Handling github tokens more easily and securely

12 views
Skip to first unread message

Big Bad Bob

unread,
Jan 25, 2021, 4:02:56 PM1/25/21
to
My hack for this post is simple: a way to conveniently handle github
tokens.

Github is about to change their policies to REQUIRE you to use an
alphabet soup generated token in lieu of passwords that are easy to
remember.

Rather than encourage good security practices, like using easy to
remember yet difficult to brute-furce "correct+horse-battery/staple"
kinds of pass PHRASES, you must NOW generate one of many tokens and
assign permissions to it.

OK if i could use multiple PASS PHRASES like that it would be
convenient, especially if you could assign it to specific repos. Then
saving it on a customer machine wouldn't be an issue.

HOWEVER... since I use my _own_ github ID for a lot more than "just my
own stuff" (like being able to get/update source for a customer's
private github repo) it is highly likely that I'll be using "machines
that are not mine" to make updates with.

So I realy need an easy way to do this.

However, I came up with something rather fun, using a standard simple
encryption program [in this case one that I wrote]

In essence, you first create an encrypted file containing your thing
with a symmetrial key, generated by a pass phrase. The FreeBSD 'crypt'
or 'enigma' utility can do this, but these aren't available on the Linux
distros that I use...

Not to worry, I have my _OWN_ utility which I'm about to go open source
with (free to copy, use, plagiarize, whatever) as soon as I finish
tweeking some of the features and doing some code cleanup. It's not as
good as existing encryption algorithms, but it _IS_ different. It isn't
likely to EVAR have a back door capability, either.

I did consider gpg and openssl, but these seem to be WAY too complicated
to set up a simple "prompt me for a pass phrase" decrypt of stdin to stdout.

In short, you must FIRST create the encrypted file. I'll use my
application as an example.

sftcrypt -P >~/encrypted.github.data

then you type in or paste the key and use CTRL+D for 'end of file'

This program will prompt you for a pass phrase, hash it, and use that as
hash as a 128-bit symmetric key to encrypt the data with. It's an
imperfect hash, though, so you should have a reasonably long pass phrase
to avoid too many key bits being guessable. >16 chars is good enough I
think.

Next you would set up a shell script, something like this:

#!/bin/sh
sftcrypt -d -P < ~/encrypted.github.data | xclip -selection clipboard

OK you'll have to install 'xclip' too - it's an X11 standard application
that lets you use the command line to assign text to the X11 clipoard.

Then, whenever you need your key, run this shell script, and it gets
pasted to the clipboard without writing it visibly or to a file.

[yes this is considerably more secure, and copy/pasta to a clipboard is
almost MANDATORY for these github alphabet soup tokens]

Until they gain a level of "clue" over at github, this should get you
past the MAJOR inconvenience of clipping the pass phrase from a secure
application, or [WORSE] from a PLAIN TEXT FILE. Ew.


This took quite a bit of effort, updating my encryption program and
fixing any bugs in it that were caused by differences between clang and
gcc [no joke this happened, probaly qsort] but also improving it, giving
it the ability to prompt, and then making sure it works on an RPi as
well as amd64 Linux.


For those running FreeBSD, do a 'man crypt' and you'll see the 'crypt'
application's information. it is possible you can use this in lieu of
my encryption program. Or, you can use a different one. It just needs
to be able to prompt for a pass phrase, and read from stdin, and write
to stdout, using a symmetric key generated from the pass phrase.

[alternately use gpg and password protect your key store, but that's too
complicated for me to think about right now, heh]


additional OBhack, in case that wasn't enough:

building an antenna coil using popsicle sticks, aka "craft sticks". Had
some in a box laying around, needed to wind an antenna inductor for a
WWVB receiver I'm trying to build. With 4 thumbtacks, 4 popsicle
sticks, and several feet of wire wrap wire I initially did 10 turns
around the corners and managed 30 microhenries, which pretty closely
resonates with the 60Khz carrier with a 0.22 uF capacitor across it. I
cheated and used two 0.47uFs in series since I have a lot of them, but
it's still pretty close and the bandwidth wide enough on the input to
handle it. Downside, it picks up a LOT of noise, but the front end of a
receiver is typically like this anyway. I've managed to find some coil
forms and 28 gauge wire to build proper tunable inductors with, and this
ought to make things a bit better. Still am picking up more noise than
signal, with a gain of about 70db for RF. May need to go 'superhet' to
get this to work, although in this state I could actually use Op Amp
active filters.

