Have you been using Git on the command line? Notice how you have to always type in your password? Not only is this SUPER annoying, it also presents a security issue. Here's a bunch of ways to authenticate Git so you don't have to type a password with every action. It will also keep your code more safe and secure.
If you're using Git and GitHub then there are a few ways to authenticate to ensure your code is secure.
SSH keys
If you work in tech, you've probably heard the term SSH keys. The term often comes up when you're trying to log in or use a cloud service outside a web browser. It's also a term associated with connecting from one machine to another.
SSH (Secure Shell) is a protocol for connecting securely from one machine to another, and SSH keys are what you use with it when you need to authenticate to a provider. Using the SSH protocol makes a network much more secure: someone can't just log in remotely from one system to another. Instead, encryption is used to manage the login and so protect your login details.
There are lots of different types of SSH keys. If you're on Windows, it's pretty easy to authenticate as you'll see below. If you're using macOS, you can generate SSH keys in order to authenticate your GitHub account. Check out the GitHub Docs for how to manually generate keys.
Personal Access Tokens
You don't have to use the terminal to set up authentication. If the command line isn't your cup of tea, you can generate a personal access token from the GitHub website:
- Go to GitHub.com
- Select "Settings"
- Scroll down and select "Developer Settings" from the left
- Select "Personal Access Tokens" from the left
- Create your Token
In these settings you can generate and manage tokens.
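Once a token exists, Git still needs a way to supply it over HTTPS in place of a typed password, and that is the job of a credential helper. The sketch below is an added example, not code from the original post or from GitHub: a minimal helper that answers Git's lookup request with a token read from a file, and only for HTTPS requests to github.com. The names pat_helper, PAT_FILE, GITHUB_USER and the token path are assumptions made for illustration.

```shell
#!/bin/sh
# Illustrative Git credential helper. Git runs a helper with one action
# (get, store or erase) and writes key=value request attributes to stdin.
# Hypothetical names: pat_helper, PAT_FILE, GITHUB_USER and the token path.

PAT_FILE="${PAT_FILE:-$HOME/.config/git/github-pat}"

pat_helper() {
    # Answer lookups only; this helper never stores or erases anything.
    [ "$1" = "get" ] || return 0

    protocol="" host=""
    while IFS='=' read -r key value; do
        [ -n "$key" ] || break      # a blank line ends the request
        case "$key" in
            protocol) protocol=$value ;;
            host)     host=$value ;;
        esac
    done

    # Release the token only for HTTPS requests to github.com, so it is
    # never offered over plain HTTP or to any other host.
    [ "$protocol" = "https" ] && [ "$host" = "github.com" ] || return 0

    # Refuse a missing token file, or one that group or others can access.
    [ -f "$PAT_FILE" ] || return 0
    case "$(ls -ld "$PAT_FILE" | cut -c1-10)" in
        -r?-------) ;;
        *) echo "pat_helper: $PAT_FILE is accessible to other users" >&2
           return 0 ;;
    esac

    # Git uses the token wherever it would have prompted for a password.
    printf 'username=%s\n' "${GITHUB_USER:-your-username}"
    printf 'password=%s\n' "$(cat "$PAT_FILE")"
}

# To install: save as an executable script that ends with
#   pat_helper "$@"
# and point Git at it for GitHub only:
#   git config --global credential.https://github.com.helper /path/to/script
```

For everyday use, a helper backed by the operating system's keychain, such as the credential managers covered further down this page, keeps the token out of a plain file.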
OAuth Applications
There's also a way for you to track which applications have access to your GitHub account:
- Go to GitHub.com
- Select "Settings"
- Scroll down to "Applications"
- Click "Authorized OAuth Apps"
Now you can see which applications have access to your GitHub account and revoke any if necessary.
Note, this isn't the same place as your Developer Settings OAuth Apps. If you are creating applications and you want to enable GitHub authentication, then check out the GitHub Docs on creating and authorising OAuth apps.
Credential Manager
Unless you're a Windows user (hello there), you will have noticed that you need to enter your password with every Git operation. When you install Git on Windows, a credential manager is automatically installed on your computer. This means you only need to log into your account once and then you are authenticated.
We can replicate this on macOS and Linux as well. Using a client manager such as Git Credential Manager Core (GCM Core) is one way to do single-factor authentication on macOS and Linux. The Linux version of this is still in preview, but you can try it out now.
git-ecosystem / git-credential-manager
Secure, cross-platform Git credential storage with authentication to GitHub, Azure Repos, and other popular Git hosting services.
Git Credential Manager
Git Credential Manager (GCM) is a secure Git credential helper built on .NET that runs on Windows, macOS, and Linux. It aims to provide a consistent and secure authentication experience, including multi-factor auth, to every major source control hosting service and platform.
GCM supports (in alphabetical order) Azure DevOps, Azure DevOps Server (formerly Team Foundation Server), Bitbucket, GitHub, and GitLab. Compare to Git's built-in credential helpers (Windows: wincred, macOS: osxkeychain, Linux: gnome-keyring/libsecret), which provide single-factor authentication support for username/password only.
GCM replaces both the .NET Framework-based Git Credential Manager for Windows and the Java-based Git Credential Manager for Mac and Linux.
Install
See the installation instructions for the current version of GCM for install options for your operating system.
Current status
Git Credential Manager is currently available for Windows, macOS, and Linux*. GCM only works with HTTP(S) remotes; you can still use Git with SSH:
- …
If you want to try a few things other than the Git command line or webpage, there are a few options.
Authenticate with GitHub Desktop
Since GitHub Desktop launched a couple of years ago, it has been a great way to use GitHub. Not only can you manage your repos, but it's also a great way to authenticate and manage your account.
Download GitHub Desktop and log into your account. This will open a browser window so you can authenticate. There's also a light and dark mode!
In a similar way, you can authenticate other applications, such as editors like VS Code or Atom, or other Git clients like GitKraken. Don't forget you can go into OAuth settings to see which applications you've given access to GitHub.
GitHub CLI
Yes, it's still the command line, but GitHub has its own CLI. You can download it, then run gh auth login and follow the steps. This will allow access to your GitHub account and you can continue using the command line as normal. You can even run gh auth login --with-token to use a personal token.
The CLI is available on Windows, macOS, and Linux. It's completely free and it's open source so you can even contribute to it.
Using physical security keys
Lately, physical security keys, such as a YubiKey, have been very popular. They are a great way to secure your account and can't be replicated.
YubiKeys are also really easy to set up as 2FA:
- Go to GitHub.com
- Click "Account Security"
- Scroll down to "Security keys" and click "edit"
- Select "Register new security key" and follow the prompts
If you decide to set up a security key, you'll need to save your recovery codes in a secure location. If you have 2FA or security keys for your account, recovery codes are the only way to access your account if you lose your YubiKey or can't use your 2FA. It was also recently announced that you can use a YubiKey as your SSH private key. Check out the YubiKey blog to read more about the announcement and how to set up your YubiKey.
YubiKeys are also really great because they can be used on desktops, laptops, and mobile phones. There's a bunch of different types, from Lightning to USB-A, USB-C, and even NFC. Read more about security keys on the GitHub Docs.
Up your security and save time
Hopefully that gives you some ideas on how to take your security to the next level AND save time by not typing in your password with every Git command. If you want to read more about security keys or SSH keys, check out the GitHub blog.
I'm curious to know what everyone's preferred method of authentication is. Let me know below.
Top comments (6)
Good morning.
There is no need to install any additional software. You can use Git with your standard ssh configuration by creating a keypair locally and setting the public key in your GitHub preferences.
docs.github.com/en/github/authenti...
After that, create a “config” file in your .ssh directory and add some information to it; then git uses the ssh credentials with your newly created key.
The complete setup is described here devconnected.com/how-to-setup-ssh-...
I was wondering about this statement. I use macOS and never have to enter a password for every git operation. The git credentials manager is great, but one can use the old and trusted ssh-agent for managing ssh keys, which avoids the need for a password prompt.
Or am I misunderstanding? Is the password prompted for every operation if using the https protocol? Maybe that is indeed the case, but I never use it since the ssh protocol is easiest to manage.
Going to send to all the noobs still using https with git-hub/lab and putting in their password on each commit. <3
Oh yay, so glad it's useful.
Seems like you only give half the story... So you have a Personal Access Token, so what do you do with it? How do you make git permanently eat it?
Just yesterday I noticed that I'm able to use GitHub via HTTPS without a password (git CLI on Mac). I'm still curious why.