[18353] in athena10
Re: Fwd: [ACTION REQUIRED] Your GitHub account, athena-github-sync,
daemon@ATHENA.MIT.EDU (Alex Chernyakhovsky)
Fri Jan 12 09:23:54 2024
In-Reply-To: <004cca1b-704f-44ee-8050-07d640d7ae4b@app.fastmail.com>
From: "Alex Chernyakhovsky" <achernya@mit.edu>
Date: Fri, 12 Jan 2024 09:23:37 -0500
Message-ID: <CAB18ysoP-_7=0Yn=5d1_9E6640nOd+=fx19oOh7rurs-_k=DPQ@mail.gmail.com>
To: Geoffrey Thomas <geofft@ldpreload.com>
Cc: Alex Chernyakhovsky <achernya@mit.edu>, Lizhou Sha <slz@mit.edu>,
debathena@mit.edu
On Thu, Jan 11, 2024 at 11:45 PM Geoffrey Thomas <geofft@ldpreload.com> wrote:
> OK so is someone migrating this account to 2FA with a TOTP secret stored
> somewhere?
>
> I'm happy to do it and put the TOTP secret in AFS - but neither the
> password in /mit/debathena/Private/athena-github-sync nor the one in
> drugstore:/git/athena/private/github-password seem to work for me. Anyone
> know where the current password is, before I do a password reset?
>
I think this password being out of sync matches my recollection, and we
should reset it and update both these files. I think I ran into this "at
some point recently-ish" but don't remember dealing.
>
> I can instead put the secret on zulu or drugstore with a backup in my
> personal password manager if anyone feels like AFS (+ normal AFS backups)
> is not a good place for it.
>
If the plaintext password is in AFS I think putting the TOTP secret next to
it is honestly no worse than our previous state.
>
> On a side note:
> - AFS on zulu seems to be wedged, which is blocking login because we do an
> aklog (you can Ctrl-C it). Any harm in rebooting the box? (Do I need to
> coordinate with ops or whatever the equivalent team is now to set
> monitoring downtime?)
>
I believe a reboot is totally fine without coordination.
> - athenasnap@drugstore's shell is tcsh?? There looks to be meaningful
> stuff in .bash_history, can we change this?
>
I believe this is puppet managed and we'd need to ask Ops. I have no
objection to it being bash.
>
> --
> Geoffrey Thomas
> geofft@ldpreload.com
>
> On Tue, Dec 5, 2023, at 9:19 PM, Alex Chernyakhovsky wrote:
>
>
>
> On Tue, Dec 5, 2023 at 8:52 PM Geoffrey Thomas <geofft@ldpreload.com> wrote:
>
>
> Ah, right, deploy keys can write these days, but you have to set them up
> per-repository, and you can't use the same SSH key for multiple
> repositories, which is maybe annoying. (Or maybe scriptable.)
>
> I *think* you can create a GitHub App, store the private key on
> drugstore, and on each hook call, sign a JWT with that private key and use
> that to get a short-lived "installation access token", which you can then
> use as a password for git+https with username "x-access-token":
> https://docs.github.com/en/authentication/connecting-to-github-with-ssh/managing-deploy-keys#github-app-installation-access-tokens
> You can simplify this by installing a Git credential helper and pointing it
> at the private key. Looks like there are a few implementations of this
> already, e.g. https://github.com/Avinode/git-credential-github-apps and
> https://github.com/uw-ipd/git-credential-github-app-auth.
>
> <insert the infamous mongodb comic strip>
> There's no way that's better than just storing the TOTP credentials for
> this user in some backup-enabled storage. We barely are succeeding in doing
> the debathena development we're paid^Wvolunteering to do, let alone manage
> the infrastructure to manage a github app we barely use.
>
>
>
> But that GitHub docs page also talks about machine users in the next
> section, so that makes it sound like it's reasonable to keep the machine
> user approach.
>
> There's a handful of easy ways to do TOTP from the command line e.g.
> https://github.com/pyauth/pyotp so we could keep the seed on disk (on
> drugstore or demeter or even AFS) for whenever someone needs to log in
> interactively.
>
> --
> Geoffrey Thomas
> geofft@ldpreload.com
>
> On Tue, Dec 5, 2023, at 6:57 PM, Lizhou Sha wrote:
>
> I thought this is the account that is used by Debathena git repo hooks to
> push from local copy to GitHub. I don't think GHA is appropriate in this
> case.
>
> We can however explore whether we can use GitHub action to perform the
> pre-commit hooks for validation.
>
> OAuth token is certainly a possibility, but doesn't it still require an
> account to issue those tokens in the first place?
>
>
> I like the idea of keeping the TOTP token on the build host or the
> Debathena git repo host (drug-store?). We can even keep it in a KeePass
> database, as KeePassXC comes with built-in TOTP capabilities. (Problem: are
> we comfortable installing KeePassXC on the repo host and allowing
> X-Forwarding??? Or is there a command line thing that can do TOTP?)
>
> Best,
> Lizhou
>
> On Tue, Dec 5, 2023 at 5:19 PM Geoffrey Thomas <geofft@ldpreload.com> wrote:
>
>
> GitHub has pretty good support these days for automation through GitHub
> Actions and OAuth tokens and such, without needing an actual account. What
> is this account doing / can we migrate it to GHA?
>
> --
> Geoffrey Thomas
> geofft@ldpreload.com
>
> On Tue, Dec 5, 2023, at 5:39 PM, Lizhou Sha wrote:
>
> What do?
>
> ---------- Forwarded message ---------
> From: *GitHub* <noreply@github.com>
> Date: Tue, Dec 5, 2023 at 2:21 PM
> Subject: [ACTION REQUIRED] Your GitHub account, athena-github-sync, will
> soon require 2FA
> To: Athena Github Synchronization Robot <athena-github-sync@mit.edu>
>
>
> Hey athena-github-sync!
>
>
> We're reaching out to let you know that, as announced last year, we have
> officially begun requiring users who contribute code on GitHub.com to have
> two-factor authentication (2FA) enabled.
>
> Your account meets this criteria, and you will need to enroll in 2FA
> within 45 days, by January 19th, 2024 at 00:00 (UTC). After this date, your
> access to GitHub.com will be limited until you enroll in 2FA. Enrolling is
> easy, and we support several options, starting with TOTP apps and text
> messages (SMS) and then adding on passkeys and the GitHub Mobile app.
>
> Click here to enroll in 2FA
> <https://github.com/settings/two_factor_authentication/setup/intro>.
>
> Making the software supply chain more secure is a team effort, and we
> can't do it without you. Your enrollment in 2FA is an impactful step in
> keeping the world's software secure. If you want to learn more about this
> change, please take a look at our documentation about the program
> <https://docs.github.com/authentication/securing-your-account-with-two-factor-authentication-2fa>.
>
> To see this and other security events for your account, visit your
> account security audit log. <https://github.com/settings/security-log>
>
> If you run into problems, please contact support by visiting the GitHub
> support page. <https://github.com/contact>
>
>
> Thanks,
> The GitHub Team
>
>
>
>
>
> --
> Lizhou Sha
> Class of 2018
>
>
>
>
> --
> Lizhou Sha
> Class of 2018
>
>
>
>