Hub: Make "git push" work with 2FA

When you do git push, it's just regular git protocol stuff and hub doesn't do anything extra. I see you set up your repository clone URL over HTTPS, so that means you want username/password authentication instead of public key authentication via SSH. Of course, when you have 2FA enabled, your GitHub username & password is not enough to authenticate. You need to generate a Personal Access Token with the repo scope to use as "password" for your account for git push operations. Refer to GitHub help documentation for tips how to set this up.

I agree that this is what hub could help you do the first time when you set it up. Maybe in a future release it will help you set up your credential helper if you haven't done so yourself. Follow #464 for updates.

@mislav Too bad Google leads here instead of to the "GitHub help and documentation" you mentioned.

Maybe you should've posted a link.

@j3pic https://help.github.com/articles/creating-a-personal-access-token-for-the-command-line/

Yes, but: hub does interact with 2FA when running hub create so it's disconcerting that it does not do the same when running hub push

I'm not running hub. I'm using plain old git. In any case, my company's
DevOps team fixed my inability to push on our end.

On Sat, Apr 29, 2017 at 5:47 PM, ashander notifications@github.com wrote:

Yes, but: hub does interact with 2FA when running hub create so it's
disconcerting that it does not do the same when running hub push

—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
https://github.com/github/hub/issues/822#issuecomment-298203660, or mute
the thread
https://github.com/notifications/unsubscribe-auth/AZUmVjzLlzD8cElQPYHWWzDuK8vUmK7hks5r09owgaJpZM4DlGm5
.

@j3pic https://help.github.com/articles/creating-a-personal-access-token-for-the-command-line/

It would be nice if that link included a link to create your token.

You have to generate an access token and use the access token instead the password.
For example:
$ git clone https://github.com/username/repo.git
Username: your_username
Password: your_token

Doc: https://help.github.com/en/articles/creating-a-personal-access-token-for-the-command-line

Yes please make it SIMPLE to commit with 2 factor. It s nice to add more security, but if is getting more complicated less people will adopt it...

Maybe I could receive a SMS when I am pushing, just like It does when I have login on the web interface of github ?

I think that after username and password input, a third prompt should ask for sms-code or auth-code.
Keep It Simple please.

Too many check boxes, I want to just do a git push, which one should i check?

Ans: The repo check box (which will also check the four sub-check boxes)

It would also be better if someone could mention exactly _which scopes_ I need for 2FA.

So annoying. Github forced me to enable 2FA to be able to publish a Github Action. I wish I could have my simple auth back, but I can't (Unless I unpublish my github action... maybe)

"Invalid username or password" is not an accurate or helpful error message.

Token is too long to remember. It is quite trouble to push the codes now.

@tengerye I agree, I think that a solution here could be to accept also the password followed by OTP (Google Authenticator).

I'm under Windows and was experiencing this isssue as well. I tried the "Personal Access Token" and it worked; however, I found it a little bit complicated. Then I found a Credential Catcher helper app for windows:
https://github.com/Microsoft/Git-Credential-Manager-for-Windows/releases

It first ask for your user and password, then the authentication token. The app creates automatically a "Personal Access Token" for you. Then it will use it each time that you push your code.

I am having the same issue as well. It would be nice if a more convenient workflow of git push is available when 2FA is enabled.

Perhaps the first push fails but an SMS is sent at this time. Then the second push could use the SMS code as the password? Sounds a little bit hacky though.

+1

+1

As someone said, it should ask for 2FA after password to keep it simple like when logging into web.

I think that this issue should be reopened.

+1

+1
It took me a while to understand that I didn't type the wrong password.

I think that this issue should be reopened.

I second that.

This is annoying; I was kind of led to 2FA when I joined my current organization. I tried to undo 2FA (to push updates without hassle) and it says,

If you disable two-factor authentication for your personal account, you may lose access to organizations you belong to.

Is there a workaround? Getting a token or an SMS-OTP every time one wants to push updates is not what a developer would want.

This is not an intuitive workflow for authentication. We don't need an access token to log in online, why would I expect it to be different from the command line?

Not to mention the error message remote: Invalid username or password. fatal: Authentication failed gives no indication of the actual problem.

It is so annoying. I have now tokens, ssh keys, passwords, googleauthenticatorpasswords and everything but I cant push anything now. It worked like a charm until I changed repository for another project and this is taking even more time thant the time I spent on the project itself.
Why is it so complicated to make an inital commit on an empty reposiitory????

Not to mention that creating a "Personal Access Token" (which are essentially a password as GitHub tells in the docs), essentially defeats the purpose of 2FA.

In other words: why should we have 2FA for the web, but no 2FA for the command line?

Moreover, AFAIK it's easy for organization to ensure 2FA for the team members... but how about managing somehow their personal access tokens (PATs)? Can team members just create PATs and thus defeat all 2FA security controls?

You can switch to SSH authentication as opposed to HTTPS and use a ssh key to bypass having to type access token. Just follow these steps (linux).

1. Create a ssh key pair: https://docs.github.com/en/github/authenticating-to-github/generating-a-new-ssh-key-and-adding-it-to-the-ssh-agent#generating-a-new-ssh-key
2. Make sure the keys pair has correct permissions:
   sudo chmod 600 ~/.ssh/id_rsa
   sudo chmod 644 ~/.ssh/id_rsa.pub
3. Add the public key to your github account: https://docs.github.com/en/github/authenticating-to-github/adding-a-new-ssh-key-to-your-github-account
4. Test the connection: https://docs.github.com/en/github/authenticating-to-github/testing-your-ssh-connection
5. Update the repository's authentication method to ssh: https://docs.github.com/en/github/using-git/changing-a-remotes-url#switching-remote-urls-from-https-to-ssh
6. You can now use 'git push' and never have to enter access token or username.

You can switch to SSH authentication as opposed to HTTPS and use a ssh key to bypass having to type access token. Just follow these steps (linux).

...

6. You can now use 'git push' and never have to enter access token or username.

Corporate proxy my friend :smiley:

Hi everyone, this turned to be a more general thread about authenticating git with GitHub in different environments and as such I don't feel like it belongs here in the hub repo, even though various google searches seem to lead here. Thank you to everyone who contributed their workarounds and advice! 🙇

Hub does not handle _anything_ about git authentication, so setting this up is left as an exercise to the user based on their environment, network, corporate restrictions, and other factors. No one solution will fit everyone's case.

Most people will be able to solve their 2FA-related issues around git push/pull by following the instructions on https://docs.github.com/en/github/authenticating-to-github/creating-a-personal-access-token