git do it right + SSH to linux server

Costas

Administrator
Staff member
Beginning August 13, 2021, GitHub will no longer accept account passwords when authenticating Git operations and will require the use of token-based authentication. ref


clean up previous configuration

the removal process described is for minimal/portable versions; if you used the complete (installer) version, please uninstall it from Control Panel and check the locations described below.

JavaScript:
%USERPROFILE%

delete any .git*.* file; you may want to back up any customization done in .gitconfig first, for example
JavaScript:
[core]
    editor = 'C:/Program Files/notepad/notepad++.exe' -multiInst -notabbar -nosession -noPlugin
[init]
    defaultBranch = main


go to Control Panel > Credentials Manager > Windows Credentials
remove anything that has to do with git

go to Control Panel > Advanced system settings > Advanced > Environment Variables
remove the existing git path from the path variable.


install the new

1-
download MinGit-2.32.0-busybox-64-bit.zip from
https://github.com/git-for-windows/git/releases/tag/v2.32.0.windows.1

2-
extract it to c:\git

3-
go to Control Panel > Advanced system settings > Advanced > Environment Variables
add to path variable the c:\git\cmd.

4-
set the needed git configuration (it is written to %USERPROFILE%\.gitconfig)
JavaScript:
git config --global user.email "test@microsoft.com"
git config --global user.name "test"

5-
go to a temp folder, and clone a repo of yours, ex.
JavaScript:
git clone https://github.com/pipiscrew/bootstrap-selector.git

alter a file, then try commit & push ex.
JavaScript:
git add .
git commit -m "test"

REM please make sure a branch named main exists; it may be master or whatever you called it when you created it. Copy the HEAD BRANCH property shown by:
REM git remote show origin

git push -u origin main

6-
choose Personal access token; afterwards it will prompt you to enter the token you generated in your GitHub account settings.

7-
what happened now (?), at

JavaScript:
%USERPROFILE%

is only the .gitconfig

at Control Panel > Credentials Manager > Windows Credentials, an entry was added


if you are behind a firewall, whitelist:
JavaScript:
git\mingw64\libexec\git-core\git-credential-manager.exe
git\mingw64\bin\git-http-fetch.exe
git\mingw64\bin\git-http-push.exe
git\mingw64\bin\git-remote-https.exe
git\usr\bin\sh.exe






Exclude

Github - A collection of .gitignore templates - https://github.com/github/gitignore

csharp .gitignore
JavaScript:
# git ls-files --others --exclude-from=.git/info/exclude
# Lines that start with '#' are comments.
# For a project mostly in C, the following would be a good set of
# exclude patterns (uncomment them if you want to use them):
# *.[oa]
# *~
# User-specific files
*.snk
*.suo
*.user
*.sln
*.dll
*.rar
*.zip

# Build results
[Bb]in/
[Oo]bj/


# Windows image file caches
Thumbs.db
Desktop.ini

# Recycle Bin used on file shares
$RECYCLE.BIN/
**/.vs
**/*-.lock.json
*.nugetreferenceswitcher
dist/

--

you can define .gitignore in three different ways

1-
Add a .gitignore to your commit (so it will be available on the branch) if you stage it.

2-
In each repository there is a folder named .git
inside there, there is a file called exclude

JavaScript:
.git\info\exclude

There you can define the ignore rules as in .gitignore.

3-
Put .gitignore for global use, execute

JavaScript:
git config --global core.excludesfile "%USERPROFILE%\.gitignore"

This will result in an entry in your .gitconfig
JavaScript:
[core]
    excludesfile = {path-to-home-dir}/.gitignore
 

Costas

in general and git SSH

the rule - server has the public key, client has the private key

So you have a key pair generated by PuTTY, you want to use it for a git SSH connection, and you are getting

Permission denied (publickey)

Open the PUTTYGEN.EXE and import the private key, then Conversions > Export OpenSSH key.

Copy the OpenSSH (private) key file we generated above to this folder
%userprofile%/.ssh/
with filename (yes without extension)
id_rsa

go and clone the repo, all will be fine.



To generate a keypair you can use
PuTTY
or the Windows 10 built-in (OpenSSH suite)
C:\Windows\System32\OpenSSH\ssh-keygen.exe

OpenSSH supports SSH certificates, a step up from public key authentication.

OpenSSH is the de facto standard implementation of the SSH protocol. If PuTTY and OpenSSH differ, PuTTY is the one that's incompatible.

They both store an "RSA key pair for version 2 of the SSH protocol" and can be converted interchangeably; source

(screenshot: importing a key from ssh-keygen into PuTTY)



The problem comes when you have to authenticate to multiple hosts... In short:
create %userprofile%/.ssh/config

(for safety, put the private keys in a different place, not in the .ssh folder!!)

Code:
Host 10.0.0.65
HostName 10.0.0.65
User tesla
IdentityFile C:\xx\hi.bmp
IdentitiesOnly yes

Host git.com
HostName git.com
User habanero
IdentityFile C:\xx\test_git.txt
IdentitiesOnly yes

and adjust as needed.

reference :
https://www.fearofoblivion.com/Using-ssh-with-multiple-identities
https://gist.github.com/oanhnn/80a89405ab9023894df7
youtube.com/watch?v=jJ_NDOm7WKk
https://jadaptive.com/openssh-certificate-cheat-sheet/
If you’re not using (OpenSSH) SSH certificates you’re doing SSH wrong
https://serverfault.com/a/198691
Generating a new SSH key and adding it to the ssh-agent - never liked agents..
 

Costas

using PuTTY to generate key pair and use it on server

(screenshot: PuTTY Key Generator window; the numbers [1] to [6] below refer to its controls)

When the user clicks Generate [1], a public key appears in textbox [2]; the user has to save the
[4] private key (aka id_rsa, for PuTTY id_rsa.ppk)
[3] public key (aka id_rsa.pub, for PuTTY id_rsa_pub.ppk)

[6] always use >= 2048

The private key is held by the user and the public key goes to the server.

The public key on textbox [2] is :
Code:
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDXKjN+ssfUhm7p0ayNmyEFf8pI2bUlzolk58yA/5jRVN7zj7mBeiBxpNh222/5D9icoZWv62qKxlhPUAc5s8sbX6jlCv4TKv83pG+tSw+3GCB9cpD2WYatrKEHKAkfI+2vY9WBF32jZQ43x8/fBstfqG7UXOnuz0q1ZlWWyIkFu0hM1n/1i50Mp2EOG4my+RThPLTqlb850Qlxn2YOJ9KoNRNJUE4cixURTlWrkqr2zqf1mG5zBtcRifCTB0+OfJHgEwu06fCuGjsFjBsFrekPq08xCrRwXAv8YnDI5C230A6J0MP81UB11oS+Xno6TNNbQ8Gh+xUohyDM8NmWG9Lj rsa-key-20221105

while the raw id_rsa.pub is :
Code:
---- BEGIN SSH2 PUBLIC KEY ----
Comment: "rsa-key-20221105"
AAAAB3NzaC1yc2EAAAADAQABAAABAQDXKjN+ssfUhm7p0ayNmyEFf8pI2bUlzolk
58yA/5jRVN7zj7mBeiBxpNh222/5D9icoZWv62qKxlhPUAc5s8sbX6jlCv4TKv83
pG+tSw+3GCB9cpD2WYatrKEHKAkfI+2vY9WBF32jZQ43x8/fBstfqG7UXOnuz0q1
ZlWWyIkFu0hM1n/1i50Mp2EOG4my+RThPLTqlb850Qlxn2YOJ9KoNRNJUE4cixUR
TlWrkqr2zqf1mG5zBtcRifCTB0+OfJHgEwu06fCuGjsFjBsFrekPq08xCrRwXAv8
YnDI5C230A6J0MP81UB11oS+Xno6TNNbQ8Gh+xUohyDM8NmWG9Lj
---- END SSH2 PUBLIC KEY ----

comparison of the textbox public key [2] vs the public key file [3]


the key is the same in both cases; the only change is the prefix and suffix
required.

the tail is not required:
rsa-key-20221105

on the server side the user logs in with their system password and sets the public key:
Bash:
#creates the folder (run as the user who will log in, so ~ is that user's home directory)
mkdir -p ~/.ssh

#creates the authorized_keys and gives the needed permissions
cd ~/.ssh
touch authorized_keys
chmod 600 authorized_keys

#check the permissions
ls -al
#-rw-------

#copy the putty textbox [2] to authorized_keys file & save (the file is owned by the user, so no sudo is needed)
nano authorized_keys

using PUTTY.EXE
treeview -> on Session, add the server IP + port
treeview -> on Connection > SSH > Auth > Credentials > Private key for authentication > browse and select the private key generated by PuTTY [4]

lastly, clicking 'Open' logs in to the server without entering any password.

in case the user defined a passphrase [5] in PuTTY, they will still have to enter it. The passphrase encrypts the private key; they are two separate factors of authentication.

if for any reason we have a PuTTY private key and need to generate an OpenSSH-compatible one, we load the private key into PuTTYgen and go to Conversions > Export OpenSSH key.


generation of key pair with ssh-keygen

the ssh*.exe (OpenSSH suite) comes with Windows 10 by default in C:\Windows\System32\OpenSSH\

ssh-keygen.exe

and complete the steps

by default exports to
%userprofile%/.ssh/

let's see the public key


aha, ready to use on the server... as some said

OpenSSH is the de facto standard implementation of the SSH protocol. If PuTTY and OpenSSH differ, PuTTY is the one that's incompatible.

automate login

using PuTTY to connect to the server needs two inputs

1 ) login name

this can be adjusted under Connection > Data > Auto-login username

2) passphrase ( if you have )

we have to use PAGEANT.EXE, which comes with PuTTY; create a shortcut like
PAGEANT.EXE c:\private.ppk

and add it to run on Windows startup, then in PuTTY.exe make sure you have checked Connection > SSH > Auth > Attempt authentication using Pageant

it will ask for the password once, then never again for this Windows session...

ssh-agent (OpenSSH suite) does the same. Which one to use (?) depends on how you connect to the server.

Also you can check mRemoteNG which underneath uses PuTTY.

Integrating MRemoteNG With PuTTY
Setup mRemoteNG for AWS ssh access
Opening SSH to AWS-hosted Linux servers via mRemoteNG
Easily setup PuTTY SSH keys for passwordless logins using Pageant
OpenSSH for Windows

alternative
SuperPutty - is a frontend for PuTTY (requires PuTTY.exe)
KiTTY
bitvise - large setup, has an input for the passphrase, not tested


simple generation of key pair with ssh-keygen and set public key to server

the ssh*.exe (OpenSSH suite) coming with windows10 by default to C:\Windows\System32\OpenSSH\
  1. on the Windows side, ensure there are no files in %userprofile%/.ssh/
  2. open cmd and execute ssh-keygen, press Enter, do not set a passphrase. This will generate
    • id_rsa (private key)
    • id_rsa.pub (public key)
  3. open the id_rsa.pub to a text editor copy to clipboard the content as is
  4. connect to raspberry using the default password ( aka ssh -l root 192.168.1.155 )
execute
Bash:
mkdir -p ~/.ssh
echo "your_copied_public_key" >> ~/.ssh/authorized_keys
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys
exit

then you can connect from Windows without entering any password as




Windows 10 OpenSSH Equivalent of ssh-copy-id

Bash:
#https://chrisjhart.com/Windows-10-ssh-copy-id/
#sample1
type $env:USERPROFILE\.ssh\id_rsa.pub | ssh 192.168.30.31 "cat >> .ssh/authorized_keys"
#sample2
type C:\x\id_rsa.pub | ssh 192.168.xxx.xxx "cat >> .ssh/authorized_keys"

a key pair generated with ssh-keygen is not compatible when trying to connect with PuTTY. The user has to convert the ssh-keygen private key with PUTTYGEN.EXE > Conversions > Import Key

save the private key. The public key generated by ssh-keygen is already on the server (using the above PowerShell command), and with the converted private key it is working...

to sum up :
public key used on server (.ssh/authorized_keys) = has to be in (OpenSSH) ssh-keygen format
private key used for PuTTY connection = must be in PUTTYGEN format
private key used for git etc. (aka %userprofile%/.ssh) = must be in (OpenSSH) ssh-keygen format

ps : WinSCP accepts only PUTTYGEN format ;)
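
The format rule summed up above, as an added example (not code from the original post): it converts PuTTYgen's saved public key file (the `---- BEGIN SSH2 PUBLIC KEY ----` form) into the one-line form that authorized_keys expects, then reports the key type, RSA modulus size (for the ">= 2048" advice) and SHA256 fingerprint. All function names are illustrative, and the sample key is built in code with a made-up modulus, so it is not a usable key.

```python
import base64
import hashlib
import struct

BEGIN, END = "---- BEGIN SSH2 PUBLIC KEY ----", "---- END SSH2 PUBLIC KEY ----"

def read_field(blob, off):  # one SSH wire field: uint32 length, then that many bytes
    (size,) = struct.unpack(">I", blob[off:off + 4])
    return blob[off + 4:off + 4 + size], off + 4 + size

def rfc4716_to_openssh(text):
    """Turn a PuTTYgen 'Save public key' file into one authorized_keys line."""
    rows = [r.strip() for r in text.strip().splitlines()]
    if rows[0] != BEGIN or rows[-1] != END:
        raise ValueError("not an SSH2 (RFC 4716) public key file")
    comment, b64, body = "", [], iter(rows[1:-1])
    for row in body:
        if ":" not in row:              # base64 rows never contain ':'
            b64.append(row)
            continue
        while row.endswith("\\"):       # header value continued on the next line
            row = row[:-1] + next(body)
        tag, value = row.split(":", 1)
        if tag.lower() == "comment":
            comment = value.strip().strip('"')
    blob = base64.b64decode("".join(b64), validate=True)
    return f"{read_field(blob, 0)[0].decode()} {base64.b64encode(blob).decode()} {comment}".strip()

def describe(line):  # key type, RSA modulus bits and SHA256 fingerprint of one line
    key_type, b64 = line.split()[:2]
    blob = base64.b64decode(b64, validate=True)
    inner, off = read_field(blob, 0)
    if inner.decode() != key_type:
        raise ValueError("prefix does not match the key type inside the blob")
    bits = None
    if key_type == "ssh-rsa":           # blob layout: type, exponent e, modulus n
        _e, off = read_field(blob, off)
        bits = int.from_bytes(read_field(blob, off)[0], "big").bit_length()
    digest = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return {"type": key_type, "bits": bits, "fingerprint": "SHA256:" + digest}

def sample_rfc4716(bits, comment):  # constructed sample: made-up modulus, not a usable key
    def mpint(x):
        raw = x.to_bytes(x.bit_length() // 8 + 1, "big")   # leading zero keeps it positive
        return struct.pack(">I", len(raw)) + raw
    blob = struct.pack(">I", 7) + b"ssh-rsa" + mpint(65537) + mpint((1 << (bits - 1)) | 1)
    b64 = base64.b64encode(blob).decode()
    rows = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([BEGIN, f'Comment: "{comment}"', *rows, END])
```

The fingerprint has the same `SHA256:...` shape that `ssh-keygen -lf` prints, so the value can be compared on both the Windows client and the server before the line is trusted in authorized_keys.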
 

Costas

download & install git
https://github.com/git-for-windows/git/releases/download/v2.42.0.windows.2/Git-2.42.0.2-64-bit.exe
or visit https://git-scm.com/download/win

git bash provides an emulation layer for a Git command line experience. Bash is an acronym for Bourne Again Shell. You can use some bash commands in Windows in GitBash. Git Bash still runs on Windows and not the Linux kernel that is shipped as part of WSL.
* ref - https://stackoverflow.com/a/67743518
* How to install WSL2 (Windows Subsystem for Linux 2) on Windows 10
* can run bash scripts

*proxy
all of these enable a user-defined proxy only for the current session (git-bash / cmd / powershell); for a permanent one, use the Windows Control Panel internet proxy settings!!
Code:
# git-bash
export http_proxy="http://yourproxy:yourport/"
export https_proxy="http://yourproxy:yourport/"
 
# if you are on CMD the same can be achieved by  (again is only for current session)
SET HTTP_PROXY=http://yourproxy:yourport/
SET HTTPS_PROXY=http://yourproxy:yourport/
 
#if you are on powershell
$env:HTTP_PROXY="http://yourproxy:yourport/"
$env:HTTPS_PROXY="http://yourproxy:yourport/"

if you work for enterprises you will need this - Git Credential Manager

transcrypt (git bash required because it is a bash script)
home - https://github.com/elasticdog/transcrypt/releases

A script to configure transparent encryption of sensitive files stored in a Git repository. Files that you choose will be automatically encrypted when you commit them, and automatically decrypted when you check them out. The process will degrade gracefully, so even people without your encryption password can safely commit changes to the repository's non-encrypted files.

Transcrypt protects your data when it's pushed to remotes that you may not directly control (e.g. GitHub, Dropbox clones, etc.), while still allowing you to work normally on your local working copy. You can conveniently store things like passwords and private keys within your repository and not have to share them with your entire team or complicate your workflow. source

installation :
* download it, then from the archive copy the bash script "transcrypt" file to the git dir, into the folder "git/cmd" (because this folder is already in the PATH)

use :
* when you are at the local repo root, which contains the plain passwords, use
(setup once) transcrypt -c aes-256-cbc -p 'yourpassword'
this secures any file that has the extension *.key (any *.key file will be committed encrypted).
create .gitattributes edit to have
//* text=auto
(manual) declarative protect

alternatives :
transcrypt is in the same vein as existing projects like git-crypt and git-encrypt
Secrets OPerationS - YAML, JSON, ENV, INI and BINARY formats and encrypts with AWS KMS, GCP KMS, Azure Key Vault, age, and PGP
blackbox - store secrets in Git/Mercurial/Subversion
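
A check for the transcrypt setup described above, as an added example (not transcrypt's own code): it reads a .gitattributes file and flags files that carry the crypt filter but whose stored content is not ciphertext, plus sensitive-looking files that no rule covers. It assumes transcrypt's `filter=crypt` attribute and that ciphertext is stored as base64 OpenSSL salted output (which begins with `U2FsdGVk`); the function names, paths and contents are constructed for illustration.

```python
import base64
from fnmatch import fnmatchcase

# base64 of OpenSSL's "Salted__" header starts with these bytes (b"U2FsdGVk").
SALTED = base64.b64encode(b"Salted")

def crypt_patterns(gitattributes_text):
    """Path patterns that carry filter=crypt in a .gitattributes file."""
    patterns = []
    for raw in gitattributes_text.splitlines():
        fields = raw.split()
        if fields and not fields[0].startswith("#") and "filter=crypt" in fields[1:]:
            patterns.append(fields[0])
    return patterns

def matches(path, pattern):
    # Simplified gitattributes matching: a pattern without '/' is tested on the basename.
    target = path if "/" in pattern else path.rsplit("/", 1)[-1]
    return fnmatchcase(target, pattern)

def audit(gitattributes_text, stored, sensitive=("*.key", "*.pem")):
    """stored maps path -> bytes exactly as they would land in the repository."""
    patterns = crypt_patterns(gitattributes_text)
    findings = []
    for path, blob in sorted(stored.items()):
        if any(matches(path, p) for p in patterns):
            if not blob.startswith(SALTED):
                findings.append((path, "has filter=crypt but is stored in plaintext"))
        elif any(matches(path, g) for g in sensitive):
            findings.append((path, "looks sensitive but no filter=crypt rule covers it"))
    return findings

# Constructed sample input (not from a real repository).
SAMPLE_ATTRS = "# secrets\n*.key filter=crypt diff=crypt merge=crypt\n"
SAMPLE_STORED = {
    "config/db.key": b"U2FsdGVkX1+constructed-ciphertext\n",
    "deploy/api.key": b"password=example-only\n",
    "certs/server.pem": b"constructed PEM placeholder\n",
    "README.md": b"# docs\n",
}

if __name__ == "__main__":
    for path, problem in audit(SAMPLE_ATTRS, SAMPLE_STORED):
        print(f"{path}: {problem}")
```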
 