[18352] in athena10

Re: Fwd: [ACTION REQUIRED] Your GitHub account, athena-github-sync, will soon

daemon@ATHENA.MIT.EDU (Geoffrey Thomas)
Thu Jan 11 23:45:35 2024

MIME-Version: 1.0
Message-Id: <004cca1b-704f-44ee-8050-07d640d7ae4b@app.fastmail.com>
In-Reply-To: <CAB18ysqJK0G5wq-eDStF4b8nU45BB2+ZbqpQo-YJwMC-3xVP=Q@mail.gmail.com>
Date: Thu, 11 Jan 2024 23:45:07 -0500
From: "Geoffrey Thomas" <geofft@ldpreload.com>
To: "Alex Chernyakhovsky" <achernya@mit.edu>
Cc: "Lizhou Sha" <slz@mit.edu>, debathena@mit.edu

OK so is someone migrating this account to 2FA with a TOTP secret stored somewhere?

I'm happy to do it and put the TOTP secret in AFS - but neither the password in /mit/debathena/Private/athena-github-sync nor the one in drugstore:/git/athena/private/github-password seem to work for me. Anyone know where the current password is, before I do a password reset?

I can instead put the secret on zulu or drugstore with a backup in my personal password manager if anyone feels like AFS (+ normal AFS backups) is not a good place for it.

On a side note:
- AFS on zulu seems to be wedged, which is blocking login because we do an aklog (you can Ctrl-C it). Any harm in rebooting the box? (Do I need to coordinate with ops or whatever the equivalent team is now to set monitoring downtime?)
- athenasnap@drugstore's shell is tcsh?? There looks to be meaningful stuff in .bash_history, can we change this?

-- 
Geoffrey Thomas
geofft@ldpreload.com

On Tue, Dec 5, 2023, at 9:19 PM, Alex Chernyakhovsky wrote:
>
> On Tue, Dec 5, 2023 at 8:52 PM Geoffrey Thomas <geofft@ldpreload.com> wrote:
>> Ah, right, deploy keys can write these days, but you have to set them up per-repository, and you can't use the same SSH key for multiple repositories, which is maybe annoying. (Or maybe scriptable.)
>>
>> I *think* you can create a GitHub App, store the private key on drugstore, and on each hook call, sign a JWT with that private key and use that to get a short-lived "installation access token", which you can then use as a password for git+https with username "x-access-token": https://docs.github.com/en/authentication/connecting-to-github-with-ssh/managing-deploy-keys#github-app-installation-access-tokens You can simplify this by installing a Git credential helper and pointing it at the private key. Looks like there are a few implementations of this already, e.g. https://github.com/Avinode/git-credential-github-apps and https://github.com/uw-ipd/git-credential-github-app-auth.
> <insert the infamous mongodb comic strip>
> There's no way that's better than just storing the TOTP credentials for this user in some backup-enabled storage. We barely are succeeding in doing the debathena development we're paid^Wvolunteering to do, let alone manage the infrastructure to manage a github app we barely use.
>>
>> But that GitHub docs page also talks about machine users in the next section, so that makes it sound like it's reasonable to keep the machine user approach.
>>
>> There's a handful of easy ways to do TOTP from the command line e.g. https://github.com/pyauth/pyotp so we could keep the seed on disk (on drugstore or demeter or even AFS) for whenever someone needs to log in interactively.
>>
>> -- 
>> Geoffrey Thomas
>> geofft@ldpreload.com
>>
>> On Tue, Dec 5, 2023, at 6:57 PM, Lizhou Sha wrote:
>>> I thought this is the account that is used by Debathena git repo hooks to push from local copy to GitHub. I don't think GHA is appropriate in this case.
>>>
>>> We can however explore whether we can use GitHub action to perform the pre-commit hooks for validation.
>>>
>>> OAuth token is certainly a possibility, but doesn't it still require an account to issue those tokens in the first place?
>>>
>>> I like the idea of keeping the TOTP token on the build host or the Debathena git repo host (drug-store?). We can even keep it in a KeePass database, as KeePassXC comes with built-in TOTP capabilities. (Problem: are we comfortable installing KeePassXC on the repo host and allowing X-Forwarding??? Or is there a command line thing that can do TOTP?)
>>>
>>> Best,
>>> Lizhou
>>>
>>> On Tue, Dec 5, 2023 at 5:19 PM Geoffrey Thomas <geofft@ldpreload.com> wrote:
>>>> GitHub has pretty good support these days for automation through GitHub Actions and OAuth tokens and such, without needing an actual account. What is this account doing / can we migrate it to GHA?
>>>>
>>>> -- 
>>>> Geoffrey Thomas
>>>> geofft@ldpreload.com
>>>>
>>>> On Tue, Dec 5, 2023, at 5:39 PM, Lizhou Sha wrote:
>>>>> What do?
>>>>>
>>>>> ---------- Forwarded message ---------
>>>>> From: *GitHub* <noreply@github.com>
>>>>> Date: Tue, Dec 5, 2023 at 2:21 PM
>>>>> Subject: [ACTION REQUIRED] Your GitHub account, athena-github-sync, will soon require 2FA
>>>>> To: Athena Github Synchronization Robot <athena-github-sync@mit.edu>
>>>>>
>>>>> Hey athena-github-sync!
>>>>>
>>>>> We're reaching out to let you know that, as announced last year, we have officially begun requiring users who contribute code on GitHub.com to have two-factor authentication (2FA) enabled.
>>>>>
>>>>> Your account meets this criteria, and you will need to enroll in 2FA within 45 days, by January 19th, 2024 at 00:00 (UTC). After this date, your access to GitHub.com will be limited until you enroll in 2FA. Enrolling is easy, and we support several options, starting with TOTP apps and text messages (SMS) and then adding on passkeys and the GitHub Mobile app.
>>>>>
>>>>> Click here to enroll in 2FA <https://github.com/settings/two_factor_authentication/setup/intro>.
>>>>>
>>>>> Making the software supply chain more secure is a team effort, and we can't do it without you. Your enrollment in 2FA is an impactful step in keeping the world's software secure. If you want to learn more about this change, please take a look at our documentation about the program <https://docs.github.com/authentication/securing-your-account-with-two-factor-authentication-2fa>.
>>>>>
>>>>> To see this and other security events for your account, visit your account security audit log. <https://github.com/settings/security-log>
>>>>>
>>>>> If you run into problems, please contact support by visiting the GitHub support page. <https://github.com/contact>
>>>>>
>>>>> Thanks,
>>>>> The GitHub Team
>>>>>
>>>>> --
>>>>> Lizhou Sha
>>>>> Class of 2018
>>>
>>> --
>>> Lizhou Sha
>>> Class of 2018
>>
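The "command line thing that can do TOTP" the thread lands on (pyotp, with the seed kept on drugstore or in AFS) is just RFC 6238 over a base32 seed. The following stdlib-only implementation is an added illustration, not code from the thread or from pyotp; it uses the parameters GitHub's TOTP enrollment uses (SHA-1, 30-second step, 6 digits) and is checked against the RFC 4226/6238 test key. The seed value and the seed-file path are constructed for the example.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import List, Optional


def hotp(key: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the big-endian 8-byte counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def decode_seed(seed: str) -> bytes:
    """Base32 seed as shown on a TOTP setup page; tolerates spaces, lower case and missing padding."""
    clean = seed.replace(" ", "").upper()
    clean += "=" * (-len(clean) % 8)
    return base64.b32decode(clean)


def totp(seed: str, at: Optional[float] = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    now = time.time() if at is None else at
    return hotp(decode_seed(seed), int(now // step), digits)


def totp_window(seed: str, at: Optional[float] = None, step: int = 30, skew: int = 1) -> List[str]:
    """Codes for the previous, current and next steps: what a verifier tolerating clock drift accepts."""
    now = time.time() if at is None else at
    counter = int(now // step)
    key = decode_seed(seed)
    return [hotp(key, counter + d, 6) for d in range(-skew, skew + 1)]


# Constructed seed: the RFC 4226/6238 test key "12345678901234567890" in base32.
RFC_TEST_SEED = base64.b32encode(b"12345678901234567890").decode()

if __name__ == "__main__":
    # In real use read the seed from a mode-0600 file instead, e.g. (constructed path)
    # seed = open("/mit/debathena/Private/athena-github-sync-totp").read().strip()
    print(totp(RFC_TEST_SEED))
```

Because the code is a pure function of seed and clock, anyone who can read the seed file can mint codes, which is why the thread's question about where (and with what backups and permissions) the seed lives is the whole security decision.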
