Let's imagine the current scenario:

We have a GitHub repository account, the repo, protected both by a password and an SSH key. We have an HTTP proxy which possesses both the correct password and SSH key to access a repo under the account. Finally, we have a worker which possesses neither the password nor the key but can access the proxy.

Is there a way to hijack the HTTP requests from the workers at the HTTP proxy and then add the authentication needed without the knowledge of the worker, thus letting them access the repo without having access to the authentication methods?

Thanks in advance, any help really appreciated!

Solerus

1 Answer

A GitHub repository is not password protected: its owner account is.
An SSH key might have an associated passphrase.

Normally, an HTTP proxy is used for HTTPS queries, not SSH URLs.
It is true you can do SSH access through an HTTP proxy, but the user would be:

  • without the private SSH key
  • without the GitHub account password
  • with no collaboration right over the repository (meaning, they are not declared as collaborator)

Such a user would not be able to access the repository at all.

As mentioned in the comments, you would need to deploy your own proxy to add authentication headers to the client query.

VonC
  • You are 100% right, I meant the account, not the repo. If I can rephrase the idea a bit: the goal would be to intercept the git queries from the end user at the proxy and then add authentication at this point before forwarding it to the git server (GitHub in this case). Is this possible with an HTTP proxy? – Solerus Jun 30 '20 at 06:19
  • @Solerus Maybe, if you own the proxy and add the missing bits yourself: https://stackoverflow.com/a/51176368/6309 (those show adding the proxy-authorization, which is not what you want, but you could add other headers) – VonC Jun 30 '20 at 06:23
  • Thanks for the answer! So I would need to craft the proxy myself to intercept the requests, add the authentication header (or is it in the body), send it to the git server, then forward it back to the end user? – Solerus Jun 30 '20 at 06:47
  • @Solerus Yes, that would be the idea. I don't know of a native proxy feature which would allow you to add authentication, without you installing your own proxy. – VonC Jun 30 '20 at 07:05
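
One way to build the self-hosted proxy described in the answer and comments, as an added example (not code from the post or from GitHub): a small reverse proxy that the worker reaches over plain HTTP and that injects the credential before forwarding to GitHub over HTTPS. The repository path, the `GIT_PROXY_TOKEN` variable, the listen address and the `x-access-token` Basic-auth username are assumptions.

```python
import base64
import http.client
import os
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

UPSTREAM_HOST = "github.com"
REPO = "/example-org/example-repo.git"          # hypothetical repository
# Read-only smart-HTTP endpoints: enough for clone/fetch, not for push.
ALLOWED = {("GET", REPO + "/info/refs?service=git-upload-pack"),
           ("POST", REPO + "/git-upload-pack")}
# Never copied from the worker: its own credentials and per-connection fields.
DROP = {"authorization", "proxy-authorization", "cookie", "host", "connection",
        "content-length", "transfer-encoding", "accept-encoding"}


def upstream_headers(method, path, headers, token):
    """Headers to send upstream, or None when the request is out of scope."""
    if (method, path) not in ALLOWED:
        return None
    out = {k: v for k, v in headers.items() if k.lower() not in DROP}
    # Assumption: token sent as the Basic-auth password, username x-access-token.
    cred = base64.b64encode(f"x-access-token:{token}".encode()).decode()
    out["Authorization"] = "Basic " + cred      # injected only at the proxy
    return out


class GitProxy(BaseHTTPRequestHandler):
    def relay(self):
        hdrs = upstream_headers(self.command, self.path, dict(self.headers),
                                os.environ["GIT_PROXY_TOKEN"])  # hypothetical name
        if hdrs is None:
            return self.send_error(403, "not an allowed repository or operation")
        body = self.rfile.read(int(self.headers.get("Content-Length") or 0))
        conn = http.client.HTTPSConnection(UPSTREAM_HOST, timeout=60)
        conn.request(self.command, self.path, body=body or None, headers=hdrs)
        resp = conn.getresponse()               # redirects are not followed
        data = resp.read()                      # whole response buffered in memory
        self.send_response(resp.status)
        self.send_header("Content-Type", resp.getheader("Content-Type", ""))
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)
        conn.close()

    do_GET = do_POST = relay


if __name__ == "__main__":
    ThreadingHTTPServer(("127.0.0.1", 8080), GitProxy).serve_forever()
```

The worker would clone with `git clone http://127.0.0.1:8080/example-org/example-repo.git`; because that hop is plain HTTP, the proxy belongs on a loopback or otherwise trusted interface. A forward proxy handling HTTPS through `CONNECT` only sees an encrypted tunnel, which is why the injection has to happen in a proxy that terminates the worker's request itself.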