Very mixed feelings on GitHub’s recent approaches to security. Tighter security measures are great, but deprecating password authentication on git operations seems obtuse to me. What if I want to push a change from a machine that’s not mine and doesn’t have my registered SSH key on it? I don’t have a Yubikey or anything similar nor do I intend to get one in the foreseeable future.
I’m with you on this. How on earth are one-off login events supposed to work? I want nothing about me logging on to be stored on that device or account other than, for example, the code I download. Maybe I’m missing something but the search I just did suggested connecting my phone via bluetooth, which is also not an option.
I just got a repo token and do git add remote origin https://REPO_TOKEN@github.com/username/repo.git and say bye-bye to usernames and passwords. Easiest pushes and pulls ever with private, public or org repos.
But now you have the only credential, the REPO_TOKEN in plaintext in your .git/config file. That’s even worse.
Edit: typo
That’s how a lot of tools work. Your maven password is in .m2/settings.xml
Your ssh private key is in .ssh/id_rsa
The only person with access to these files should be you. If anyone else does then your machine is compromised