In any case don't be afraid to wind your own inductors. if you have a
device that can measure them (found one a while back, a component tester
based on an AVR microcontroller, similar to something I wanted to do but
smaller and cheaper so I bought it) then you can experiment. Just
remember NOT to scramble-wind nor to wind back and forth - this screws
up the inductance big time. Wind one way, send wire to other end, wind
next layer same direction. Always. If you must, terminate each layer
and wire them up at the end so they're in series. In any case, the wire
isn't all that expensive and you may find that you CAN NOT FIND THE
RIGHT PARTS no matter how hard you look. I was lucky to find the
adjustable cores...

---

(aka 'Bombastic Bob' in case you wondered)

'Feeling with my fingers, and thinking with my brain' - me

'your story is so touching, but it sounds just like a lie'
"Straighten up and fly right"

Eli the Bearded

unread,
Jan 25, 2021, 6:36:24 PM1/25/21
to
In alt.hackers, Big Bad Bob <BigBadBob-at...@testing.local> wrote:
> Github is about to change their policies to REQUIRE you to use an
> alphabet soup generated token in lieu of passwords that are easy to
> remember.

I guess I had not been paying attention, because I had not heard that.

https://github.blog/2020-12-15-token-authentication-requirements-for-git-operations/

> HOWEVER... since I use my _own_ github ID for a lot more than "just my
> own stuff" (like being able to get/update source for a customer's
> private github repo) it is highly likely that I'll be using "machines
> that are not mine" to make updates with.

Accounts are free. Good practice to have multiple accounts. I have three
active ones now, $WORK, $RESUME, $PERSONAL, and at least three inactive
ones from previous jobs.

> So I realy need an easy way to do this.
>
> However, I came up with something rather fun, using a standard simple
> encryption program [in this case one that I wrote]

I've used vault (https://www.vaultproject.io) running in "dev" mode
as an in-memory password cache. Each reboot I need to restock it with
passwords from an encrypted file, then I can run a simple script to
copy them to my clipboard.

setpw:
#!/bin/sh
unset VAULT_CAPATH
export VAULT_ADDR=http://127.0.0.1:8200
printf "Enter password for $1: "
stty_orig=$(stty -g)
stty -echo
read value
stty $stty_orig
vault kv put secret/"$1" "value=$value"
if [ $? != 0 ] ; then
echo "is vault running?"
echo " vault server --dev &"
echo " export
VAULT_TOKEN=s.ZQVdL74r4gjtGNZNk21jhdqc # eg"
exit $?
fi

getpw:
#!/bin/sh
unset VAULT_CAPATH
export VAULT_ADDR=http://127.0.0.1:8200
vault kv get -field=value secret/"$1" | xclip -i
exit $?

The "unset VAULT_CAPATH" stuff was needed for me when I had a work
vault that required that varible.

It's helpful to store the entire shell command to set a password in
the encrypted file:

echo not-secret | setpw testentry
not-secret
if [ $? != 0 ] ; then
echo "WHOA! is vault running?"
exit $?
fi

echo 5ebe2294ecd0e0f08eab7690d2a6ee69 | setpw user
echo cd5c569173452f8438cf9bbe84d811fa | setpw root

If you want to pipe it so sh, or cut-n-paste lines. Standard bash
does not save lines that start with whitespace to history, hence
extra indent. Current $JOB has made it very easy for me to use a single
password for everything, so I haven't had that running lately. It was a
lifesaver about two jobs ago.

> I did consider gpg and openssl, but these seem to be WAY too complicated
> to set up a simple "prompt me for a pass phrase" decrypt of stdin to stdout.

While openssl has a crypt function, it is in fact a very poor encryption
and is not recommended.

> OK you'll have to install 'xclip' too - it's an X11 standard application
> that lets you use the command line to assign text to the X11 clipoard.

It's just so handy, isn't it?

> Until they gain a level of "clue" over at github, this should get you
> past the MAJOR inconvenience of clipping the pass phrase from a secure
> application, or [WORSE] from a PLAIN TEXT FILE. Ew.

