Github deprecating passwords?
I received some emails related to new authentication requirements when working on my Github projects after the holidays.
It’s odd because my workflow involves Github Desktop cloning with Pycharm opening the project through the clone. I can commit and push from within Pycharm but I don’t have GitHub credentials in it. It doesn’t look like I got these emails because of my specific development process.
The documentation specifically says GitHub Desktop is unaffected since it doesn’t prompt for SMS two-factor authentication. This is because Oauth and Tokens are used in place.
Why do this?
If you follow Github's blog you'll recognize their goal of eliminating password use from 2019. Unfortunately tokens are another form of password so I'm not sure if this is really progress or just a step along the path to fully eliminating them. The difference is extensive: passwords give you blanket full access to your account and all repos but a token can be restricted to certain functions and exposure, like only accessing repos for example. This is certainly progress overall but it doesn't quite eliminate password use.
LARG*feed?
My main honeypot project is public so downloading is unauthenticated and therefore should be unaffected. However my threat feed project is private so is likely the inspiration for Github’s emails.
The problem is my private repository for the threat feed server backend. The development process is fine but downloading updates to LARG*feed needs to change. On the LARG*feed server I need to update the git origin URL:
git remote set-url origin git@github.com:tbiens/largfeed.git
I didn’t have SSH keys generated either so that’s an easy fix:
ssh-keygen -t rsa
Now I can grab a copy of id_rsa.pub contents from the Github repo settings -> deploy keys
I set up a new deploy key as read-only and put my SSH public key there.
When I run git pull on the LARG*feed server it now pulls via SSH RSA keys instead of using password-based authentication. Hopefully this is all I need to do.
LARG*feed
If you’re curious what about the recent updates I added a whitelist preventing any of our own addresses, Microsoft’s subnets, Google’s 172.217.0.0/16 subnet, and the DNS TLD servers. This way we never have these being added to the list. Immediately preventing future spoofing problems.
The current database contains 482,657 unique IPs that have attacked LARG*net since the beginning of the project. The current threat feed has 82,404 unique IPs and each is blocked with high confidence.