[18330] in athena10


Re: Fwd: [ACTION REQUIRED] Your GitHub account, athena-github-sync,

daemon@ATHENA.MIT.EDU (Alex Chernyakhovsky)
Tue Dec 5 21:20:06 2023

MIME-Version: 1.0
In-Reply-To: <c89e2ade-3114-4458-813a-24c2737d200d@app.fastmail.com>
From: "Alex Chernyakhovsky" <achernya@mit.edu>
Date: Tue, 5 Dec 2023 21:19:47 -0500
Message-ID: <CAB18ysqJK0G5wq-eDStF4b8nU45BB2+ZbqpQo-YJwMC-3xVP=Q@mail.gmail.com>
To: Geoffrey Thomas <geofft@ldpreload.com>
CC: Lizhou Sha <slz@mit.edu>, <debathena@mit.edu>
Content-Type: multipart/alternative; boundary="000000000000d0ccf8060bcdfc3a"


On Tue, Dec 5, 2023 at 8:52 PM Geoffrey Thomas <geofft@ldpreload.com> wrote:

> Ah, right, deploy keys can write these days, but you have to set them up
> per-repository, and you can't use the same SSH key for multiple
> repositories, which is maybe annoying. (Or maybe scriptable.)
>
> I *think* you can create a GitHub App, store the private key on
> drugstore, and on each hook call, sign a JWT with that private key and use
> that to get a short-lived "installation access token", which you can then
> use as a password for git+https with username "x-access-token":
> https://docs.github.com/en/authentication/connecting-to-github-with-ssh/managing-deploy-keys#github-app-installation-access-tokens
> You can simplify this by installing a Git credential helper and pointing it
> at the private key. Looks like there are a few implementations of this
> already, e.g. https://github.com/Avinode/git-credential-github-apps and
> https://github.com/uw-ipd/git-credential-github-app-auth.
>
<insert the infamous mongodb comic strip>
There's no way that's better than just storing the TOTP credentials for
this user in some backup-enabled storage. We barely are succeeding in doing
the debathena development we're paid^Wvolunteering to do, let alone manage
the infrastructure to manage a github app we barely use.

>
>
> But that GitHub docs page also talks about machine users in the next
> section, so that makes it sound like it's reasonable to keep the machine
> user approach.
>
> There's a handful of easy ways to do TOTP from the command line e.g.
> https://github.com/pyauth/pyotp so we could keep the seed on disk (on
> drugstore or demeter or even AFS) for whenever someone needs to log in
> interactively.
>
> --
> Geoffrey Thomas
> geofft@ldpreload.com
>
> On Tue, Dec 5, 2023, at 6:57 PM, Lizhou Sha wrote:
>
> I thought this is the account that is used by Debathena git repo hooks to
> push from local copy to GitHub. I don't think GHA is appropriate in this
> case.
>
> We can however explore whether we can use GitHub action to perform the
> pre-commit hooks for validation.
>
> OAuth token is certainly a possibility, but doesn't it still require an
> account to issue those tokens in the first place?
>
>
> I like the idea of keeping the TOTP token on the build host or the
> Debathena git repo host (drug-store?). We can even keep it in a KeePass
> database, as KeePassXC comes with built-in TOTP capabilities. (Problem: are
> we comfortable installing KeePassXC on the repo host and allowing
> X-Forwarding??? Or is there a command line thing that can do TOTP?)
>
> Best,
> Lizhou
>
> On Tue, Dec 5, 2023 at 5:19 PM Geoffrey Thomas <geofft@ldpreload.com> wrote:
>
>
> GitHub has pretty good support these days for automation through GitHub
> Actions and OAuth tokens and such, without needing an actual account. What
> is this account doing / can we migrate it to GHA?
>
> --
> Geoffrey Thomas
> geofft@ldpreload.com
>
> On Tue, Dec 5, 2023, at 5:39 PM, Lizhou Sha wrote:
>
> What do?
>
> ---------- Forwarded message ---------
> From: *GitHub* <noreply@github.com>
> Date: Tue, Dec 5, 2023 at 2:21 PM
> Subject: [ACTION REQUIRED] Your GitHub account, athena-github-sync, will
> soon require 2FA
> To: Athena Github Synchronization Robot <athena-github-sync@mit.edu>
>
>
> Hey athena-github-sync!
>
>
> We're reaching out to let you know that, as announced last year, we have
> officially begun requiring users who contribute code on GitHub.com to have
> two-factor authentication (2FA) enabled.
>
> Your account meets this criteria, and you will need to enroll in 2FA
> within 45 days, by January 19th, 2024 at 00:00 (UTC). After this date, your
> access to GitHub.com will be limited until you enroll in 2FA. Enrolling is
> easy, and we support several options, starting with TOTP apps and text
> messages (SMS) and then adding on passkeys and the GitHub Mobile app.
>
> Click here to enroll in 2FA
> <https://github.com/settings/two_factor_authentication/setup/intro>.
>
> Making the software supply chain more secure is a team effort, and we
> can't do it without you. Your enrollment in 2FA is an impactful step in
> keeping the world's software secure. If you want to learn more about this
> change, please take a look at our documentation about the program
> <https://docs.github.com/authentication/securing-your-account-with-two-factor-authentication-2fa>.
>
> To see this and other security events for your account, visit your
> account security audit log. <https://github.com/settings/security-log>
>
> If you run into problems, please contact support by visiting the GitHub
> support page. <https://github.com/contact>
>
>
> Thanks,
> The GitHub Team
>
>
>
>
>
> --
> Lizhou Sha
> Class of 2018
>
>
>
>
> --
> Lizhou Sha
> Class of 2018
>
>
>
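Lizhou's question above about a command-line TOTP tool, and Geoffrey's pyotp pointer, as an added example that is not from the thread or from Debathena: a pure-stdlib Python generator and verifier for an RFC 6238 seed kept on disk, where the seed-file path is an assumption.

```python
#!/usr/bin/env python3
"""RFC 6238 TOTP for a machine account whose seed lives on disk.

Added example, not code from the thread or from Debathena: a pure-stdlib
stand-in for pyotp, so nothing needs installing on the repo host.
SEED_FILE is an assumed location, not a path Debathena actually uses.
"""
import base64
import hashlib
import hmac
import struct
import time
from pathlib import Path

SEED_FILE = Path.home() / ".athena-github-sync.totp"  # assumption


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def decode_seed(base32_seed: str) -> bytes:
    """GitHub shows the seed as base32, often unpadded and with spaces."""
    seed = base32_seed.replace(" ", "").upper()
    return base64.b32decode(seed + "=" * (-len(seed) % 8))


def totp(base32_seed: str, at=None, step: int = 30) -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / step)."""
    now = time.time() if at is None else at
    return hotp(decode_seed(base32_seed), int(now // step))


def verify(base32_seed: str, code: str, at=None, window: int = 1, step: int = 30) -> bool:
    """Accept the current step and +/- `window` neighbours, compared in constant time."""
    now = time.time() if at is None else at
    return any(hmac.compare_digest(totp(base32_seed, now + k * step, step), code)
               for k in range(-window, window + 1))


def seconds_remaining(at=None, step: int = 30) -> int:
    """How long the code printed right now stays valid."""
    now = time.time() if at is None else at
    return step - int(now) % step


if __name__ == "__main__":
    seed = SEED_FILE.read_text().strip()
    print(totp(seed), f"(valid for {seconds_remaining()}s)")
```

The seed file should be readable only by the account that runs the hook; the script never writes it.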

