-
Notifications
You must be signed in to change notification settings - Fork 17.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
x/wiki,cmd/go: document how to fetch private repos with Yubikey SSH authentication #49515
Comments
FYI: I currently have bypassed this by setting by env var
as hinted by the source here -> https://github.com/golang/go/blob/master/src/cmd/go/internal/get/get.go#L156 I think it should at least be added to the docs (or just changelog) to make it easier |
The The long-term solution for Yubikey authentication in particular might be to use the ssh |
That's a great point. Since all the private repos I'm using are based on the same auth, the thought had never crossed my mind, but I can see where this change came from. I think using the environment variable is a decent workaround for now, since it allows for using Yubikey SSH auth w/ Go 1.17 |
I did a bit more reading, and here's my suggestion (based on https://ldpreload.com/blog/ssh-control):
If you don't want to adjust your global
If you don't want to leave a connection open in the background indefinitely if you forget step (5), you could omit the Or:
|
@ckcr4lyf, please give the above a try and let me know if it works. (If so, perhaps I can add some more formal documentation on this configuration.) |
@bcmills , thanks so much for the response. I can confirm it works perfectly! I tested it with the latter option of a "temporary setup", and was able to fetch multiple private repos (for the same SSH auth) with no issues (including prompts). I tried the "permanent" solution w/ SSH config, and that also works great! I believe this is a viable solution, since it allows for secure SSH-auth (e.g. via Yubikey + pin) explicitly, which can further be terminated once the go operations are complete. Cheers, and thanks for the help (not sure if I should close the issue or not) |
Thanks for confirming! I'll leave this issue open for documentation — we certainly do want to support private repos that require two-factor authentication, and this setup and workflow is not trivial to figure out. |
here is a permalink to that line so it doesn't get lost when that file gets updated go/src/cmd/go/internal/get/get.go Line 156 in 0f3becf
|
@matloob, @samthanawalla: this issue should be a pretty straightforward writeup of the options discussed in #49515 (comment). |
From the changelog of Go 1.17, I see:
I use private repos with SSH and have correctly set up my
.netrc
and all. I use a yubikey with PIN for SSH authentication.Go 1.16 behavior
I try and get a lib / run
go mod vendor
, the git client will prompt me for my yubikey PIN in order to authenticate with the remote server, once I enter it correctly, it all works well. (EDIT: Probably the SSH client which git calls, but either way, it worked fine)Note: There are multiple prompts, I enter my pin for each one.
Go 1.17 behavior
I try and run go mod vendor or something, and it will fail with this:
I am 99% sure this is due to the change in Go 1.17 to disable "password prompts", since if I revert to Go 1.16 all works as expected.
I am able to use my Yubikey w/ PIN prompt for Git and other SSH stuff just fine. The changelog suggests using an ssh-agent for password-protected keys, but in my case, the key resides on my Yubikey, and I need to enter the pin in order to perform cryptographic operations with it. Since the key is not accessible, I cannot cache it within SSH agent. (Additionally, I do not want to cache my yubikey pin).
This change introduces in Go 1.17 seems like a nerf to security, since for SSH repos, it seems to force you to have an SSH key which is cached by ssh-agent.
If there is no way to disable this with a flag on my end or something, I think it should be reverted for Go 1.18, as @bcmills suggested it is being "given a try" in Go 1.17 - #44904 (comment)
The text was updated successfully, but these errors were encountered: