481

git clone supports both HTTPS and SSH remote URLs. Which should I use? What are the advantages of each?

GitHub's docs don't make a recommendation either way. I recall in 2013 GitHub used to recommend SSH (archive link). Why was that?

2
  • 61
    Less configuration means easier, perhaps. Besides, some inferior operating systems don't even have SSH clients installed by default. Commented Jun 14, 2012 at 21:40
  • 1
    Enabling SSH connections over HTTPS if it is blocked by firewall: Test if SSH over the HTTPS port is possible, run this SSH command: $ ssh -T -p 443 git@ssh.github.com Hi username! You've successfully authenticated, but GitHub does not provide shell access. If that worked, great! If not, you may need to follow our troubleshooting guide. If you are able to SSH into git@ssh.github.com over port 443, you can override your SSH settings to force any connection to GitHub to run through that server and port. To set this in yo Commented Jan 18, 2018 at 5:18

7 Answers

301

GitHub have changed their recommendation several times (example).

It appears that they currently recommend HTTPS because it is the easiest to set up on the widest range of networks and platforms, and by users who are new to all this.

There is no inherent flaw in SSH (if there was they would disable it) -- in the links below, you will see that they still provide details about SSH connections too:

  1. HTTPS is less likely to be blocked by a firewall.

    https://docs.github.com/en/get-started/getting-started-with-git/about-remote-repositories#cloning-with-https-urls

    The https:// clone URLs are available on all repositories, regardless of visibility. https:// clone URLs work even if you are behind a firewall or proxy.

  2. An HTTPS connection allows credential.helper to cache your password.

    https://docs.github.com/en/get-started/quickstart/set-up-git#connecting-over-https-recommended

    If you clone with HTTPS, you can cache your GitHub credentials in Git using a credential helper. For more information, see "Cloning with HTTPS urls" and "Caching your GitHub credentials in Git."


14 Comments

Ah, so they recommend HTTPS simply so they don't have to document ssh-agent? Fair enough. Thanks!
@sarnold It probably has more to do with the volume of questions related to ssh-agent and public key management, and the number of corporate firewalls that allow outbound HTTP/HTTPS but not SSH.
I think that https makes it easier for people to get started since you don't have to do the whole generate/copy/paste ssh key business. Also it could be viewed as more secure from GitHub's perspective since an attacker who got your ssh password (or found a computer terminal you left open) would still have to know your GitHub password to push anything.
@kristi If the attacker finds that terminal before the password cache expires, wouldn't he still be able to push even if he doesn't know the password? The question is about the same if you use ssh-agent, the obvious difference being that you have to enter the password of the ssh key instead of your GitHub password (and there seems no obvious setting for cache expiration). The idea of entering the GitHub password instead of ssh key password seems a step backwards, albeit a small one since the power the two keys give you is about the same AFAIK.
I think it's almost entirely about reducing the volume of support queries they get. I suppose you could also argue that since you have to enter your password over HTTPS anyway to access the website, you can't be increasing security by using a different authentication mechanism (SSH keys), but feasibly you're increasing the attack surface which might decrease security. Still, both HTTPS and SSH should be adequately secure if used properly.
119

I assume HTTPS is recommended by GitHub for several reasons:

  1. It's simpler to access a repository from anywhere as you only need your account details (no SSH keys required) to write to the repository.

  2. HTTPS is a port that is open in all firewalls. SSH is not always open as a port for communication to external networks.

A GitHub repository is therefore more universally accessible using HTTPS than SSH.

In my view SSH keys are worth the little extra work in creating them:

  1. SSH Keys do not provide access to your GitHub account, so your account cannot be hijacked if your key is stolen.

  2. Using a strong keyphrase with your SSH key limits any misuse, even if your key gets stolen (after first breaking access protection to your computer account).

If your GitHub account credentials (username/password) are stolen, your GitHub password can be changed to block you from access and all your shared repositories can be quickly deleted.

If a private key is stolen, someone can do a force push of an empty repository and wipe out all change history for each repository you own, but cannot change anything in your GitHub account. It will be much easier to try recovery from this breach if you have access to your GitHub account.

My preference is to use SSH with a passphrase protected key. I have a different SSH key for each computer, so if that machine gets stolen or key compromised, I can quickly login to GitHub and delete that key to prevent unwanted access.

SSH can be tunneled over HTTPS if the network you are on blocks the SSH port.

https://help.github.com/articles/using-ssh-over-the-https-port/

If you use HTTPS, I would recommend adding two-factor authentication, to protect your account as well as your repositories.

If you use HTTPS with a tool (e.g. an editor), you should use a developer token from your GitHub account rather than cache username and password in that tool's configuration. A token would mitigate some of the potential risk of using HTTPS, as tokens can be configured for very specific access privileges and easily be revoked if that token is compromised.
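A check for the credential-handling point made in this answer, as an added example that is not part of the original post: it reads a git config and flags a secret embedded in a remote URL or a helper that writes credentials to disk unencrypted. The host, user, token, sample configs and the set of accepted helpers are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Helpers named on this page plus git's in-memory "cache"; treated as acceptable
# here, which is an assumption of this example.
RECOGNISED_HELPERS = {"cache", "osxkeychain", "wincred", "libsecret", "manager", "oauth"}

def parse_git_config(text):
    """Minimal git-config reader: {'section.subsection.key': [values]} (no includes or escapes)."""
    values, section = {}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r'\[([\w.-]+)(?:\s+"(.*)")?\]', line)
        if header:
            section = header.group(1).lower() + (f".{header.group(2)}" if header.group(2) else "")
            continue
        key, _, value = line.partition("=")
        values.setdefault(f"{section}.{key.strip().lower()}", []).append(value.strip())
    return values

def audit(text):
    """Return (key, finding) pairs for credential-handling problems in a git config."""
    findings = []
    for key, vals in parse_git_config(text).items():
        for val in vals:
            if key.startswith("remote.") and key.endswith(".url"):
                parts = urlsplit(val)  # scp-style git@host:path has no scheme and is skipped
                if parts.scheme in ("http", "https") and parts.password:
                    findings.append((key, "secret embedded in remote URL"))
            elif key == "credential.helper" and val:
                name = re.sub(r"^git-credential-", "", val.split()[0].rsplit("/", 1)[-1])
                if name == "store":
                    findings.append((key, "'store' keeps credentials unencrypted on disk"))
                elif name not in RECOGNISED_HELPERS:
                    findings.append((key, f"unrecognised helper {name!r}"))
    return findings

# Constructed sample configs; host, user and token are placeholders.
WEAK = '[remote "origin"]\n\turl = https://alice:EXAMPLE-TOKEN@git.example.test/team/app.git\n[credential]\n\thelper = store\n'
HARDENED = '[remote "origin"]\n\turl = https://git.example.test/team/app.git\n[credential]\n\thelper = cache --timeout=900\n'

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit(cfg))
```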

6 Comments

"although if someone does get hold of your private key they can do a force push of an empty repository and wipe out your change history" - yes (and would be awful), but the beauty of distributed codebases allows us to recover with someone who has a copy of it at least.
I'm not sure stating that someone being able to force push is a differentiator between SSH and HTTPS. If I had your username and password, I could equally force push.
If you have username & password you can delete everything (after changing the password and email contact of course). No need to do individual force push on each repository if you can just delete them.
you are comparing password vs ssh key while https connection requires a special token.
HTTPS does not require a developer token, just username and password (and 2FA if it's enabled on the GitHub account). I would recommend the use of a token over username/password. A developer token has less inherent risk as it can be configured for specific access, does not use the GitHub account password and is revocable if compromised.
18

Either you are quoting wrong, or GitHub has different recommendations on different pages, or they may have learned with time and updated their recommendation.

We strongly recommend using an SSH connection when interacting with GitHub. SSH keys are a way to identify trusted computers, without involving passwords. The steps below will walk you through generating an SSH key and then adding the public key to your GitHub account.

https://help.github.com/articles/generating-ssh-keys

4 Comments

FWIW, this page no longer contains the "strongly recommend" text quoted in this answer.
They still use "recommended" for HTTPS in the following link: help.github.com/articles/which-remote-url-should-i-use/… "Cloning with HTTPS URLs (recommended)"
Now they completely removed that quote.
Thank you to those who removed the quote. Props to all the editors to make sure information is kept up to date.
4

Recommendation: use HTTPS with an OAuth credential helper such as Git Credential Manager or git-credential-oauth.

No more passwords or personal access tokens! The first time you push, the helper will open a browser window to authenticate. Subsequent pushes require no interaction.

Disadvantages of SSH:

  • Authenticates unnecessarily when cloning or fetching a public repo.
  • SSH client has to be installed.
  • Creating an SSH key is unfamiliar to many new Git users.
  • To protect against man-in-the-middle attacks, the user must manually verify the host fingerprints. Not everyone bothers!
  • Configuring a key with a host involves copy-and-paste between terminal and a website. To use 3 computers with 5 hosts, the user must do this 15 times.
  • SSH keys without a passphrase are stored in plaintext without expiry.
  • SSH key passphrase (if used) has to be typed regularly. Even after configuring ssh-agent, passphrase has to be typed after each system restart.
  • SSH is sometimes blocked by firewalls.

Advantages of HTTPS:

  • Clone or fetch a public repo without authentication.
  • Server authenticity is automatically verified using HTTPS certificate.
  • Assuming you use an OAuth credential helper such as Git Credential Manager or git-credential-oauth, you never have to type a password or configure a personal access token.
    • OAuth protocol protects against token theft by using short-lived tokens and refresh token rotation that detects replay attacks. This is an advantage over personal access tokens.
  • Credentials can be stored in cache or platform-specific storage such as wincred, osxkeychain or libsecret.
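The host fingerprint check this answer says SSH users must do by hand, as an added example that is not part of the original post: it computes the SHA256 fingerprint of a known_hosts entry and compares it with a pinned value. The host git.example.test and both keys are constructed, and PINNED stands in for the fingerprint a host publishes out of band.

```python
import base64
import hashlib
import hmac
import struct

def ssh_string(data: bytes) -> bytes:
    """Length-prefixed string as used in the SSH wire format (RFC 4251)."""
    return struct.pack(">I", len(data)) + data

def fingerprint(key_b64: str) -> str:
    """SHA256 fingerprint in the form OpenSSH prints: 'SHA256:' + unpadded base64."""
    blob = base64.b64decode(key_b64, validate=True)
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_known_hosts_line(line: str):
    """Return (hosts, key_type, key_b64) for a plain (unhashed, unmarked) entry."""
    fields = line.split()
    if len(fields) < 3 or fields[0].startswith(("#", "@", "|")):
        raise ValueError("unsupported known_hosts entry")
    hosts, key_type, key_b64 = fields[:3]
    # The key blob begins with its own type name; a mismatch means a mangled entry.
    blob = base64.b64decode(key_b64, validate=True)
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != key_type.encode():
        raise ValueError("key type does not match key blob")
    return hosts.split(","), key_type, key_b64

def host_key_matches(line: str, host: str, pinned: str) -> bool:
    """True only if the entry is for `host` and its fingerprint equals the pinned one."""
    hosts, _, key_b64 = parse_known_hosts_line(line)
    return host in hosts and hmac.compare_digest(fingerprint(key_b64), pinned)

# Constructed sample data: two made-up ed25519 keys for the made-up host git.example.test.
GOOD_KEY = base64.b64encode(ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))).decode()
OTHER_KEY = base64.b64encode(ssh_string(b"ssh-ed25519") + ssh_string(bytes(32))).decode()
PINNED = fingerprint(GOOD_KEY)  # stands in for the value published out of band

if __name__ == "__main__":
    for key in (GOOD_KEY, OTHER_KEY):
        entry = f"git.example.test ssh-ed25519 {key}"
        print(fingerprint(key), host_key_matches(entry, "git.example.test", PINNED))
```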

3 Comments

There is no "canonical answer" though. I worked as a contractor for banking/insurance companies, and I can assure you SSH is out of the picture. And for intranet Git repository service hosting, per CISO policy, no OAuth allowed.
Some good points but very biased. You didn't consider any advantages of SSH or disadvantages of HTTPS. Some of the issues with SSH can be alleviated by using GPG as the SSH agent but it does add more complexity to the setup.
The fact that ssh doesn't expire is not a problem of the user, it is the problem of the ssh server. Furthermore, I don't know why ssh in plain text should be a problem. The file can be read-only only for the user. If someone has access to your pc with your credentials and can read the file, well, you have a bigger problem than a ssh attack ;-)
1

It's possible to argue that using SSH keys to authenticate is less secure because we tend to change our password more periodically than we generate new SSH keys.

Servers that limit the lifespan for which they'll honor given SSH keys can help force users toward the practice of refreshing SSH-keys periodically.

1 Comment

It's now considered bad advice to make users change their passwords periodically. UK Governments view: ncsc.gov.uk/articles/problems-forcing-regular-password-expiry
1

One further reason for favoring HTTPS is that if multiple users are managing code on a central server -- say a development machine -- each user needs to create their own ssh key in order to use the SSH-based connection. If the connection is HTTPS, this issue doesn't exist.

I guess you could argue that it's not so difficult to just have setting up your own key be a part of onboarding to using the server where that project is stored, but it is a further hurdle to getting your work done.


0

As the pros and cons of both HTTPS and SSH have already been mentioned, I am going to share my experience with both. HTTPS is definitely the recommended option, because I was doing an online internship course and when I submitted the task from the repo cloned with SSH, the automated checking system couldn't connect to my project in GitLab, simply because it was pushed from an SSH-cloned repo. And then I deleted the local repo, recloned the same repo with HTTPS, pushed to remote and boom it worked, the system could evaluate my work and it passed!

Hope this helps to decide which one to use.
