Skip to content

Latest commit

 

History

History
88 lines (54 loc) · 9.45 KB

github.md

File metadata and controls

88 lines (54 loc) · 9.45 KB

GitHub

Deploy Key, Machine User, Personal Access Token ??

  • Building User and Organization Pages sites - User, Organization, and Project Pages - User Documentation 提到 Deploy keys aren't supported for Organization Pages sites,要改用 machine users。
  • Deploy keys - Managing deploy keys | GitHub Developer Guide
    • An SSH key that grants access to a SINGLE REPOSITORY. GitHub attaches the public part of the key directly to your repository instead of a personal user account, and the private part of the key remains on your server. 一把專為 build job 產生的 key pair。
    • Deploy keys with WRITE ACCESS can perform the same actions as an organization member with admin access, or a collaborator on a personal repository. 在新增 deploy key 時,要勾選 "Allow write access" (Can this key be used to push to this repository? Deploy keys always have pull access.),這大概是帳號 SSH key 跟 repository 的 deploy key 最大的不同,後者可以限制 write access。
    • Deploy keys only grant access to a single repository. More complex projects may have many repositories to pull to the same server. 例如有 submodule 時? 多個 project 可以用同一個 deploy key??
    • Deploy keys are usually not protected by a PASSPHRASE, making the key easily accessible if the server is compromised. 是應該要保護。
  • Machine Users - Managing deploy keys | GitHub Developer Guide
    • If your server needs to access MULTIPLE REPOSITORIES, you can create a new GitHub account and attach an SSH key that will be USED EXCLUSIVELY FOR AUTOMATION. Since this GitHub account won't be used by a human, it's called a machine user. 就當成是是一般的 user 來用,但就無法像 deploy key 一樣限制其 write access (只有 organization 可以)。
    • 好處是 Multiple keys are not needed; one per server is adequate.
    • 主要的問題跟 deploy key 一樣,Machine user keys, like deploy keys, are usually not protected by a passphrase. 是因為 CI 通常不支援受密碼保護的 key??
  • Creating a personal access token for the command line - User Documentation
    • You can create a personal access token and use it IN PLACE OF A PASSWORD when performing Git operations over HTTPS with Git on the command line or the API. 取代走 HTTPS 時會用到的 password,所以也要像密碼一樣小心保存。
    • 提到啟用 2FA 時一定要用 personal access token;但這跟 SSH 無關,因為 SSH 是走 SSH key 而非密碼,這呼應了下面 "Personal access tokens can only be used for HTTPS Git operations. If your repository uses an SSH remote URL, you will need to switch the remote from SSH to HTTPS." 的說法。
    • Personal access token 在 Settings > Developer settings > Personal access tokens 下設定,比較特別的是 Select scopes 可以控制到很細,除了 repo (Full control of private repositories) 外,還有其他 admin 的控制;應該是因為 personal access token 也用在 GitHub API 的關係,不像 deploy key 是針對 repo 內容的讀寫。

Two-Factor Authentication (2FA)

  • Securing your account with two-factor authentication (2FA) - User Documentation #ril

  • About Two-Factor Authentication - User Documentation

    • Two-factor authentication, or 2FA, is an EXTRA LAYER of security used when logging into websites or apps. With 2FA, you have to log in with your username and password and provide another form of authentication that only you know or have access to.

    • For GitHub, the second form of authentication is a code that's generated by an application on your mobile device or sent as a text message (SMS). After you enable 2FA, GitHub generates an AUTHENTICATION CODE any time someone attempts to sign into your GitHub account. The only way someone can sign into your account is if they know both your password and have access to the authentication code on your phone.

      After you configure 2FA using a mobile app or via text message, you can add a security key, like a fingerprint reader or Windows Hello. For more information, see "WebAuthn".

      在 2FA 外又有另一層保護 ??

    • Then, you can configure additional RECOVERY METHODS in case you lose access to your two-factor authentication credentials. For more information on setting up 2FA, see "Configuring two-factor authentication" and "Configuring two-factor authentication recovery methods."

    • We strongly urge you to turn on 2FA for the safety of your account, not only on GitHub, but on other websites and apps that support it. You can use 2FA to access GitHub via:

      • The GitHub website
      • The GitHub API
      • GitHub Desktop

      跟 SSH key 存取 repo 無關。

    Two-factor authentication recovery codes

    • When you configure two-factor authentication, you'll download and save your 2FA recovery codes. If you lose access to your phone, you can authenticate to GitHub using your RECOVERY CODES. For more information, see "Recovering your account if you lose your 2FA credentials."

      Warning: For security reasons, GitHub Support may not be able to restore access to accounts with two-factor authentication enabled if you lose your two-factor authentication credentials or lose access to your account recovery methods. For more information, see "Recovering your account if you lose your 2FA credentials."

      要 GitHub 客服確認你就是宣稱的那個人,確實有困難,但 GitHub > Settings > Security > Two-factor authentication 下是可以重新拿回 recovery code 的。

      除了 recovery code,還有 Fallback SMS number 與 Recovery tokens 可供選擇 #ril

    Requiring two-factor authentication in your organization

    • Organization owners can REQUIRE that organization members, billing managers, and outside collaborators use two-factor authentication to secure their personal accounts. For more information, see "Requiring two-factor authentication in your organization."

  • When you'll be asked for your SSH key passphrase as a password - Providing your 2FA authentication code - User Documentation

    透過 SSH URL 存取 repo 時,要輸入的是 SSH key passphrase 而非 2FA code (跟 2FA 無關);若是走 HTTPS URL 的話,就要輸入 personal access token。

  • Providing your 2FA authentication code - User Documentation #ril

    • 啟用 2FA 後,存取 GitHub 除了要提供 password,還會被問 2FA authentication code -- 依設定不同,authentication code 可能由手機上的 app 產生,也可能由 SMS 傳送過來。
    • 如果 authentication code 多次驗證失敗,有可能是手機的時間不對。

  • Requiring two-factor authentication in your organization - User Documentation 從 organization 的層級要求 2FA,沒有啟用 2FA 的人會從 organization 被移除,要啟用 2FA 並重新接受 invitation 才能回到 organization #ril

  • 啟用 2FA 時,要選 Set up using an app 或 Set up using SMS。

    • 按下 Set up using an app 後會提示 16 組 recovery code -- 收不到 authentication code 時可以用,建議存到 password manager (例如 Lastpass、1Password、Keeper 等)。
    • 安裝 Google Authenticator,掃描條碼就可以新增一個帳戶並取得 authentication code,輸入後即可完成 2FA 啟用。

  • Configuring two-factor authentication using a TOTP mobile app - Configuring two-factor authentication - GitHub Help

    • A TIME-BASED one-time password (TOTP) application automatically generates an authentication code that changes after a certain period of time. We recommend using cloud-based TOTP apps such as: 1Password, Authy, LastPass Authenticator

      竟然沒有 Google Authenticator?

    • Tip: To configure authentication via TOTP on MULTIPLE DEVICES, during setup, scan the QR code using each device AT THE SAME TIME.

      If 2FA is already enabled and you want to add another device, you must re-configure 2FA from your security settings.

      聽起來 QR code 是有時限的,之後若要換手機 (或重裝 app) 就得重新設定;按之前的經驗,2FA 需先改用 SMS 再切回 mobile app (切換過中會重新產生 recovery codes),否則設定畫面的 Set up using an app 按下去也只是看到 recovery codes 而已。

  • Configuring two-factor authentication via a TOTP mobile app - User Documentation SMS 在美國以外可能收不到 #ril

Search ??