I need to add ssh keys "dynamically" in the file ssh_config, but I can't edit it because it's read only. Did you already add some keys in a Heroku instance?
Flow -> User signup -> New Key is generated and the public_key is sent to the User and the server edits the ssh_config file.
I am trying to access the Github repo which sits behind an enterprise firewall (Open VPN). I am trying to access with my username and password but getting the below Exception. Any suggestions on how to access the repo with Spring Cloud.
application.properties:
spring.cloud.config.server.git.uri=https://github.com/company-repo/abc.git
spring.cloud.config.server.git.username=tarun
spring.cloud.config.server.git.password=xxxxx
spring.cloud.config.server.git.ignore-local-ssh-settings=true
Exception:
Error occured cloning to base directory. org.eclipse.jgit.api.errors.TransportException:
https://github.com/company-repo/abc.git: not authorized
Do not use your GitHub password in your app.prop file... You will get a Not Authorized exception. Instead, generate an access token.
Creating a personal access token
You should create a personal access token to use in place of a password with the command line or with the API.
Personal access tokens (PATs) are an alternative to using passwords for authentication to GitHub when using the GitHub API or the command line.
If you want to use a PAT to access resources owned by an organization that uses SAML SSO, you must authorize the PAT. For more information, see "About authentication with SAML single sign-on" and "Authorizing a personal access token for use with SAML single sign-on."
As a security precaution, GitHub automatically removes personal access tokens that haven't been used in a year.
Creating a token
Verify your email address, if it hasn't been verified yet.
In the upper-right corner of any page, click your profile photo, then click Settings.
In the left sidebar, click Developer settings.
In the left sidebar, click Personal access tokens.
Click Generate new token.
Give your token a descriptive name.
Select the scopes, or permissions, you'd like to grant this token. To use your token to access repositories from the command line, select repo.
Click Generate token.
Click to copy the token to your clipboard. For security reasons, after you navigate off the page, you will not be able to see the token again.
Warning: Treat your tokens like passwords and keep them secret. When working with the API, use tokens as environment variables instead of hardcoding them into your programs.
To use your token to authenticate to an organization that uses SAML SSO, authorize the token for use with a SAML single-sign-on organization.
Using a token on the command line
Once you have a token, you can enter it instead of your password when performing Git operations over HTTPS.
For example, on the command line you would enter the following:
$ git clone https://github.com/username/repo.git
Username: your_username
Password: your_token
Personal access tokens can only be used for HTTPS Git operations. If your repository uses an SSH remote URL, you will need to switch the remote from SSH to HTTPS.
If you are not prompted for your username and password, your credentials may be cached on your computer. You can update your credentials in the Keychain to replace your old password with the token.
The way I made it work is:
Generate the Access Token on Github repo and provide read and admin rights to it
Use the Token as password
Credentials can be saved in Kubernetes as Secrets or inside Vault. Hope this helps.
I'm trying to create a Spring Cloud Config Server to retrieve configuration files from a private GitHub repository. My GitHub account has 2 Factor Authentication activated so I wasn't expecting the below configuration to work, which it didn't but I can't find any documentation to suggest what I need to do in order to make it work.
What configuration do I need to set that will allow the connection to work?
spring.cloud.config.server.git.uri=https://github.com/DanBonehill/photo-app-config
spring.cloud.config.server.git.username=USERNAME
spring.cloud.config.server.git.password=PASSWORD
Error
org.eclipse.jgit.api.errors.TransportException: https://github.com/DanBonehill/photo-app-config: not authorized
What you could try and do (have not tested this), is create a personal access token from the Github console.
Then configure
spring.cloud.config.server.git.username=<yourusername>
spring.cloud.config.server.git.password=<yourtoken>
Instead of using username and password you should use an ssh key, the official documentation can guide you through it!
Basic authentication using a password to Git is deprecated and will soon no longer work. Visit https://github.blog/2020-12-15-token-authentication-requirements-for-git-operations/ for more information around suggested workarounds and removal dates.
You can solve this in 2 minutes. This problem is because on August 13, 2021 GitHub updated the login form. To solve this:
1) Log in to your GitHub and follow this path: Settings > Developer settings > Personal access tokens > Generate new token
2) Now set a long expiration time for the token, check "repo" to allow access to the repository with this token, and generate the token.
3) Now skip your GitHub password, because the token you created is your new password; replace it in every application, server and terminal that needs to access GitHub.
4) Now configure your Spring configuration server. This is the content of the file "application.properties" of the Spring configuration server, at path /src/main/resources/application.properties.
# your GitHub repository
spring.cloud.config.server.git.uri=https://github.com/"username"/"repository"
# if your files are in some folder
spring.cloud.config.server.git.search-paths=myFilesFolder
# your username
spring.cloud.config.server.git.username=testUsername
# here is your newly created token
spring.cloud.config.server.git.password=gti_FdsweecSoUSHPsdfw
Trying to figure out how to force command-line git to use a GitHub token. If I clone the repository with user name and token like git clone https://<user>:<mytoken>@git.web.com/organization/repository then everything works fine.
When I try to clone without the user name or token then the operation fails with an error:
remote: Password authentication is not available for Git Operations.
remote: You must use a personal access token or SSH key.
I would like to store that token somewhere so that I would not have to give it to git every time. Where should I store the token?
I tried to add token variable to a [user] section in .gitconfig file but it did not work.
Tried unsetting and setting (wincred) credential helper but that did not work either.
You should enable a credential manager, such as wincred, and then when Git prompts you for the username and password, enter the username and your token as the password. Git will then tell the credential helper to save the password in the system credential store, and future operations to the same server will reuse those credentials.
This is much more secure than using the token in the URL, because the system credential store is encrypted, whereas the file containing the URL is not.
It may be the case that you already have invalid credentials saved for that remote which are causing the failure; if so, see this answer for instructions on how to remove them so Git prompts you again, and then follow the steps above.
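A clone made with the token in the URL leaves that URL, token included, in the repository's .git/config, which is the unencrypted file the answer above refers to. The following check is an added example, not part of the original thread; the function names and the sample host, user and token are constructed for illustration.

```shell
#!/bin/sh
# Added example: find tokens that a
# `git clone https://<user>:<token>@host/...` left behind in a Git config file.

# urls_with_secrets FILE
# Prints "LINE: URL" for every url/pushurl value of the form
# http(s)://user:password@host/..., with the password replaced by ***.
# Exit status is 1 if anything was found, 0 otherwise.
urls_with_secrets() {
    awk '
        /^[ \t]*(url|pushurl)[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, "")               # keep only the value
            if (match($0, "^https?://[^/@:]*:[^/@]+@")) {
                p    = index($0, "://") + 3        # first char of userinfo
                info = substr($0, p, RLENGTH - p)  # "user:password"
                user = substr(info, 1, index(info, ":") - 1)
                rest = substr($0, RLENGTH + 1)     # host/path after the "@"
                print NR ": " substr($0, 1, p - 1) user ":***@" rest
                found = 1
            }
        }
        END { exit (found ? 1 : 0) }
    ' "$1"
}

# Constructed sample: what .git/config looks like after cloning with the
# token in the URL (host, user and token are made up).
sample_config() {
    printf '[remote "origin"]\n'
    printf '\turl = https://alice:EXAMPLE_TOKEN@git.example.com/org/repo.git\n'
    printf '[remote "mirror"]\n'
    printf '\turl = https://git.example.com/org/mirror.git\n'
}
```

For a repository that is flagged, `git remote set-url origin <url without the user:token part>` removes the stored copy; the token itself should be revoked and replaced, then entered once through the credential helper.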
I recently hosted my website on the live server but I'm not sure how to change the credentials in my .env file for it to work on the live server.
You just need to create a mail account on your server and go to the mail settings of your server.
You will find the outgoing server URL, username and password, which you need to replace in the .env file.
I'm not sure if I should be asking this here or in Server Fault, feel free to flag the question and migrate it if necessary.
I have some servers which I would like to add an extra security layer. Actually we are using key authentication with passphrase.
We bought some Yubikeys (OTP password generator) that I would like to use. I created a system that validates the Yubikey and that the owner of the Yubikey is authorized to login. In order to use this system I created the ~/.ssh/rc where I ask the user to press the Yubikey and then I use a remote server to validate it.
So far so good, it works perfectly when trying to login via ssh. Here comes the problem: when I try to scp to a server that has this extra protection it throws the following error:
/dev/tty: No such device or address
The error is thrown by the line where I ask the user to enter the OTP:
read -sp "Press your Yubikey..." OTP < /dev/tty
This doesn't happen when I ssh from one server to another that has this extra protection.
scp doesn't start an interactive session so there isn't a terminal to connect to (and so no /dev/tty to read from).
You need to detect that and not try to read from it in that case.
That being said this is likely the wrong way to have gone about doing this. ssh is most likely configured on your system to use pam and there is a pam module for yubikey that can be used to use a yubikey as part of the ssh authentication for an account. See https://developers.yubico.com/yubico-pam/ for the basics.
Their configuration uses the yubikey as the only authentication; you will need to configure pam slightly differently to get it to be an additional piece of required login information instead. (Assuming, of course, that you want this to work for the scp case instead of just skipping it for the scp case.)
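The detection step described in this answer, as an added example that is not part of the original answer: it tests whether the terminal can actually be opened before prompting. The function names and the return code 2 are choices made for this example.

```shell
#!/bin/sh
# Added example: guard the OTP prompt in ~/.ssh/rc so it only reads from a
# terminal that really exists.

# tty_usable PATH: succeed only if PATH can actually be opened for reading.
# /dev/tty exists as a device node even when the session has no controlling
# terminal (as with scp), so `[ -r /dev/tty ]` is not enough; it is the
# open() itself that fails with "No such device or address".
tty_usable() {
    ( exec < "$1" ) 2>/dev/null
}

# prompt_otp [PATH]: print the OTP read from PATH (default /dev/tty).
# Returns 2 without prompting when no terminal is available.
prompt_otp() {
    tty=${1:-/dev/tty}
    tty_usable "$tty" || return 2
    printf 'Press your Yubikey... ' >&2
    # Disable echo only if PATH is a real terminal; restore it afterwards.
    saved=$(stty -g < "$tty" 2>/dev/null) || saved=
    [ -n "$saved" ] && stty -echo < "$tty"
    IFS= read -r otp < "$tty" || :
    [ -n "$saved" ] && stty "$saved" < "$tty"
    printf '\n' >&2
    printf '%s\n' "$otp"
}

# Hypothetical use inside ~/.ssh/rc:
#   if OTP=$(prompt_otp); then
#       ... validate "$OTP" against the remote server, as before ...
#   else
#       # No terminal: this session cannot present an OTP. Record it and
#       # decide explicitly what to do; silently skipping means scp
#       # sessions are not covered by the OTP check.
#       logger -t ssh-rc "no tty for $USER, OTP not requested"
#   fi
```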
As pointed out by Etan, you really should just use PAM for this.
Note that you don't have to ask for the user to press the Yubikey either. The pam_yubico.so module will pass through anything you type before the challenge response to the next module in the PAM stack. Look at the try_first_pass flag in pam_unix(8) for instance.
Just type the password, don't press enter, then press the Yubikey.
You can implement your own module to do the database check. Writing PAM modules isn't that hard.
Something like this in /etc/pam.d/sshd:
# auth
auth requisite /usr/local/lib/security/pam_yubico.so id=[yours] key=[yours] authfile=/etc/yubikey_mappings
auth required pam_unix.so no_warn try_first_pass
Try logging in:
% slogin hogfather
YubiKey for `philip': [password][yubikey]
Last login: Thu Mar 5 01:13:55 2015 from twoflower.trouble.is
OK, you want the yubikey authentication plus an authorization that checks whether the user is allowed to log in at this server.
You might want to take a look at privacyIDEA.
This is an OTP authentication backend. You can even initialize your yubikeys if you like to. Use pam_radius to forward the auth request to privacyIDEA. (no hassle with scp).
privacyIDEA can
check the OTP value of the yubikey AND
use policies to check if the user is allowed to log in on that machine with this token type or token serial number. See readthedocs