I like my encrypted local files, but needing to decrypt frequently would
be a pain.

ObHack:
You can "decode" MD5 hashes by entering the hash string in a search
engine.

OkayForRealObHack:

I needed a strap of metal similar to the ones used in door bars:
_________
/ /|
/_______ / |
_____________| | | |________________
/ | / | / /
/ () () | / | / () () /
/_______________|/ |________________/

That's sized for a 2x2 nominal (1.5"x1.5") wood bar, with two fastening
screws on each side. I needed it to be fairly strong, so I couldn't just
pick some material I could easily bend by hand. I went with 1" x 1/8"
aluminum, and improvised a bending brake for this. In my 6" wide vise, I
put magnetic jaw inserts (these are widely sold[*]) for holding pipe that
have right angles, side view:

.-----._. ._.-----.
/___. | | .___\
| / \ |
| / \ |
| \ / |
| \ / |
`----' `----'

I initially tried using square rod (key stock) to mesh with that for
making a bend, similar to the bending brake vice inserts that are not
widely sold[**]. I found that didn't work well. What did work was having
the jaw inserts extend out of the side of the jaw and bending around
them.

https://i.imgur.com/kck38Sn.jpg

After that, drilling the holes to mount it was very easy.

I'm using it on the underside of my kitchen table with a piece of 2x2 to
help steady the fold up leaves. The table top was long ago raised an
extra inch and half above the skirt and legs, I don't know why, but I
suspect to give space for a pull out cutting board. I'm using that gap
to slide my 2x2 in, and the strap of metal to hold it fast to the center
board instead of just acting like a lever to pull the table top off of
the legs and skirt. Probably at the same someone modified it to be a
"grain bin table" with round bottom drawers at either end.

[*] Widely sold: available in my local hardware store.
[**] No widely sold: not available in my local hardware store.

Elijah
------
needed to use short screws to not go through the table top

Big Bad Bob

unread,
Jan 26, 2021, 5:17:34 PM1/26/21
to
On 2021-01-25 15:36, Eli the Bearded wrote:
>> However, I came up with something rather fun, using a standard simple
>> encryption program [in this case one that I wrote]
>
> I've used vault (https://www.vaultproject.io) running in "dev" mode
> as an in-memory password cache. Each reboot I need to restock it with
> passwords from an encrypted file, then I can run a simple script to
> copy them to my clipboard.
>

I just uploaded the 'sftcrypt' utility to github:
https://github.com/bombasticbob/SFTCrypt

Still not quite ready for windows, but cygwin should work ok.

It's very simple. Use 128 bit key to generate a unique set of
pseudo-random sequences, build a translation table. Then use CRC-like
methods to combine a window of bytes into a value to pick the output byte.

it's also extremely fast for very large data. Being a stream cipher you
won't have to pad it with anything, either.

>> I did consider gpg and openssl, but these seem to be WAY too complicated
>> to set up a simple "prompt me for a pass phrase" decrypt of stdin to stdout.
>
> While openssl has a crypt function, it is in fact a very poor encryption
> and is not recommended.

yes, but "something" is better than plain text.

>> OK you'll have to install 'xclip' too - it's an X11 standard application
>> that lets you use the command line to assign text to the X11 clipoard.
>
> It's just so handy, isn't it?

ack. FYI I used 'xclipboard' (related util) as sample code to write my
own clipboard stuff.

>> Until they gain a level of "clue" over at github, this should get you
>> past the MAJOR inconvenience of clipping the pass phrase from a secure
>> application, or [WORSE] from a PLAIN TEXT FILE. Ew.
>
> I like my encrypted local files, but needing to decrypt frequently would
> be a pain.

well, with github you can tell it to re-use the latest credentials and
have it time out after a period.

this sets it to 15 minutes:

git config credential.helper "cache --timeout=900"


ObHack: I once needed to make a test camera that could record eye
motion, to test software for a client (an optometrist). I had purchased
a USB camera that was about the same size as an empty toilet paper roll.
I inserted an led into it for illumination, put the camera on one end,
and a loupe on the other as a lense. With some hackish adjustments, I
was able to get clear eyeball pictures that were in focus. Later this
software was used in the real machine and went into clinical trials. It
never became a product, though. Not sure why.
Reply all
Reply to author
Forward
0 new messages