1

So recently Github have change policy and only allow SSH key for authentication

So I added a public SSH key from outside contributor to my account, but will this give the full access to this outside contributor to all my repos with read/write permissions?

this outside contributor should only have access to certain repo in my account, not other repos.

so my concern is , will this add SSH key will allow her to have full access?? Please help me understand, how exactly adding a SSH key will compromise the account security??

Thanks in advance.

Username Not Exist
  • 491
  • 2
  • 5
  • 13

2 Answers2

2

It is not the case that GitHub has changed to allow only SSH keys for authentication. GitHub used to allow users to use a username and password over HTTPS if they were not using 2FA, a username and personal access token over HTTPS, or SSH using an SSH key. The only thing that has changed is that you can no longer use a username and password for HTTPS; you must use a personal access token instead of a password if you wish to use HTTPS.

If you give another user one of your personal access tokens or add one of their SSH keys to your account, they will have access to all of your repositories. This is insecure, and so you should not do it.

Instead, you should grant your contributor access using the Manage Access interface, and make sure they can access the repository using their own account. If they are using HTTPS, then they may need to either switch to SSH by changing the URL with git remote set-url git@github.com/owner/name.git (replacing owner and name) or just follow the directions outlined in this answer.

The fact that a contributor cannot access their own account is an issue that they need to address instead of having them access your account.

bk2204
  • 64,793
  • 6
  • 84
  • 100
0

Yes, putting someone else's ssh key in your account will give them full access to all your repositories.

If you want to grant someone else access to your repositories, don't add their ssh key anywhere. Just set up the access permissions on your repositories to grant access to their github account. You can find access permissions by going to "Settings" and then selecting "Manage access" (this will take you to something like https://github.com/yourname/yourrepo/settings/access).

You'll find some documentation on this process here.

larsks
  • 277,717
  • 41
  • 399
  • 399
  • 1
    yes, that's how I manage the access, but then Github suddenly change the policy saying that it doesn't allow normal password authentication, only allow SSH key – Username Not Exist Aug 14 '21 at 18:13
  • So? You still don't add the ssh key to *your* account. You collaborator adds their ssh key to *their* account. – larsks Aug 14 '21 at 18:17
  • please explain how it supposed to works? the collaborator have her private key and public key, how she can access to certain repo in my account?? Thanks – Username Not Exist Aug 14 '21 at 18:19
  • The collaborator has access to your repositories because you have granted them access using the "manage access" settings for your repository. Read through the documentation to which I linked and try it out. – larsks Aug 14 '21 at 18:24
  • thanks for replying so fast, and yes, I grant her access using "manage access" setting, but this just happen since yesterday, she said can't access to it anymore, since Github update the policy, https://github.blog/2020-12-15-token-authentication-requirements-for-git-operations/#what-you-need-to-do-today . So this just happened since yesterday, so how can we manage access now? Adding the SSH key on my account would grant her all the read/write for all my account? – Username Not Exist Aug 14 '21 at 18:32