Alternate GitHub Deployment Options Since New SSH Rules

Time:01-15

I've been using GitHub for a good while on private repos without issue until last week, when GitHub upped the minimum requirements on SSH encryption.

Thing is, I'm running an older copy of OpenSSH, on an older OS release, and TL;DR, I can't upgrade it to support the new standard (at least, not yet).

There are FTP actions available as an alternative, but apparently GitHub Actions don't use a consistent IP space and I can't lift 100% of IP restriction to make that go either (nor do I feel great about that, for obvious reasons).

Short-term (without just migrating everything), are there other options for keeping GitHub that I'm just overlooking?

CodePudding user response:

You could use a credential helper, if you can get it installed in your environment. The gh cli comes with one, but it's not a standalone binary so you may have issues getting it working in an older environment. There's also the Git Credential Manager. You can see full instructions for using these in GitHub's docs.

CodePudding user response:

You haven't specified what OS and OpenSSH version you're using, but if you're using OpenSSH 6.5 or newer, you can use an Ed25519 key (ssh-keygen -t ed25519) or if you're using OpenSSH 5.7 or newer, you can use an ECDSA key (ssh-keygen -t ecdsa). These will work for you if you got the message about using RSA keys with SHA-1.

However, if you're using something older, like OpenSSH 5.3 (say, because you're using CentOS 6), then you could try building the latest version of PuTTY and using that as your SSH client, which Git does support, via core.sshcommand or GIT_SSH_COMMAND.

You could also try using HTTPS with a token of some sort. GitHub has documentation about types of tokens you can use for automated deployments. However, that does require that you use a TLS library with support for TLS 1.2, which for OpenSSL, is 1.0.1 or later. The Git FAQ also explains how to use a credential helper to read from the environment. If you're on an OS like CentOS 5, which doesn't support TLS 1.2, then there really is no option, and you'll have to upgrade your system to a reasonably modern OS.

You should avoid FTP. FTP has a variety of functional problems, such as using different ports for a connection, and it also, due to implementation bugs, is extremely difficult to secure properly with TLS. As a result, it's not a secure way to transfer data, especially anything that you're planning to execute on your system.
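
The version thresholds from the answer above, turned into a check to run on the deploy host. This is an added example, not part of the original answers; the function names are made up here, and it assumes Git's HTTPS transport uses the OpenSSL that `openssl version` reports (libcurl may be linked against a different TLS library).

```shell
#!/bin/sh
# Added example: decide which option from the answer applies on this host.
# Thresholds are the answer's: OpenSSH 6.5 (Ed25519), OpenSSH 5.7 (ECDSA),
# OpenSSL 1.0.1 (TLS 1.2 for HTTPS with a token).

# ver_num "6.5" -> 60500, "1.0.1" -> 10001, "" -> 0 (digits and dots only)
ver_num() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ${1:-0} * 10000 + ${2:-0} * 100 + ${3:-0} ))
}

# ssh_key_type "<output of ssh -V>" -> ed25519 | ecdsa | none
ssh_key_type() {
    v=$(printf '%s\n' "$1" |
        sed -n 's/^OpenSSH_\([0-9][0-9]*\.[0-9][0-9]*\).*/\1/p')
    n=$(ver_num "$v")
    if [ "$n" -ge 60500 ]; then echo ed25519
    elif [ "$n" -ge 50700 ]; then echo ecdsa
    else echo none
    fi
}

# tls12_ok "<output of openssl version>": succeeds for OpenSSL 1.0.1 or later
tls12_ok() {
    v=$(printf '%s\n' "$1" |
        sed -n 's/^OpenSSL \([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p')
    [ "$(ver_num "$v")" -ge 10001 ]
}

# ssh -V writes its banner to stderr; a missing binary is treated as "too old".
banner=$(ssh -V 2>&1 || true)
ossl=$(openssl version 2>/dev/null || true)

kt=$(ssh_key_type "$banner")
if [ "$kt" != none ]; then
    echo "SSH: generate a new key with: ssh-keygen -t $kt"
else
    echo "SSH: client too old for Ed25519/ECDSA; point GIT_SSH_COMMAND at a newer client"
fi
if tls12_ok "$ossl"; then
    echo "HTTPS: TLS 1.2 available; a token plus a credential helper is an option"
else
    echo "HTTPS: no TLS 1.2 from this OpenSSL; HTTPS with a token will not work"
fi
```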
