Because otherwise I will need to set up a different way of logging in to authenticate on every computer. I’m using ssh for every git server. How do you authenticate, with a different access token for each git server in ~/.gitconfig?
How would they get my private key? I mean if they already have access to my private key on my computer then I have much bigger problems than them having access to the anyway public git repos.
Perhaps I’m misunderstanding the thread model you have, but isn’t ssh the standard way of accessing git repos because it is so much more secure compared to a username and password?
They can impersonate you and push code into the repos in your name with a high likelyhood of you not noticing it.
The typical hobby dev machine isn’t particularly secure and for sure less secure than the typical server. Accessing everything from there with a single key is a pretty gaping security hole IMHO.
There seems to be this common misconception that ssh keys are more secure than passwords, but that is only true when you use really weak passwords that you keep in your head instead of a password manager.
If you want to actually increase your security then you need to set up a second factor auth with a seperate device.
Edit: the security is essentially the same, but having one password every machine vs individual ssh keys seems like a huge advantage to me. Also ssh means you don’t ever accidentally allow read access that you don’t mean to.
Well, the situation in this case seems to be the exact opposite, i.e. reusing the same SSH key for multiple repos Vs. being easily able to have different passwords for different repos with a password-manager.
Why the need to push via ssh? I am genuinely wondering, since you can easily push without having that enabled at all.
That’s an odd question as ssh is very convenient and secure compared to https.
Convenient, yes. But if used like that quite insecure.
Oh, no. It’s more secure than https if done properly (i.e. backed by hardware key and/or a quality password) I’d say.
Because otherwise I will need to set up a different way of logging in to authenticate on every computer. I’m using ssh for every git server. How do you authenticate, with a different access token for each git server in ~/.gitconfig?
Ok, I understand that this is a bit inconvenient, but you can use a password manager for the required git push logins.
But you are not concerened that someone compromising your ssh keys gets full access to all your repos?
How would they get my private key? I mean if they already have access to my private key on my computer then I have much bigger problems than them having access to the anyway public git repos.
Perhaps I’m misunderstanding the thread model you have, but isn’t ssh the standard way of accessing git repos because it is so much more secure compared to a username and password?
They can impersonate you and push code into the repos in your name with a high likelyhood of you not noticing it.
The typical hobby dev machine isn’t particularly secure and for sure less secure than the typical server. Accessing everything from there with a single key is a pretty gaping security hole IMHO.
There seems to be this common misconception that ssh keys are more secure than passwords, but that is only true when you use really weak passwords that you keep in your head instead of a password manager.
If you want to actually increase your security then you need to set up a second factor auth with a seperate device.
Huh? ssh is much more secure than https.
Edit: the security is essentially the same, but having one password every machine vs individual ssh keys seems like a huge advantage to me. Also ssh means you don’t ever accidentally allow read access that you don’t mean to.
Well, the situation in this case seems to be the exact opposite, i.e. reusing the same SSH key for multiple repos Vs. being easily able to have different passwords for different repos with a password-manager.
How would you have different passwords for different repos?
On different forges, which is what OP was talking about.