
I can't commit to my repos using username/pass with git via the command line now that I've got 2FA enabled on my account.

I have a "user access token" but I really, really hate it. So now I can only commit when I have this super long string copied into my clipboard, and if anyone sees that string or somehow gains access to my clipboard or I paste it somewhere by mistake or I put it in a file and the file is accessed, the attacker can just wreak havoc on my repos?

I really don't understand how this is more secure than remembering a 12 digit random number/letter/symbol password that is not written down anywhere. I must be doing something wrong or misunderstanding how to use this personal access token. What am I doing wrong?

bvpx
  • Put the token in a file on your system (readable only by you), and source it from that file? Or does the token change on every login? – merlin2011 Jul 12 '14 at 01:12
  • If you combine this with `get-credential-winstore` https://gitcredentialstore.codeplex.com, this problem mostly goes away. You just enter your user access token once and git remembers it going forward. – vcsjones Jul 12 '14 at 01:12
  • @merlin2011, I have been looking at that but there is something about `tty` that is preventing variables being echoed from environment. @vcsjones I am using Ubuntu 12.04 – bvpx Jul 12 '14 at 01:29

1 Answer


First, you can cache that token: see:

Second, the main difference between a (shorter) account password and a token is:

  • you can revoke a token (and keep your password)
  • you can have multiple tokens (which can be created for a limited use or time, and then revoked)
VonC
  • Yeah, I ended up going with `.netrc`, which doesn't make me feel too comfortable. I'm reading a bit about GPG encrypting the netrc file, but I still don't feel good knowing that the GPG key is on the machine in the first place... – bvpx Jul 12 '14 at 03:47
  • A passphrase protected gpg key, mind you. That should be secure enough. – VonC Jul 12 '14 at 03:49
  • And the additional benefit is that you can store *multiple credentials* in your encrypted `.netrc.asc` file: one passphrase to enter once per session... and you can push to multiple servers without having to enter any of those passwords. – VonC Jul 12 '14 at 03:50
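
The comments above weigh a token file readable only by you, a plaintext `.netrc`, and a GPG-encrypted `.netrc.asc`. As an added example (not part of the original thread), this shell function audits such a file for group/other access and for plaintext `password` entries; the function name `audit_netrc`, the host `git.example.test`, the login `alice` and the token value are constructed placeholders.

```sh
#!/bin/sh
# Added example: audit a netrc-style file that holds a git access token.
# Return status is a bitmask: 1 = group/other can access the file,
#                             2 = a plaintext "password" entry is present,
#                             4 = file not found.

audit_netrc() {
    local file="$1" perms rc=0

    [ -f "$file" ] || { echo "not found: $file" >&2; return 4; }

    # Characters 5-10 of the ls mode string are the group and other bits.
    perms=$(ls -ld -- "$file" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "loose permissions on $file (group/other: $perms); fix with chmod 600" >&2
        rc=$((rc | 1))
    fi

    # netrc syntax is "password <value>", on its own line or inline after "login".
    if grep -Eq '(^|[[:space:]])password[[:space:]]+[^[:space:]]+' -- "$file"; then
        echo "plaintext secret in $file; a gpg-encrypted copy avoids this" >&2
        rc=$((rc | 2))
    fi

    return "$rc"
}

# Constructed demo input: a world-readable file with an inline placeholder token.
demo_file=$(mktemp)
printf 'machine git.example.test login alice password PLACEHOLDER-TOKEN\n' > "$demo_file"
chmod 644 "$demo_file"
audit_netrc "$demo_file" || echo "audit status: $?"   # prints "audit status: 3"
rm -f "$demo_file"
```

A status of 0 means the file is owner-only and holds no plaintext `password` entry, which is what an ASCII-armoured `.netrc.asc` with mode 600 produces.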