New personal access tokens

I have been using GitHub with my students in college and post-graduation.
The fact is that I share code and ask for assignments to be delivered all through GitHub.
But now GitHub asked me to create a “personal access token” to be used instead of my password. I save the provided key in a local text file because nobody can know it by heart; this is the first big security issue!
The thing is, in the Eclipse UI or on the git command line I need to copy and paste the key, and so my students will see my key, and moreover it is recorded on video too!!!

I really prefer to use the standard password to work in my classes.

My workaround now is to not use GitHub!

Any suggestion??

Never save the PAT in a file!
PATs are not meant to be remembered by heart; rather, you should configure Git to save the PAT internally using the credential store so that you won’t be prompted the next time.

The perk of using a PAT is that you are warmly encouraged to create a PAT for each single Git endpoint you make use of. If one of your endpoints (e.g., your laptop) somehow gets compromised, your password will still be safe and you can simply drop that particular “broken” PAT. A PAT can also be used for one-off operations and disposed of immediately afterward.

Importantly, you can tune the permissions of a PAT to match your needs.

As a result, PATs are much, much safer than plain passwords. That’s why GitHub – like other services – has made such a transition mandatory.

2 Likes

Thanks for your help 🙂, I just did (fixed…):

 git config --global credential.helper XXXXXXXXXXXXX

where XXXXXXXX is the token (PAT) provided by GitHub!!!

When I try to pull the repo I get:

$ git pull
Username for 'https://github.com': mygituser
Password for 'https://mygituser@github.com': 
remote: Support for password authentication was removed on August 13, 2021. Please use a personal access token instead.
remote: Please see https://github.blog/2020-12-15-token-authentication-requirements-for-git-operations/ for more information.
fatal: unable to access 'https://github.com/myuser/myrepo.git/': The requested URL returned error: 403

I read this thing here: Creating a personal access token - GitHub Docs

And they say:

…on the command line you would enter the following:

$ git clone https://github.com/username/repo.git
Username: your_username
Password: your_token

The documentation says to use the token (PAT), inappropriately saved in a local text file, as the password!!! 🤮

Perhaps I am missing something! The fact is that my password does not work with git commands in Linux Bash anymore, but the token (PAT) provided by GitHub works as a password to update my projects.

My bad!

The appropriate way to set the PAT token is:

git config --global credential.helper XXXXXXXXXXXXX

Where XXXXXXXX is the PAT token

But GitHub keeps the PAT token as plain text in a file anyway…

$ git config --global --list
user.email=myemail@gmail.com
user.name=Daniel Carvalho
push.default=simple
credential.helper=XXXXXXXXXXXXXXXXXXXXXXX

I think the documentation can do better!!

Hi @danielscarvalho

The proper way of using the credential helper is summarized at vvv-school.github.io/how-to-setup-vvv-school.md at master · vvv-school/vvv-school.github.io · GitHub.

Therefore, the following is not quite right:

git config --global credential.helper XXXXXXXXXXXXX

Once you have set up the credential helper, at the subsequent push/pull operation you’ll be prompted to provide the PAT, which in turn will get stored and no longer asked for.

Hope this helps out.

1 Like
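The post above says to name a helper in credential.helper and let git hand it the PAT on the next push/pull. The following is an added example (not code from the thread or from GitHub’s docs) that exercises exactly that mechanism with git’s built-in “store” helper, but in a throw-away HOME so the real ~/.gitconfig is never touched. The token value is a constructed placeholder, not a real PAT; the host, user name and the helper-name comment are assumptions for the demo. It talks to the helper through `git credential approve/fill/reject`, the same plumbing git uses after a successful or failed HTTPS authentication, so no network access is needed.

```shell
#!/bin/sh
# Added example, not code from the thread or from GitHub's docs.
# Drive git's "store" credential helper in a scratch HOME.
# The token below is a constructed placeholder, not a real PAT.
set -eu

# Point git at an empty HOME. Global config then lives in $HOME/.gitconfig
# and the store helper writes $HOME/.git-credentials. System config and
# any askpass program are disabled so only this setup applies.
setup_scratch_home() {
  SCRATCH_HOME=$(mktemp -d)
  export HOME="$SCRATCH_HOME"
  export GIT_CONFIG_NOSYSTEM=1 GIT_TERMINAL_PROMPT=0
  unset XDG_CONFIG_HOME GIT_ASKPASS SSH_ASKPASS
  # credential.helper names a helper *program* ("store", "cache", ...).
  # Putting the token itself here, as happened in the thread, is a
  # misconfiguration: git would try to run "git credential-<token>".
  git config --global credential.helper store
  # For shared lab machines the in-memory alternative would be:
  #   git config --global credential.helper 'cache --timeout=3600'
  # (not exercised here, since it needs a background daemon).
}

# Hand a credential to the configured helper, as git does after a
# successful push/pull. Arguments: host user token.
store_token() {
  printf 'protocol=https\nhost=%s\nusername=%s\npassword=%s\n\n' "$1" "$2" "$3" \
    | git credential approve
}

# Ask the helper for the password it holds for host/user; prints it,
# or nothing if the helper has no entry (interactive prompting is off).
lookup_token() {
  printf 'protocol=https\nhost=%s\nusername=%s\n\n' "$1" "$2" \
    | git credential fill 2>/dev/null | sed -n 's/^password=//p' || true
}

# Tell the helper to forget the credential: what you do on each machine
# after revoking a "broken" PAT on github.com.
forget_token() {
  printf 'protocol=https\nhost=%s\nusername=%s\n\n' "$1" "$2" \
    | git credential reject
}

# What "store" really does: the token sits in plaintext in this file.
credentials_file_contains() {
  grep -q -- "$1" "$HOME/.git-credentials" 2>/dev/null
}

demo() {
  setup_scratch_home
  store_token github.com mygituser ghp_0123456789abcdefghijklmnopqrstuvwxyz
  echo "helper returns: $(lookup_token github.com mygituser)"
  echo "on disk:        $(cat "$HOME/.git-credentials")"
  forget_token github.com mygituser
  echo "after reject:   '$(lookup_token github.com mygituser)'"
}

# Run the walk-through only where git is installed.
if command -v git >/dev/null 2>&1; then demo; fi
```

The `fill` call returning the token without any prompt is the “no longer asked” behaviour from the post; the `cat` of ~/.git-credentials is why the store helper is only acceptable on a machine nobody else can log into.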

The mandatory “upgrade” is terrible for many students, specifically lower-income students who don’t own a laptop. I think most of us using 1-2 computers have likely been using SSH keys for years anyway and are virtually unaffected by the change. A student who works from multiple machines each day (2-3 different class seats per classroom, and several preferred seats in the computer lab) is going to get really good at the process of setting up tokens. In the meantime, they will resist using GitHub as much as possible.

2 Likes

That is true! Students are asking me to accept assessments via Moodle or by e-mail, as in the past!

They have different labs in different rooms, sit at different computers… they give up on PATs.

A student asked me how to upload and expand a ZIP through the GitHub web interface! :-o

Worst case, they save the PAT in a file on the college network in order to access it from different computers!!!

My hunch is that if we make the effort to teach Git, or more generally how to use IT tools, then it’s the right moment to underscore how important IT security is.

That said, GH is trying to provide a VSCode extension to abstract away Git’s guts. Perhaps some OAuth-like mechanism could be integrated into that platform that would save students from dealing with PATs directly.

Thus, you may want to make your voice heard and reach out to the GH support team.

1 Like

I fail to see how it is more secure, unless security by obscurity is now considered valid.

“We don’t allow username/password to run commands. It’s not secure.”

“So, how do we connect?”

“Use PATs”

“How do I get those?”

“Login to GitHub.com with your username/password and make as many as you like”

“ugh”

1 Like

A PAT has by design much more entropy than the passwords users generally come up with. Not a thing to disregard.

When a user logs in, they provide the password to GitHub through the browser and, in the worst case, to any malicious extension, plugin, or whatever keylogger is lurking beneath. Thus, it’s a good rule to enable 2FA as well.

This may happen with and without PAT.

What a PAT rules out is this: when the user provides it to whatever client or app, the latter cannot break into GitHub to gain control of the whole account. With a password, instead, this can happen.

1 Like

Your final paragraph is a point well taken. Thank you.

1 Like

A student of mine yesterday made it pretty clear that they intend to use file drag-and-drop because working with tokens, etc was overwhelming them. I really wish GitHub would allow organizations (i.e. classrooms) to control whether username/password is allowed for its repositories, much in the same way an organization owner can require 2FA. For people that I’m trying to convince to use the tool, I need a low bar.

1 Like

An alternative is to use an IDE that supports OAuth authentication. We have tested IntelliJ IDEA and it works properly (it is necessary to allow OAuth access from the GitHub settings).

2 Likes

VSCode is perfect for OAuth as well, but if it’s used on a shared machine, then the user is required to log into GitHub anyway and to remember to log out.

I’m afraid this is not very practical for school computers that are shared among students.

1 Like

This new feature in GitHub is making GitHub Classroom less convenient for our students, and it isn’t more secure. Our students use multiple computers (in the lab and at home), and in the lab they may use a different computer each time. Using git config --global with a store stores the PAT in plaintext in a file on the machine. With a cache, the PAT is much more secure for git, but it’s only for a certain time period, and goes away when the computer is restarted (e.g. when they log out; the lab does this). So our students are mailing themselves PATs, or creating new PATs every time they need to use git, and storing them in text files. It’s a major nuisance.

1 Like
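Two things go wrong in this thread: a token pasted into credential.helper instead of a helper name (the `git config --global --list` output earlier shows exactly that), and the store helper leaving PATs in plaintext on lab machines (the post above). The following is an added example, not code from the thread or from GitHub, that audits both from the `git config --global --list` output and the ~/.git-credentials file of an account; a lab admin could run it over each home directory. The sample inputs are constructed; the token prefixes are the ones GitHub uses for its token formats (ghp_, gho_, ghu_, ghs_, ghr_, github_pat_). Tokens are masked in the report so the audit itself does not leak them.

```shell
#!/bin/sh
# Added example, not code from the thread or from GitHub.
# Audit `git config --global --list` output and a ~/.git-credentials
# file for (a) a token used as the helper name and (b) plaintext PATs.
set -eu

# GitHub token shapes: classic PAT is ghp_ + 36 alphanumerics; the
# other prefixes are OAuth/app tokens; fine-grained PATs are longer.
TOKEN_RE='(ghp|gho|ghu|ghs|ghr)_[A-Za-z0-9]{36}|github_pat_[A-Za-z0-9_]{22,}'

# Print "first4...last4" of a secret instead of the secret itself.
mask_secret() {
  secret=$1
  printf '%s...%s' "${secret%"${secret#????}"}" "${secret#"${secret%????}"}"
}

# Arguments: file holding key=value config lines, credentials file.
# Emits one line per finding, each prefixed with a finding code.
audit_git_credentials() {
  config_list=$1
  cred_file=$2

  helper=$(sed -n 's/^credential\.helper=//p' "$config_list" | tail -n 1)

  # (a) A token where a helper name belongs: git would try to execute
  #     "git credential-<token>", which does not exist, and the token
  #     now lives in a world-readable-by-default ~/.gitconfig.
  if printf '%s\n' "$helper" | grep -Eq "$TOKEN_RE"; then
    echo "HELPER_IS_TOKEN: credential.helper holds $(mask_secret "$helper"), not a helper name"
  fi

  # (b) The store helper keeps every approved credential in plaintext.
  case "$helper" in
    store*) echo "STORE_HELPER: credential.helper=store writes tokens in plaintext to ~/.git-credentials" ;;
  esac

  # Each stored line has the form https://USER:TOKEN@HOST[/path].
  if [ -f "$cred_file" ]; then
    grep -E '^https?://[^:@/]+:[^@]+@' "$cred_file" | while IFS= read -r line; do
      user=$(printf '%s' "$line" | sed -E 's#^https?://([^:]+):.*#\1#')
      host=$(printf '%s' "$line" | sed -E 's#^.*@([^/]+).*#\1#')
      secret=$(printf '%s' "$line" | sed -E 's#^https?://[^:]+:([^@]+)@.*#\1#')
      echo "PLAINTEXT_CRED: $user@$host token $(mask_secret "$secret")"
    done
  fi
}

# Constructed sample inputs mirroring the two situations from the thread.
demo() {
  work=$(mktemp -d)
  printf 'user.name=student\ncredential.helper=ghp_0123456789abcdefghijklmnopqrstuvwxyz\n' \
    > "$work/list-mistake"
  printf 'credential.helper=store\n' > "$work/list-store"
  printf 'https://mygituser:ghp_0123456789abcdefghijklmnopqrstuvwxyz@github.com\n' \
    > "$work/git-credentials"
  echo "== token pasted as helper =="
  audit_git_credentials "$work/list-mistake" /nonexistent
  echo "== store helper on a lab machine =="
  audit_git_credentials "$work/list-store" "$work/git-credentials"
}

demo
```

On a real machine the first argument is `git config --global --list > list.txt` run as the user being audited, and the second is that user’s ~/.git-credentials; any PLAINTEXT_CRED finding on a shared computer means the PAT should be revoked on github.com and the file deleted, which is the “drop the broken PAT” step from earlier in the thread.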

GitHub should think globally! Usually, US students carry their own notebooks to classes; it is OK to work with PATs this way.

But in Brazil and other countries, students use lab desktops to work in different rooms and buildings at college. Some students keep their own notebooks, of course, but it is not safe.

I ask students to send me the GitHub link for all their assignments; with PATs on different computers it can be a risk. Now there are PATs spread across college computers.

GitHub Education