Default to using public key authentication (if any public SSH key is registered) #153
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
dscho
force-pushed
the
limit-access-to-actor-auto
branch
from
f5aec9e
to
c4ad7c8
Compare
It is relatively easy to forget to limit access to the tmate session and accidentally make secrets accessible to anyone with an SSH client. Let's introduce a `limit-access-to-actor` mode that defaults to using SSH public keys registered with the actor's GitHub profile, if any, and fall back to using potentially unsafe tmate session that anybdy can connect to. This strikes a balance between security and ease of use. Signed-off-by: Johannes Schindelin <[email protected]>
The line shown by `action-tmate` with the `ssh` invocation assumes that either no public key authorization was enabled, or that there is only one private key present locally that `ssh` picks up by default. However, many developers use multiple, distinct private keys for distinct purposes, so that one compromised private key does not make _all_ of the hosts vulnerable that are accessible to the user. In such an instance, the private key must be specified explicitly via the `-i` option. The message shown by `action-tmate` is meant to be copy/paste'able, but for invocations requiring the `-i` option that is not true. We cannot _really_ make it completely copy/paste'able, but we can at least make it easier to copy/paste/edit the invocation. Signed-off-by: Johannes Schindelin <[email protected]>
dscho
force-pushed
the
limit-access-to-actor-auto
branch
from
c4ad7c8
to
4a5b6cf
Compare
It is very, very easy to start an action-tmate session and forgetting that secrets are made available that way that should be protected. For example, `actions/checkout` persists credentials by default, and if the tmate session is not secured, theoretically anybody could exfiltrate those credentials. Let's warn a lot louder about this and strongly encourage allowing authenticated access only. Signed-off-by: Johannes Schindelin <[email protected]>
Signed-off-by: Johannes Schindelin <[email protected]>
dscho
force-pushed
the
limit-access-to-actor-auto
branch
from
4a5b6cf
to
4d571a0
Compare
mxschmitt
approved these changes
Mar 15, 2023
|
Sounds like a new major version release candidate then. |
@mxschmitt Yes! Question is: how major. v4? Or could we say that, as semantic versioning goes, this only introduces new behavior, i.e. v3.15? |
|
Sorry for the late reply.
Fine for me as v3.15. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR intends to implement a less heavy-handed solution than suggested in #124: Instead of changing the default of
limit-access-to-actortotrue, it introduces a newautomode and makes that the new default. This mode will look for public SSH keys in the actor's GitHub profile, and use them if found, otherwise warn and continue without public key authentication.