzi to be able to easily push changes to a GitHub repository from the group's computers.

[fjebaker]

Probably the most straight forward and secure way is to use an SSH keypair then. There's no limit to how many public keys you can upload to github, so it's probably best to generate a new keypair on typhon, and configure git to use SSH.

That basically means, run ssh-keygen -t ed25519 and follow the interactive prompt. This will create a new key in your ~/.ssh/ directory called id_ed25519 unless you chose something else during creation. Copy the one that ends in .pub and on github, under Settings -> SSH and GPG keys add a new SSH key and paste the .pub key in there.

To configure git to use the new ID, add somethign like this to your ~/.ssh/config file:

Host github.com
    IdentityFile ~/.ssh/id_ed25519 # change this to match your path (NB: without .pub this time)
    IdentitiesOnly yes

Then, on all of your cloned repos, use get remote -v to get the HTTPS url and change it to an SSH one. So in general, if you have a URL like

https://github.com/USER/REPO-NAME

it would become

[email protected]:USER/REPO-NAME

using the command

git remote set-url origin "[email protected]:USER/REPO-NAME"

Now you can push and pull from that repo securely.

As an aside, I have here a script for automatically converting HTTPS urls into SSH ones. Works on ZSH, should work on Bash, just add to your .zshrc or .bash_profile respectively. To use, navigate to the git clone and just do sshremote, where the first argument may optionally be which remote you want to update:

sshremote() {
    local remote="${1:-origin}"
    local url="$(git remote get-url $remote)"
    local alphanumeric="[a-zA-Z0-9\.]"

    if [[ "$url" =~ ^$alphanumeric+://$alphanumeric+/(.*)  ]]; then
        local ext="${match[1]}"
        local new="[email protected]:$ext"
        git remote set-url "$remote" "$new"
        echo "Updating $remote: '$url' -> '$new'"
    else
        echo "Malformed url: '$url'"
    fi
}

[phajy]

This works - thanks!