11

I'd like to know what is the best way to connect to a GitHub repository between HTTPS and SSH. Apparently GitHub seems to recommend HTTPS over SSH:

If you have decided not to use the recommended HTTPS method, we can use SSH keys to establish a secure connection between your computer and GitHub. The steps below will walk you through generating an SSH key and then adding the public key to your GitHub account.

Yet I see no reason why HTTPS would actually be better than SSH. SSH should be more secure than HTTPS normally. So why would GitHub recommend HTTPS?

  • 1
    It's more efficient, apparently. There's a good article on it at [Pro Git](http://git-scm.com/2010/03/04/smart-http.html) –  Aug 29 '13 at 20:13
  • Does that mean I should rather use HTTPS over SSH? –  Aug 29 '13 at 21:13

2 Answers2

17

I got an answer from GitHub:

We recommend https since it is far simpler to set up and doesn't require knowledge or secure management of ssh keys.

Since ssh and https both use ssl behind the scenes, the benefit of requiring access to a private key rather than login credentials only holds if those keys are managed securely. For those unfamiliar with best practices around ssh keys, this is often harder to explain than it is to let them maintain username/passhprase login credentials using the procedures they already know. The recommendations are there so those who don't have a strong opinion either way can choose the most straightforward method. Anyone who prefers ssh keys is able to do so as they're fully supported.

Community
  • 1
  • 1
11

https is easier to use than ssh.

With ssh, you need to:

  • generate a public/private key
  • publish it on GitHub
  • launch (if you really want security) an ssh-agent to enter the passphrase you would have associated to your private key.

https just reuse the GitHub credential you already have.
If you don't want to enter your GitHub password for each git command, you can store those credentials in an encrypted ~/.netrc.gpg (or %HOME%/_netrc.gpg on windows).
See a full step-by-step example at "Is there a way to skip password typing when using https:// github".

I store that way several credentials (to GitHub, BitBucket, internal repos, ...) in one (encrypted) file, and I type one password (the gpg passphrase) once in the morning.
I can then access all those repos without having to enter my credential during the day.

Community
  • 1
  • 1
VonC
  • 1,262,500
  • 529
  • 4,410
  • 5,250
  • 1
    HTTPS is easier, but what about security? –  Aug 30 '13 at 19:53
  • @user2429940 same kind of security, as long as you don't leave your password in a plain text file. That is why the gpg encryption I mention in http://stackoverflow.com/a/18362082/6309 is so important. – VonC Aug 30 '13 at 20:03
  • @user2429940 for more details: http://security.stackexchange.com/questions/1599/what-is-the-difference-between-ssl-vs-ssh-which-is-more-secure – VonC Aug 30 '13 at 20:04