I use TFS for source control and when I use git command line from new machine, I need to save credentials manager manually. Otherwise, I receive "Authentication Failed"
Is there alternative than pre-defining credentials in credential manager?
Current case from CentOS 7:
The Git Credential Manager which is just used to provide security Git credential storage. It's ok to pre-defining credentials in credential manager.
However for macOS and Linux, instead of using credential manager,
We recommend using SSH keys to authenticate to Azure DevOps,
not a credential manager.
SSH public key authentication works with a pair of generated encryption keys. The public key is shared and used to encrypt messages. The private key is kept safe and secure on your system and is used to read messages encrypted with the public key.
More details please take a look at our official tutorial--Use SSH key authentication
Update
Besides, you could also use PAT token to access git repositories.
To authenticate with the PAT while using Git, you can use it as the password. The username can be anything, since your identity is identified with the PAT. For example:
Username: anything
Password:
Or:
git clone https://anything:<PAT>#dev.azure.com/yourOrgName/yourProjectName/_git/yourRepoName
More details please take a look at this link.
As for how to use PAT, you could refer this -- Authenticate access with personal access tokens
Note: This is only available with TFS2017 version and above. Besides, recommend you keep IIS Basic Authentication turned off when using Azure DevOps Server. When IIS Basic Authentication is enabled on your windows machine, it prevents you from using personal access tokens (PATs) as an authentication mechanism.
Related
As I read at Creating a personal access token
and Where to store the personal access token from GitHub? I understand that Git requires from the user on the local machine at first use to enter PAT and then stores it with Windows Credentials Manager if Windows or credentialStore for Linux/MacOS.
I created a Nodejs app that use nodegit(libgit2) to fetch or clone a git repository. For doing so, I need to provide a PAT. I tried to get the PAT from Windows Credentials Manager but couldn't find an npm package that works to do so.
What is the best practice to get the PAT for app use that use Git?
Should I get it as I said in the first paragraph from the local machine using Windows Credentials Manager or credentialStore, or should I prompt the user to enter the PAT once and save it? If so, how should I save it? It will be unsafe to save the PAT in plain text as is. And where the file which I'm saving the PAT should be located? C:/users/USER or in the repository directory and add the file to .gitignore?
Our corporate SFTP server uses combination of Key and User password for authentication. I am able to connect to SFTP using MobaXtern using private key as one of the setting and popup asked for user password.
However, in ADF V2 SFTP linked service , I don't see any option to provide password ( I can see ony pass phrase option) . The error I got is " No suitable authentication method found to complete authentication (password,keyboard-interactive)"
Where do you think I can provide password ?
error screenshot here
I think you are asking something similar to what is asked here .
https://social.msdn.microsoft.com/Forums/en-US/def80450-4b68-421b-81a6-b562cba6927c/data-factory-sftp-multifactor-authentication?forum=AzureDataFactory
At this time this scenario is not supported in ADF.
I have a case on my Ubuntu Linux 16.04 servers that I need your help with:
Current Scenario
A valid AD user logs in to the Ubuntu Linux server via SSH
That user adds his public key to ~/.ssh/authorized_keys for passwordless login
I disable/lock/delete the AD user to prevent him from logging in
The user was still able to login to the server, since his public key is still there!
Expected Scenario: If I disable/lock/delete a user's AD account (or his AD password expires), he shouldn't be able to login to any server with his AD account, even if his public key is installed there.
I have hundreds of servers, and it would be very difficult to track all the installed public keys.
Any solutions or workarounds for this without disabling PKI completely?
Note: I use PBIS Open to join my Linux servers to the AD domain.
The solution is to add this to /etc/ssh/sshd_config:
AuthenticationMethods "publickey,password" "publickey,keyboard-interactive"
This will require public key and then will ask the user to enter his AD password.
I am trying to implement 2FA for logins on my ubuntu machine to increase security alongside with an encrypted home folder. I've opted to use the google authenticator pam module as this also works offline. I've followed the documentation on google's GitHub repository https://github.com/google/google-authenticator/blob/f2db05c52884e4d6c3894f5fd2cf10f0f686aec2/libpam/README.md but it seems to me that you can easily by-pass the MFA as:
the settings are saved in a .google_authenticator file
the settings file contains your secret key that you can use to add the account to the google authenticator app to receive OTP tokens
the .google_authenticator file must sit outside of your encrypted folder as otherwise you can't login
therefore if you boot directly into a root shell (recovery). You can get the secret key from the file and thus bypass the second factor.
Therefore I have the following questions:
am I missing something in the google authenticator set-up?
are there any other solutions that would work offline and can not be so easily bypassed?
therefore if you boot directly into a root shell (recovery)
There is a reason for that, and the reason is as you mentioned above -> recovery.
So, you are not missing anything, except the scope of 2FA: yes it can be bypassed if you have direct access to the server, but it secures remote access (SSH) perfectly fine. Unfortunately there is no way to disallow that.
"Git" gurus, could you please help me in something
As far as I know, Git access could be manipulated through server user/group authentication. but is there is any way that I can use another access authentication regardless the OS server authentication?
I mean like SVN, Users only defined for SVN
You can use ssh, combined with Gitolite (an access control library in Perl, for Git): that will use the matching between ssh public key, and the username defined only for Gitolite.
See more at "How do programs like gitolite work?".
If you are using/installing Git hosting services like GitLab (ruby) or GitbLit (java), then the users can be defined in a dedicated database for those services.
In both cases, the user authentication doesn't rely on the OS.