Merge branch 'main' into 2fa-clarification
@@ -0,0 +1,98 @@
|
||||
---
|
||||
title: About anonymized URLs
|
||||
intro: 'If you upload an image or video to {% data variables.product.product_name %}, the URL of the image or video will be modified so your information is not trackable.'
|
||||
redirect_from:
|
||||
- /articles/why-do-my-images-have-strange-urls/
|
||||
- /articles/about-anonymized-image-urls
|
||||
- /authenticating-to-github/about-anonymized-image-urls
|
||||
- /github/authenticating-to-github/about-anonymized-urls
|
||||
versions:
|
||||
free-pro-team: '*'
|
||||
topics:
|
||||
- Identity
|
||||
- Access management
|
||||
---
|
||||
To host your images, {% data variables.product.product_name %} uses the [open-source project Camo](https://github.com/atmos/camo). Camo generates an anonymous URL proxy for each file which hides your browser details and related information from other users. The URL starts `https://<subdomain>.githubusercontent.com/`, with different subdomains depending on how you uploaded the image.
|
||||
|
||||
Videos also get anonymized URLs with the same format as image URLs, but are not processed through Camo. This is because {% data variables.product.prodname_dotcom %} does not support externally hosted videos, so the anonymized URL is a link to the uploaded video hosted by {% data variables.product.prodname_dotcom %}.
|
||||
|
||||
Anyone who receives your anonymized URL, directly or indirectly, may view your image or video. To keep sensitive media files private, restrict them to a private network or a server that requires authentication instead of using Camo.
|
||||
|
||||
### Troubleshooting issues with Camo
|
||||
|
||||
In rare circumstances, images that are processed through Camo might not appear on {% data variables.product.prodname_dotcom %}. Here are some steps you can take to determine where the problem lies.
|
||||
|
||||
{% windows %}
|
||||
|
||||
{% tip %}
|
||||
|
||||
Windows users will either need to use the Git Powershell (which is installed alongside [{% data variables.product.prodname_desktop %}](https://desktop.github.com/)) or download [curl for Windows](http://curl.haxx.se/download.html).
|
||||
|
||||
{% endtip %}
|
||||
|
||||
{% endwindows %}
|
||||
|
||||
#### An image is not showing up
|
||||
|
||||
If an image is showing up in your browser but not on {% data variables.product.prodname_dotcom %}, you can try requesting it locally.
|
||||
|
||||
{% data reusables.command_line.open_the_multi_os_terminal %}
|
||||
1. Request the image headers using `curl`.
|
||||
```shell
|
||||
$ curl -I https://www.my-server.com/images/some-image.png
|
||||
> HTTP/2 200
|
||||
> Date: Fri, 06 Jun 2014 07:27:43 GMT
|
||||
> Expires: Sun, 06 Jul 2014 07:27:43 GMT
|
||||
> Content-Type: image/x-png
|
||||
> Server: Google Frontend
|
||||
> Content-Length: 6507
|
||||
```
|
||||
3. Check the value of `Content-Type`. In this case, it's `image/x-png`.
|
||||
4. Check that content type against [the list of types supported by Camo](https://github.com/atmos/camo/blob/master/mime-types.json).
|
||||
|
||||
If your content type is not supported by Camo, you can try several actions:
|
||||
* If you own the server that's hosting the image, modify it so that it returns a correct content type for images.
|
||||
* If you're using an external service for hosting images, contact support for that service.
|
||||
* Make a pull request to Camo to add your content type to the list.
|
||||
|
||||
#### An image that changed recently is not updating
|
||||
|
||||
If you changed an image recently and it's showing up in your browser but not {% data variables.product.prodname_dotcom %}, you can try resetting the cache of the image.
|
||||
|
||||
{% data reusables.command_line.open_the_multi_os_terminal %}
|
||||
1. Request the image headers using `curl`.
|
||||
```shell
|
||||
$ curl -I https://www.my-server.com/images/some-image.png
|
||||
> HTTP/2 200
|
||||
> Expires: Fri, 01 Jan 1984 00:00:00 GMT
|
||||
> Content-Type: image/png
|
||||
> Content-Length: 2339
|
||||
> Server: Jetty(8.y.z-SNAPSHOT)
|
||||
```
|
||||
|
||||
Check the value of `Cache-Control`. In this example, there's no `Cache-Control`. In that case:
|
||||
* If you own the server that's hosting the image, modify it so that it returns a `Cache-Control` of `no-cache` for images.
|
||||
* If you're using an external service for hosting images, contact support for that service.
|
||||
|
||||
If `Cache-Control` *is* set to `no-cache`, contact {% data variables.contact.contact_support %} or search the {% data variables.contact.community_support_forum %}.
|
||||
|
||||
#### Removing an image from Camo's cache
|
||||
|
||||
Purging the cache forces every {% data variables.product.prodname_dotcom %} user to re-request the image, so you should use it very sparingly and only in the event that the above steps did not work.
|
||||
|
||||
{% data reusables.command_line.open_the_multi_os_terminal %}
|
||||
1. Purge the image using `curl -X PURGE` on the Camo URL.
|
||||
```shell
|
||||
$ curl -X PURGE https://camo.githubusercontent.com/4d04abe0044d94fefcf9af2133223....
|
||||
> {"status": "ok", "id": "216-8675309-1008701"}
|
||||
```
|
||||
|
||||
#### Viewing images on private networks
|
||||
|
||||
If an image is being served from a private network or from a server that requires authentication, it can't be viewed by {% data variables.product.prodname_dotcom %}. In fact, it can't be viewed by any user without asking them to log into the server.
|
||||
|
||||
To fix this, please move the image to a service that is publicly available.
|
||||
|
||||
### Further reading
|
||||
|
||||
- "[Proxying user images](https://github.com/blog/1766-proxying-user-images)" on {% data variables.product.prodname_blog %}
|
||||
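Review bot: The Windows tip links to the curl download over plain HTTP (`http://curl.haxx.se/download.html`); because this is where readers fetch an executable, the link should use `https://`. Separately, under "An image is not showing up" the numbered steps jump from `1.` to `3.` and `4.`, and under "An image that changed recently is not updating" the "Check the value of `Cache-Control`" step is a loose paragraph rather than a list item, so the two procedures are structured inconsistently. Numbering both lists the same way would fix that.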
@@ -0,0 +1,74 @@
|
||||
---
|
||||
title: About authentication to GitHub
|
||||
intro: 'You can securely access your account''s resources by authenticating to {% data variables.product.product_name %}, using different credentials depending on where you authenticate.'
|
||||
versions:
|
||||
free-pro-team: '*'
|
||||
enterprise-server: '*'
|
||||
github-ae: '*'
|
||||
topics:
|
||||
- Identity
|
||||
- Access management
|
||||
redirect_from:
|
||||
- /github/authenticating-to-github/about-authentication-to-github
|
||||
---
|
||||
### About authentication to {% data variables.product.prodname_dotcom %}
|
||||
|
||||
To keep your account secure, you must authenticate before you can access{% if currentVersion != "github-ae@latest" %} certain{% endif %} resources on {% data variables.product.product_name %}. When you authenticate to {% data variables.product.product_name %}, you supply or confirm credentials that are unique to you to prove that you are exactly who you declare to be.
|
||||
|
||||
You can access your resources in {% data variables.product.product_name %} in a variety of ways: in the browser, via {% data variables.product.prodname_desktop %} or another desktop application, with the API, or via the command line. Each way of accessing {% data variables.product.product_name %} supports different modes of authentication.
|
||||
|
||||
- {% if currentVersion == "github-ae@latest" %}Your identity provider (IdP){% else %}Username and password with two-factor authentication{% endif %}
|
||||
- Personal access token
|
||||
- SSH key
|
||||
|
||||
### Authenticating in your browser
|
||||
|
||||
You can authenticate to {% data variables.product.product_name %} in your browser {% if currentVersion == "github-ae@latest" %}using your IdP. For more information, see "[About authentication with SAML single sign-on](/github/authenticating-to-github/about-authentication-with-saml-single-sign-on)."{% else %}in different ways.
|
||||
|
||||
- **Username and password only**
|
||||
- You'll create a password when you create your user account on {% data variables.product.product_name %}. We recommend that you use a password manager to generate a random and unique password. For more information, see "[Creating a strong password](/github/authenticating-to-github/creating-a-strong-password)."
|
||||
- **Two-factor authentication (2FA)** (recommended)
|
||||
- If you enable 2FA, we'll also prompt you to provide a code that's generated by an application on your mobile device or sent as a text message (SMS) after you successfully enter your username and password. For more information, see "[Accessing {% data variables.product.prodname_dotcom %} using two-factor authentication](/github/authenticating-to-github/accessing-github-using-two-factor-authentication#providing-a-2fa-code-when-signing-in-to-the-website)."
|
||||
- In addition to authentication with a mobile application or a text message, you can optionally add a secondary method of authentication with a security key using WebAuthn. For more information, see "[Configuring two-factor authentication using a security key](/github/authenticating-to-github/configuring-two-factor-authentication#configuring-two-factor-authentication-using-a-security-key)."
|
||||
{% endif %}
|
||||
|
||||
### Authenticating with {% data variables.product.prodname_desktop %}
|
||||
|
||||
You can authenticate with {% data variables.product.prodname_desktop %} using your browser. For more information, see "[Authenticating to {% data variables.product.prodname_dotcom %}](/desktop/getting-started-with-github-desktop/authenticating-to-github)."
|
||||
|
||||
### Authenticating with the API
|
||||
|
||||
You can authenticate with the API in different ways.
|
||||
|
||||
- **Personal access tokens**
|
||||
- In limited situations, such as testing, you can use a personal access token to access the API. Using a personal access token enables you to revoke access at any time. For more information, see "[Creating a personal access token](/github/authenticating-to-github/creating-a-personal-access-token)."
|
||||
- **Web application flow**
|
||||
- For OAuth Apps in production, you should authenticate using the web application flow. For more information, see "[Authorizing OAuth Apps](/apps/building-oauth-apps/authorizing-oauth-apps/#web-application-flow)."
|
||||
- **GitHub Apps**
|
||||
- For GitHub Apps in production, you should authenticate on behalf of the app installation. For more information, see "[Authenticating with {% data variables.product.prodname_github_apps %}](/apps/building-github-apps/authenticating-with-github-apps/)."
|
||||
|
||||
### Authenticating with the command line
|
||||
|
||||
You can access repositories on {% data variables.product.product_name %} from the command line in two ways, HTTPS and SSH, and both have a different way of authenticating. The method of authenticating is determined based on whether you choose an HTTPS or SSH remote URL when you clone the repository. For more information about which way to access, see "[About remote repositories](/github/getting-started-with-github/about-remote-repositories)."
|
||||
|
||||
* You can work with all repositories on {% data variables.product.product_name %} over HTTPS, even if you are behind a firewall or proxy. Every time you use Git to authenticate with {% data variables.product.product_name %}, you'll be prompted to enter your credentials to authenticate with {% data variables.product.product_name %}, unless you cache them with a [credential helper](/github/getting-started-with-github/caching-your-github-credentials-in-git). {% data reusables.user_settings.password-authentication-deprecation %}
|
||||
|
||||
* You can work with all repositories on {% data variables.product.product_name %} over SSH, although firewalls and proxys might refuse to allow SSH connections. Using SSH requires you to generate an SSH public/private keypair on your local machine and add the public key to your {% data variables.product.product_name %} account. Every time you use Git to authenticate with {% data variables.product.product_name %}, you'll be prompted to enter your SSH key passphrase, unless you've [stored the key](/github/authenticating-to-github/generating-a-new-ssh-key-and-adding-it-to-the-ssh-agent#adding-your-ssh-key-to-the-ssh-agent). For more information, see "[Generating a new SSH key and adding it to the ssh-agent](/github/authenticating-to-github/generating-a-new-ssh-key-and-adding-it-to-the-ssh-agent)."
|
||||
|
||||
{% if currentVersion == "free-pro-team@latest" %}To use a personal access token or SSH key to access resources owned by an organization that uses SAML single sign-on, you must also authorize the personal token or SSH key. For more information, see "[Authorizing a personal access token for use with SAML single sign-on](/github/authenticating-to-github/authorizing-a-personal-access-token-for-use-with-saml-single-sign-on)" or "[Authorizing an SSH key for use with SAML single sign-on](/github/authenticating-to-github/authorizing-an-ssh-key-for-use-with-saml-single-sign-on)."{% endif %}
|
||||
|
||||
{% if currentVersion == "free-pro-team@latest" or currentVersion ver_gt "enterprise-server@3.1" or currentVersion == "github-ae@next" %}
|
||||
|
||||
### {% data variables.product.company_short %}'s token formats
|
||||
|
||||
{% data variables.product.company_short %} issues tokens that begin with a prefix to indicate the token's type.
|
||||
|
||||
| Token type | Prefix | More information |
|
||||
| :- | :- | :- |
|
||||
| Personal access token | `ghp_` | "[Creating a personal access token](/github/authenticating-to-github/creating-a-personal-access-token)" |
|
||||
| OAuth access token | `gho_` | "[Authorizing {% data variables.product.prodname_oauth_apps %}](/developers/apps/authorizing-oauth-apps)" |
|
||||
| User-to-server token for a {% data variables.product.prodname_github_app %} | `ghu_` | "[Identifying and authorizing users for {% data variables.product.prodname_github_apps %}](/developers/apps/identifying-and-authorizing-users-for-github-apps)" |
|
||||
| Server-to-server token for a {% data variables.product.prodname_github_app %} | `ghs_` | "[Authenticating with {% data variables.product.prodname_github_apps %}](/developers/apps/authenticating-with-github-apps#authenticating-as-an-installation)" |
|
||||
| Refresh token for a {% data variables.product.prodname_github_app %} | `ghr_` | "[Refreshing user-to-server access tokens](/developers/apps/refreshing-user-to-server-access-tokens)" |
|
||||
|
||||
{% endif %}
|
||||
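Review bot: In the SSH bullet under "Authenticating with the command line", "firewalls and proxys" should read "firewalls and proxies". In the opening paragraph, "prove that you are exactly who you declare to be" is awkward; "prove that you are who you say you are" is plainer. The browser section also lists "Username and password only" as an option while the summary list above it offers only "Username and password with two-factor authentication", so the two lists should be aligned or the password-only entry marked as the weaker choice next to the "(recommended)" label on 2FA.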
@@ -0,0 +1,28 @@
|
||||
---
|
||||
title: About GitHub's IP addresses
|
||||
intro: '{% data variables.product.product_name %} serves applications from multiple IP address ranges, which are available using the API.'
|
||||
redirect_from:
|
||||
- /articles/what-ip-addresses-does-github-use-that-i-should-whitelist/
|
||||
- /categories/73/articles/
|
||||
- /categories/administration/
|
||||
- /articles/github-s-ip-addresses/
|
||||
- /articles/about-github-s-ip-addresses
|
||||
- /articles/about-githubs-ip-addresses
|
||||
- /github/authenticating-to-github/about-githubs-ip-addresses
|
||||
versions:
|
||||
free-pro-team: '*'
|
||||
topics:
|
||||
- Identity
|
||||
- Access management
|
||||
---
|
||||
You can retrieve a list of {% data variables.product.prodname_dotcom %}'s IP addresses from the [meta](https://api.github.com/meta) API endpoint. For more information, see "[Meta](/rest/reference/meta)."
|
||||
|
||||
These ranges are in [CIDR notation](https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing#CIDR_notation). You can use an online conversion tool such as this [CIDR / VLSM Supernet Calculator](http://www.subnet-calculator.com/cidr.php) to convert from CIDR notation to IP address ranges.
|
||||
|
||||
We make changes to our IP addresses from time to time, and will keep this API up to date. We do not recommend allowing by IP address, however if you use these IP ranges we strongly encourage regular monitoring of our API.
|
||||
|
||||
For applications to function, you must allow TCP ports 22, 80, 443, and 9418 via our IP ranges for `github.com`.
|
||||
|
||||
### Further reading
|
||||
|
||||
- "[Troubleshooting connectivity problems](/articles/troubleshooting-connectivity-problems)"
|
||||
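Review bot: The sentence "you must allow TCP ports 22, 80, 443, and 9418 via our IP ranges for `github.com`" does not say in which direction the traffic must be allowed or which part of the meta response holds the `github.com` ranges, and a reader writing firewall rules needs both. The preceding sentence, "We do not recommend allowing by IP address, however if you use these IP ranges we strongly encourage regular monitoring of our API", is a comma splice and would read better as two sentences. The CIDR calculator link points to a third-party site over plain HTTP (`http://www.subnet-calculator.com/cidr.php`); consider an HTTPS link or dropping it in favour of the Wikipedia reference already given.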
@@ -0,0 +1,89 @@
|
||||
---
|
||||
title: Authorizing OAuth Apps
|
||||
intro: 'You can connect your {% data variables.product.product_name %} identity to third-party applications using OAuth. When authorizing an {% data variables.product.prodname_oauth_app %}, you should ensure you trust the application, review who it''s developed by, and review the kinds of information the application wants to access.'
|
||||
redirect_from:
|
||||
- /articles/authorizing-oauth-apps
|
||||
- /github/authenticating-to-github/authorizing-oauth-apps
|
||||
versions:
|
||||
free-pro-team: '*'
|
||||
enterprise-server: '*'
|
||||
github-ae: '*'
|
||||
topics:
|
||||
- Identity
|
||||
- Access management
|
||||
---
|
||||
When an {% data variables.product.prodname_oauth_app %} wants to identify you by your {% data variables.product.product_name %} account, you'll see a page with the app's developer contact information and a list of the specific data that's being requested.
|
||||
|
||||
{% if currentVersion == "free-pro-team@latest" %}
|
||||
|
||||
{% tip %}
|
||||
|
||||
**Tip:** You must [verify your email address](/articles/verifying-your-email-address) before you can authorize an {% data variables.product.prodname_oauth_app %}.
|
||||
|
||||
{% endtip %}
|
||||
|
||||
{% endif %}
|
||||
|
||||
### {% data variables.product.prodname_oauth_app %} access
|
||||
|
||||
{% data variables.product.prodname_oauth_app %}s can have *read* or *write* access to your {% data variables.product.product_name %} data.
|
||||
|
||||
- **Read access** only allows an app to *look at* your data.
|
||||
- **Write access** allows an app to *change* your data.
|
||||
|
||||
{% tip %}
|
||||
|
||||
**Tip:** {% data reusables.user_settings.review_oauth_tokens_tip %}
|
||||
|
||||
{% endtip %}
|
||||
|
||||
#### About OAuth scopes
|
||||
|
||||
*Scopes* are named groups of permissions that an {% data variables.product.prodname_oauth_app %} can request to access both public and non-public data.
|
||||
|
||||
When you want to use an {% data variables.product.prodname_oauth_app %} that integrates with {% data variables.product.product_name %}, that app lets you know what type of access to your data will be required. If you grant access to the app, then the app will be able to perform actions on your behalf, such as reading or modifying data. For example, if you want to use an app that requests `user:email` scope, the app will have read-only access to your private email addresses. For more information, see "[About scopes for {% data variables.product.prodname_oauth_app %}s](/apps/building-integrations/setting-up-and-registering-oauth-apps/about-scopes-for-oauth-apps)."
|
||||
|
||||
{% tip %}
|
||||
|
||||
**Note:** Currently, you can't scope source code access to read-only.
|
||||
|
||||
{% endtip %}
|
||||
|
||||
#### Types of requested data
|
||||
|
||||
{% data variables.product.prodname_oauth_app %}s can request several types of data.
|
||||
|
||||
| Type of data | Description |
|
||||
| --- | --- |
|
||||
| Commit status | You can grant access for an app to report your commit status. Commit status access allows apps to determine if a build is a successful against a specific commit. Apps won't have access to your code, but they can read and write status information against a specific commit. |
|
||||
| Deployments | Deployment status access allows apps to determine if a deployment is successful against a specific commit for public and private repositories. Apps won't have access to your code. |
|
||||
| Gists | [Gist](https://gist.github.com) access allows apps to read or write to both your public and secret Gists. |
|
||||
| Hooks | [Webhooks](/webhooks) access allows apps to read or write hook configurations on repositories you manage. |
|
||||
| Notifications | Notification access allows apps to read your {% data variables.product.product_name %} notifications, such as comments on issues and pull requests. However, apps remain unable to access anything in your repositories. |
|
||||
| Organizations and teams | Organization and teams access allows apps to access and manage organization and team membership. |
|
||||
| Personal user data | User data includes information found in your user profile, like your name, e-mail address, and location. |
|
||||
| Repositories | Repository information includes the names of contributors, the branches you've created, and the actual files within your repository. Apps can request access for either public or private repositories on a user-wide level. |
|
||||
| Repository delete | Apps can request to delete repositories that you administer, but they won't have access to your code. |
|
||||
|
||||
### Requesting updated permissions
|
||||
|
||||
When {% data variables.product.prodname_oauth_app %}s request new access permissions, they will notify you of the differences between their current permissions and the new permissions.
|
||||
|
||||
{% if currentVersion == "free-pro-team@latest" %}
|
||||
|
||||
### {% data variables.product.prodname_oauth_app %}s and organizations
|
||||
|
||||
When you authorize an {% data variables.product.prodname_oauth_app %} for your personal user account, you'll also see how the authorization will affect each organization you're a member of.
|
||||
|
||||
- **For organizations *with* {% data variables.product.prodname_oauth_app %} access restrictions, you can request that organization admins approve the application for use in that organization.** If the organization does not approve the application, then the application will only be able to access the organization's public resources. If you're an organization admin, you can [approve the application](/articles/approving-oauth-apps-for-your-organization) yourself.
|
||||
|
||||
- **For organizations *without* {% data variables.product.prodname_oauth_app %} access restrictions, the application will automatically be authorized for access to that organization's resources.** For this reason, you should be careful about which {% data variables.product.prodname_oauth_app %}s you approve for access to your personal account resources as well as any organization resources.
|
||||
|
||||
If you belong to any organizations that enforce SAML single sign-on, you must have an active SAML session for each organization each time you authorize an {% data variables.product.prodname_oauth_app %}.
|
||||
|
||||
### Further reading
|
||||
|
||||
- "[About {% data variables.product.prodname_oauth_app %} access restrictions](/articles/about-oauth-app-access-restrictions)"
|
||||
- "[{% data variables.product.prodname_marketplace %} support](/articles/github-marketplace-support)"
|
||||
|
||||
{% endif %}
|
||||
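Review bot: Under "About OAuth scopes", "**Note:** Currently, you can't scope source code access to read-only." is wrapped in `{% tip %}` ... `{% endtip %}`. This is a limitation a user should weigh before granting repository access, so the block type should match the "Note" label rather than render as a tip. In the "Commit status" row, "if a build is a successful against" has a stray "a". The "Further reading" section sits inside the `{% if currentVersion == "free-pro-team@latest" %}` block opened before "{% data variables.product.prodname_oauth_app %}s and organizations", so it disappears on the other versions listed in the front matter; confirm that is intended.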
@@ -0,0 +1,74 @@
|
||||
---
|
||||
title: Connecting with third-party applications
|
||||
intro: 'You can connect your {% data variables.product.product_name %} identity to third-party applications using OAuth. When authorizing one of these applications, you should ensure you trust the application, review who it''s developed by, and review the kinds of information the application wants to access.'
|
||||
redirect_from:
|
||||
- /articles/connecting-with-third-party-applications
|
||||
- /github/authenticating-to-github/connecting-with-third-party-applications
|
||||
versions:
|
||||
free-pro-team: '*'
|
||||
enterprise-server: '*'
|
||||
github-ae: '*'
|
||||
topics:
|
||||
- Identity
|
||||
- Access management
|
||||
---
|
||||
When a third-party application wants to identify you by your {% data variables.product.product_name %} login, you'll see a page with the developer contact information and a list of the specific data that's being requested.
|
||||
|
||||
### Contacting the application developer
|
||||
|
||||
Because an application is developed by a third-party who isn't {% data variables.product.product_name %}, we don't know exactly how an application uses the data it's requesting access to. You can use the developer information at the top of the page to contact the application admin if you have questions or concerns about their application.
|
||||
|
||||

|
||||
|
||||
If the developer has chosen to supply it, the right-hand side of the page provides a detailed description of the application, as well as its associated website.
|
||||
|
||||

|
||||
|
||||
### Types of application access and data
|
||||
|
||||
Applications can have *read* or *write* access to your {% data variables.product.product_name %} data.
|
||||
|
||||
- **Read access** only allows an application to *look at* your data.
|
||||
- **Write access** allows an application to *change* your data.
|
||||
|
||||
#### About OAuth scopes
|
||||
|
||||
*Scopes* are named groups of permissions that an application can request to access both public and non-public data.
|
||||
|
||||
When you want to use a third-party application that integrates with {% data variables.product.product_name %}, that application lets you know what type of access to your data will be required. If you grant access to the application, then the application will be able to perform actions on your behalf, such as reading or modifying data. For example, if you want to use an app that requests `user:email` scope, the app will have read-only access to your private email addresses. For more information, see "[About scopes for {% data variables.product.prodname_oauth_app %}s](/apps/building-integrations/setting-up-and-registering-oauth-apps/about-scopes-for-oauth-apps)."
|
||||
|
||||
{% tip %}
|
||||
|
||||
**Note:** Currently, you can't scope source code access to read-only.
|
||||
|
||||
{% endtip %}
|
||||
|
||||
#### Types of requested data
|
||||
|
||||
There are several types of data that applications can request.
|
||||
|
||||

|
||||
|
||||
{% tip %}
|
||||
|
||||
**Tip:** {% data reusables.user_settings.review_oauth_tokens_tip %}
|
||||
|
||||
{% endtip %}
|
||||
|
||||
| Type of data | Description |
|
||||
| --- | --- |
|
||||
| Commit status | You can grant access for a third-party application to report your commit status. Commit status access allows applications to determine if a build is a successful against a specific commit. Applications won't have access to your code, but they <em>can</em> read and write status information against a specific commit. |
|
||||
| Deployments | Deployment status access allows applications to determine if a deployment is successful against a specific commit for a repository. Applications won't have access to your code. |
|
||||
| Gists | [Gist](https://gist.github.com) access allows applications to read or write to {% if currentVersion != "github-ae@latest" %}both your public and{% else %}both your internal and{% endif %} secret Gists. |
|
||||
| Hooks | [Webhooks](/webhooks) access allows applications to read or write hook configurations on repositories you manage. |
|
||||
| Notifications | Notification access allows applications to read your {% data variables.product.product_name %} notifications, such as comments on issues and pull requests. However, applications remain unable to access anything in your repositories. |
|
||||
| Organizations and teams | Organization and teams access allows apps to access and manage organization and team membership. |
|
||||
| Personal user data | User data includes information found in your user profile, like your name, e-mail address, and location. |
|
||||
| Repositories | Repository information includes the names of contributors, the branches you've created, and the actual files within your repository. Applications can request access for either {% if currentVersion != "github-ae@latest" %}public{% else %}internal{% endif %} or private repositories on a user-wide level. |
|
||||
| Repository delete | Applications can request to delete repositories that you administer, but they won't have access to your code. |
|
||||
|
||||
### Requesting updated permissions
|
||||
|
||||
Applications can request new access privileges. When asking for updated permissions, the application will notify you of the differences.
|
||||
|
||||

|
||||
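Review bot: The "Commit status" table row uses raw HTML (`<em>can</em>`) where the rest of the file uses Markdown `*...*` for emphasis, and it carries the same "if a build is a successful against" typo as the OAuth Apps article. In "Contacting the application developer", "developed by a third-party who isn't" should be "third party" (noun, no hyphen). The "Organizations and teams" row says "apps" while every other row in this table says "applications". As in the OAuth Apps article, the "**Note:**" about read-only source code access is wrapped in `{% tip %}`.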
@@ -0,0 +1,70 @@
|
||||
---
|
||||
title: Creating a personal access token
|
||||
intro: You should create a personal access token to use in place of a password with the command line or with the API.
|
||||
redirect_from:
|
||||
- /articles/creating-an-oauth-token-for-command-line-use/
|
||||
- /articles/creating-an-access-token-for-command-line-use/
|
||||
- /articles/creating-a-personal-access-token-for-the-command-line
|
||||
- /github/authenticating-to-github/creating-a-personal-access-token-for-the-command-line
|
||||
- /github/authenticating-to-github/creating-a-personal-access-token
|
||||
versions:
|
||||
free-pro-team: '*'
|
||||
enterprise-server: '*'
|
||||
github-ae: '*'
|
||||
topics:
|
||||
- Identity
|
||||
- Access management
|
||||
---
|
||||
Personal access tokens (PATs) are an alternative to using passwords for authentication to {% data variables.product.product_name %} when using the [GitHub API](/rest/overview/other-authentication-methods#via-oauth-and-personal-access-tokens) or the [command line](#using-a-token-on-the-command-line).
|
||||
|
||||
{% if currentVersion == "free-pro-team@latest" %}If you want to use a PAT to access resources owned by an organization that uses SAML SSO, you must authorize the PAT. For more information, see "[About authentication with SAML single sign-on](/github/authenticating-to-github/about-authentication-with-saml-single-sign-on)" and "[Authorizing a personal access token for use with SAML single sign-on](/github/authenticating-to-github/authorizing-a-personal-access-token-for-use-with-saml-single-sign-on)."{% endif %}
|
||||
|
||||
{% if currentVersion == "free-pro-team@latest" %}{% data reusables.user_settings.removes-personal-access-tokens %}{% endif %}
|
||||
|
||||
### Creating a token
|
||||
|
||||
{% if currentVersion == "free-pro-team@latest" %}1. [Verify your email address](/github/getting-started-with-github/verifying-your-email-address), if it hasn't been verified yet.{% endif %}
|
||||
{% data reusables.user_settings.access_settings %}
|
||||
{% data reusables.user_settings.developer_settings %}
|
||||
{% data reusables.user_settings.personal_access_tokens %}
|
||||
4. Click **Generate new token**.
|
||||

|
||||
5. Give your token a descriptive name.
|
||||

|
||||
6. Select the scopes, or permissions, you'd like to grant this token. To use your token to access repositories from the command line, select **repo**.
|
||||
{% if currentVersion == "free-pro-team@latest" or enterpriseServerVersions contains currentVersion %}
|
||||

|
||||
{% elsif currentVersion == "github-ae@latest" %}
|
||||

|
||||
{% endif %}
|
||||
7. Click **Generate token**.
|
||||

|
||||
8. Click {% octicon "clippy" aria-label="The copy to clipboard icon" %} to copy the token to your clipboard. For security reasons, after you navigate off the page, you will not be able to see the token again.
|
||||
{% if currentVersion == "free-pro-team@latest" %}
|
||||

|
||||
{% elsif currentVersion ver_gt "enterprise-server@3.1" or currentVersion == "github-ae@next" %}
|
||||

|
||||
{% else %}
|
||||

|
||||
{% endif %}
|
||||
{% warning %}
|
||||
|
||||
**Warning:** Treat your tokens like passwords and keep them secret. When working with the API, use tokens as environment variables instead of hardcoding them into your programs.
|
||||
|
||||
{% endwarning %}
|
||||
|
||||
{% if currentVersion == "free-pro-team@latest" %}9. To use your token to authenticate to an organization that uses SAML SSO, [authorize the token for use with a SAML single-sign-on organization](/github/authenticating-to-github/authorizing-a-personal-access-token-for-use-with-saml-single-sign-on).{% endif %}
|
||||
|
||||
### Using a token on the command line
|
||||
|
||||
{% data reusables.command_line.providing-token-as-password %}
|
||||
|
||||
Personal access tokens can only be used for HTTPS Git operations. If your repository uses an SSH remote URL, you will need to [switch the remote from SSH to HTTPS](/github/getting-started-with-github/managing-remote-repositories/#switching-remote-urls-from-ssh-to-https).
|
||||
|
||||
If you are not prompted for your username and password, your credentials may be cached on your computer. You can [update your credentials in the Keychain](/github/getting-started-with-github/updating-credentials-from-the-macos-keychain) to replace your old password with the token.
|
||||
|
||||
Instead of manually entering your PAT for every HTTPS Git operation, you can cache your PAT with a Git client. Git will temporarily store your credentials in memory until an expiry interval has passed. You can also store the token in a plain text file that Git can read before every request. For more information, see "[Caching your {% data variables.product.prodname_dotcom %} credentials in Git](/github/getting-started-with-github/caching-your-github-credentials-in-git)."
|
||||
|
||||
### Further reading
|
||||
|
||||
- "[About authentication to GitHub](/github/authenticating-to-github/about-authentication-to-github)"
|
||||
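Review bot: The closing paragraph of "Using a token on the command line" offers storing the token "in a plain text file that Git can read before every request" without any caution, which contradicts the warning a few lines earlier to treat tokens like passwords and keep them secret. Suggest either dropping the plain-text option from this sentence or stating that the token is stored unencrypted on disk and recommending the in-memory cache first. Separately, the sentence about updating credentials "in the Keychain" links to a macOS-only article but is neither worded nor tagged as macOS-specific, and step 6 tells readers to select the full **repo** scope without noting that they should grant only the scopes they need.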
@@ -0,0 +1,34 @@
|
||||
---
|
||||
title: Creating a strong password
|
||||
intro: 'Secure your {% data variables.product.product_name %} account with a strong and unique password using a password manager.'
|
||||
redirect_from:
|
||||
- /articles/what-is-a-strong-password/
|
||||
- /articles/creating-a-strong-password
|
||||
- /github/authenticating-to-github/creating-a-strong-password
|
||||
versions:
|
||||
free-pro-team: '*'
|
||||
enterprise-server: '*'
|
||||
topics:
|
||||
- Identity
|
||||
- Access management
|
||||
---
|
||||
You must choose or generate a password for your {% data variables.product.product_name %} account that is at least:
|
||||
- {% if enterpriseServerVersions contains currentVersion %}Seven{% else %}Eight{% endif %} characters long, if it includes a number and a lowercase letter, or
|
||||
- 15 characters long with any combination of characters
|
||||
|
||||
To keep your account secure, we recommend you follow these best practices:
|
||||
- Use a password manager, such as [LastPass](https://lastpass.com/) or [1Password](https://1password.com/), to generate a password of at least 15 characters.
|
||||
- Generate a unique password for {% data variables.product.product_name %}. If you use your {% data variables.product.product_name %} password elsewhere and that service is compromised, then attackers or other malicious actors could use that information to access your {% data variables.product.product_name %} account.
|
||||
- Configure two-factor authentication for your personal account. For more information, see "[About two-factor authentication](/articles/about-two-factor-authentication)."
|
||||
- Never share your password, even with a potential collaborator. Each person should use their own personal account on {% data variables.product.product_name %}. For more information on ways to collaborate, see: "[Inviting collaborators to a personal repository](/articles/inviting-collaborators-to-a-personal-repository)," "[About collaborative development models](/articles/about-collaborative-development-models/)," or "[Collaborating with groups in organizations](/organizations/collaborating-with-groups-in-organizations/)."
|
||||
|
||||
{% data reusables.repositories.blocked-passwords %}
|
||||
|
||||
You can only use your password to log on to {% data variables.product.product_name %} using your browser. When you authenticate to {% data variables.product.product_name %} with other means, such as the command line or API, you should use other credentials. For more information, see "[About authentication to {% data variables.product.prodname_dotcom %}](/github/authenticating-to-github/about-authentication-to-github)."
|
||||
|
||||
{% if currentVersion == "free-pro-team@latest" %}{% data reusables.user_settings.password-authentication-deprecation %}{% endif %}
|
||||
|
||||
### Further reading
|
||||
|
||||
- "[Caching your {% data variables.product.product_name %} credentials in Git](/github/getting-started-with-github/caching-your-github-credentials-in-git/)"
|
||||
- "[Keeping your account and data secure](/articles/keeping-your-account-and-data-secure/)"
|
||||
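Review bot: The paragraph beginning "You can only use your password to log on ... using your browser" is unconditional, yet the front matter publishes this page for `enterprise-server: '*'` and the password-authentication deprecation reusable on the next line is limited to `free-pro-team@latest`. If password authentication over the command line or API is still accepted on Enterprise Server, the unconditional sentence is wrong for those readers and should be wrapped in the same version check or reworded as a recommendation. Minor: the first `redirect_from` entry keeps a trailing slash while the other two do not.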
@@ -0,0 +1,18 @@
|
||||
---
|
||||
title: GitHub's SSH key fingerprints
|
||||
intro: Public key fingerprints can be used to validate a connection to a remote server.
|
||||
redirect_from:
|
||||
- /articles/what-are-github-s-ssh-key-fingerprints/
|
||||
- /articles/github-s-ssh-key-fingerprints
|
||||
- /articles/githubs-ssh-key-fingerprints
|
||||
- /github/authenticating-to-github/githubs-ssh-key-fingerprints
|
||||
versions:
|
||||
free-pro-team: '*'
|
||||
topics:
|
||||
- Identity
|
||||
- Access management
|
||||
---
|
||||
These are {% data variables.product.prodname_dotcom %}'s public key fingerprints:
|
||||
|
||||
- `SHA256:nThbg6kXUpJWGl7E1IGOCspRomTxdCARLviKw6E5SY8` (RSA)
|
||||
- `SHA256:br9IjFspm1vxR3iA35FWE+4VTyz1hYVLIE2t1/CeyWQ` (DSA)
|
||||
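Review bot: The body lists the two fingerprints but never says how a reader is meant to use them, although the intro promises they "can be used to validate a connection to a remote server." Suggest adding one sentence telling readers to compare the fingerprint their SSH client displays on first connection against these values and to refuse the connection on a mismatch. It would also help to say why a DSA fingerprint is listed alongside the RSA one, since the page gives no guidance on which key a client will be offered.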
@@ -0,0 +1,32 @@
|
||||
---
|
||||
title: Keeping your account and data secure
|
||||
intro: 'To protect your personal information, you should keep both your {% data variables.product.product_name %} account and any associated data secure.'
|
||||
redirect_from:
|
||||
- /articles/keeping-your-account-and-data-secure
|
||||
versions:
|
||||
free-pro-team: '*'
|
||||
enterprise-server: '*'
|
||||
github-ae: '*'
|
||||
topics:
|
||||
- Identity
|
||||
- Access management
|
||||
children:
|
||||
- /about-authentication-to-github
|
||||
- /creating-a-strong-password
|
||||
- /updating-your-github-access-credentials
|
||||
- /creating-a-personal-access-token
|
||||
- /reviewing-your-ssh-keys
|
||||
- /reviewing-your-deploy-keys
|
||||
- /authorizing-oauth-apps
|
||||
- /reviewing-your-authorized-integrations
|
||||
- /connecting-with-third-party-applications
|
||||
- /reviewing-your-authorized-applications-oauth
|
||||
- /reviewing-your-security-log
|
||||
- /removing-sensitive-data-from-a-repository
|
||||
- /about-anonymized-urls
|
||||
- /about-githubs-ip-addresses
|
||||
- /githubs-ssh-key-fingerprints
|
||||
- /sudo-mode
|
||||
- /preventing-unauthorized-access
|
||||
---
|
||||
|
||||
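Review bot: The `redirect_from` list in this index file has only `/articles/keeping-your-account-and-data-secure`, while every other file added in this patch also redirects from its former `/github/authenticating-to-github/...` path. If this page was moved along with its children, the old `/github/authenticating-to-github/keeping-your-account-and-data-secure` URL needs an entry too, otherwise existing links to it will break. Also worth confirming that each path under `children:` matches a file in this commit, since several of them (for example `/sudo-mode` and `/about-githubs-ip-addresses`) are not visible in this part of the diff.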
@@ -0,0 +1,27 @@
|
||||
---
|
||||
title: Preventing unauthorized access
|
||||
intro: 'You may be alerted to a security incident in the media, such as the discovery of the [Heartbleed bug](http://heartbleed.com/), or your computer could be stolen while you''re signed in to {% data variables.product.product_location %}. In such cases, changing your password prevents any unintended future access to your account and projects.'
|
||||
redirect_from:
|
||||
- /articles/preventing-unauthorized-access
|
||||
- /github/authenticating-to-github/preventing-unauthorized-access
|
||||
versions:
|
||||
free-pro-team: '*'
|
||||
enterprise-server: '*'
|
||||
topics:
|
||||
- Identity
|
||||
- Access management
|
||||
---
|
||||
{% data variables.product.product_name %} requires a password to perform sensitive actions, such as adding new SSH keys, authorizing applications, or modifying team members.
|
||||
|
||||
After changing your password, you should perform these actions to make sure that your account is secure:
|
||||
|
||||
- [Enable two-factor authentication](/articles/about-two-factor-authentication) on your account so that access requires more than just a password.
|
||||
- [Review your SSH keys](/articles/reviewing-your-ssh-keys), [deploy keys](/articles/reviewing-your-deploy-keys), and [authorized integrations](/articles/reviewing-your-authorized-integrations) and revoke unauthorized or unfamiliar access in your SSH and Applications settings.
|
||||
{% if currentVersion == "free-pro-team@latest" %}
|
||||
- [Verify all your email addresses](/articles/verifying-your-email-address). If an attacker added their email address to your account, it could allow them to force an unintended password reset.
|
||||
{% endif %}
|
||||
- [Review your account's security log](/github/authenticating-to-github/reviewing-your-security-log). This provides an overview on various configurations made to your repositories. For example, you can ensure that no private repositories were turned public, or that no repositories were transferred.
|
||||
- [Review the webhooks](/articles/creating-webhooks) on your repositories. Webhooks could allow an attacker to intercept pushes made to your repository.
|
||||
- [Make sure that no new deploy keys](/guides/managing-deploy-keys/#deploy-keys) were created. This could enable outside servers access to your projects.
|
||||
- Review recent commits made to your repositories.
|
||||
- Review the list of collaborators for each repository.
|
||||
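Review bot: The post-password-change checklist never asks the reader to review personal access tokens, even though this same patch documents them as a credential to "treat like passwords"; an item for reviewing and deleting unfamiliar tokens belongs next to the SSH keys bullet. Deploy keys are also covered twice, once in the "Review your SSH keys, deploy keys, and authorized integrations" bullet and again in "Make sure that no new deploy keys were created", so one of the two can go. Smaller points: the webhooks bullet links to `/articles/creating-webhooks`, which is about creating rather than reviewing them, and "provides an overview on various configurations" and "could enable outside servers access" both need a grammar pass.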
@@ -0,0 +1,159 @@
|
||||
---
|
||||
title: Removing sensitive data from a repository
|
||||
intro: 'If you commit sensitive data, such as a password or SSH key into a Git repository, you can remove it from the history. To entirely remove unwanted files from a repository''s history you can use either the `git filter-branch` command or the BFG Repo-Cleaner open source tool.'
|
||||
redirect_from:
|
||||
- /remove-sensitive-data/
|
||||
- /removing-sensitive-data/
|
||||
- /articles/remove-sensitive-data/
|
||||
- /articles/removing-sensitive-data-from-a-repository
|
||||
- /github/authenticating-to-github/removing-sensitive-data-from-a-repository
|
||||
versions:
|
||||
free-pro-team: '*'
|
||||
enterprise-server: '*'
|
||||
github-ae: '*'
|
||||
topics:
|
||||
- Identity
|
||||
- Access management
|
||||
---
|
||||
The `git filter-branch` command and the BFG Repo-Cleaner rewrite your repository's history, which changes the SHAs for existing commits that you alter and any dependent commits. Changed commit SHAs may affect open pull requests in your repository. We recommend merging or closing all open pull requests before removing files from your repository.
|
||||
|
||||
You can remove the file from the latest commit with `git rm`. For information on removing a file that was added with the latest commit, see "[Removing files from a repository's history](/articles/removing-files-from-a-repository-s-history)."
|
||||
|
||||
{% warning %}
|
||||
|
||||
**Warning: Once you have pushed a commit to {% data variables.product.product_name %}, you should consider any data it contains to be compromised.** If you committed a password, change it! If you committed a key, generate a new one.
|
||||
|
||||
This article tells you how to make commits with sensitive data unreachable from any branches or tags in your {% data variables.product.product_name %} repository. However, it's important to note that those commits may still be accessible in any clones or forks of your repository, directly via their SHA-1 hashes in cached views on {% data variables.product.product_name %}, and through any pull requests that reference them. You can't do anything about existing clones or forks of your repository, but you can permanently remove cached views and references to the sensitive data in pull requests on {% data variables.product.product_name %} by contacting {% data variables.contact.contact_support %}.
|
||||
|
||||
{% endwarning %}
|
||||
|
||||
### Purging a file from your repository's history
|
||||
|
||||
#### Using the BFG
|
||||
|
||||
The [BFG Repo-Cleaner](https://rtyley.github.io/bfg-repo-cleaner/) is a tool that's built and maintained by the open source community. It provides a faster, simpler alternative to `git filter-branch` for removing unwanted data. For example, to remove your file with sensitive data and leave your latest commit untouched, run:
|
||||
|
||||
```shell
|
||||
$ bfg --delete-files <em>YOUR-FILE-WITH-SENSITIVE-DATA</em>
|
||||
```
|
||||
|
||||
To replace all text listed in `passwords.txt` wherever it can be found in your repository's history, run:
|
||||
|
||||
```shell
|
||||
$ bfg --replace-text passwords.txt
|
||||
```
|
||||
|
||||
After the sensitive data is removed, you must force push your changes to {% data variables.product.product_name %}.
|
||||
|
||||
```shell
|
||||
$ git push --force
|
||||
```
|
||||
|
||||
See the [BFG Repo-Cleaner](https://rtyley.github.io/bfg-repo-cleaner/)'s documentation for full usage and download instructions.
|
||||
|
||||
#### Using filter-branch
|
||||
|
||||
{% warning %}
|
||||
|
||||
**Warning:** If you run `git filter-branch` after stashing changes, you won't be able to retrieve your changes with other stash commands. Before running `git filter-branch`, we recommend unstashing any changes you've made. To unstash the last set of changes you've stashed, run `git stash show -p | git apply -R`. For more information, see [Git Tools Stashing](https://git-scm.com/book/en/v1/Git-Tools-Stashing).
|
||||
|
||||
{% endwarning %}
|
||||
|
||||
To illustrate how `git filter-branch` works, we'll show you how to remove your file with sensitive data from the history of your repository and add it to `.gitignore` to ensure that it is not accidentally re-committed.
|
||||
|
||||
1. If you don't already have a local copy of your repository with sensitive data in its history, [clone the repository](/articles/cloning-a-repository/) to your local computer.
|
||||
```shell
|
||||
$ git clone https://{% data variables.command_line.codeblock %}/<em>YOUR-USERNAME</em>/<em>YOUR-REPOSITORY</em>
|
||||
> Initialized empty Git repository in /Users/<em>YOUR-FILE-PATH</em>/<em>YOUR-REPOSITORY</em>/.git/
|
||||
> remote: Counting objects: 1301, done.
|
||||
> remote: Compressing objects: 100% (769/769), done.
|
||||
> remote: Total 1301 (delta 724), reused 910 (delta 522)
|
||||
> Receiving objects: 100% (1301/1301), 164.39 KiB, done.
|
||||
> Resolving deltas: 100% (724/724), done.
|
||||
```
|
||||
2. Navigate into the repository's working directory.
|
||||
```shell
|
||||
$ cd <em>YOUR-REPOSITORY</em>
|
||||
```
|
||||
3. Run the following command, replacing `PATH-TO-YOUR-FILE-WITH-SENSITIVE-DATA` with the **path to the file you want to remove, not just its filename**. These arguments will:
|
||||
- Force Git to process, but not check out, the entire history of every branch and tag
|
||||
- Remove the specified file, as well as any empty commits generated as a result
|
||||
- **Overwrite your existing tags**
|
||||
```shell
|
||||
$ git filter-branch --force --index-filter \
|
||||
"git rm --cached --ignore-unmatch <em>PATH-TO-YOUR-FILE-WITH-SENSITIVE-DATA</em>" \
|
||||
--prune-empty --tag-name-filter cat -- --all
|
||||
> Rewrite 48dc599c80e20527ed902928085e7861e6b3cbe6 (266/266)
|
||||
> Ref 'refs/heads/main' was rewritten
|
||||
```
|
||||
|
||||
{% note %}
|
||||
|
||||
**Note:** If the file with sensitive data used to exist at any other paths (because it was moved or renamed), you must run this command on those paths, as well.
|
||||
|
||||
{% endnote %}
|
||||
|
||||
4. Add your file with sensitive data to `.gitignore` to ensure that you don't accidentally commit it again.
|
||||
|
||||
```shell
|
||||
$ echo "<em>YOUR-FILE-WITH-SENSITIVE-DATA</em>" >> .gitignore
|
||||
$ git add .gitignore
|
||||
$ git commit -m "Add <em>YOUR-FILE-WITH-SENSITIVE-DATA</em> to .gitignore"
|
||||
> [main 051452f] Add <em>YOUR-FILE-WITH-SENSITIVE-DATA</em> to .gitignore
|
||||
> 1 files changed, 1 insertions(+), 0 deletions(-)
|
||||
```
|
||||
5. Double-check that you've removed everything you wanted to from your repository's history, and that all of your branches are checked out.
|
||||
6. Once you're happy with the state of your repository, force-push your local changes to overwrite your {% data variables.product.product_name %} repository, as well as all the branches you've pushed up:
|
||||
```shell
|
||||
$ git push origin --force --all
|
||||
> Counting objects: 1074, done.
|
||||
> Delta compression using 2 threads.
|
||||
> Compressing objects: 100% (677/677), done.
|
||||
> Writing objects: 100% (1058/1058), 148.85 KiB, done.
|
||||
> Total 1058 (delta 590), reused 602 (delta 378)
|
||||
> To https://{% data variables.command_line.codeblock %}/<em>YOUR-USERNAME</em>/<em>YOUR-REPOSITORY</em>.git
|
||||
> + 48dc599...051452f main -> main (forced update)
|
||||
```
|
||||
7. In order to remove the sensitive file from [your tagged releases](/articles/about-releases), you'll also need to force-push against your Git tags:
|
||||
```shell
|
||||
$ git push origin --force --tags
|
||||
> Counting objects: 321, done.
|
||||
> Delta compression using up to 8 threads.
|
||||
> Compressing objects: 100% (166/166), done.
|
||||
> Writing objects: 100% (321/321), 331.74 KiB | 0 bytes/s, done.
|
||||
> Total 321 (delta 124), reused 269 (delta 108)
|
||||
> To https://{% data variables.command_line.codeblock %}/<em>YOUR-USERNAME</em>/<em>YOUR-REPOSITORY</em>.git
|
||||
> + 48dc599...051452f main -> main (forced update)
|
||||
```
|
||||
8. Contact {% data variables.contact.contact_support %}, asking them to remove cached views and references to the sensitive data in pull requests on {% data variables.product.product_name %}.
|
||||
9. Tell your collaborators to [rebase](https://git-scm.com/book/en/Git-Branching-Rebasing), *not* merge, any branches they created off of your old (tainted) repository history. One merge commit could reintroduce some or all of the tainted history that you just went to the trouble of purging.
|
||||
10. After some time has passed and you're confident that `git filter-branch` had no unintended side effects, you can force all objects in your local repository to be dereferenced and garbage collected with the following commands (using Git 1.8.5 or newer):
|
||||
```shell
|
||||
$ git for-each-ref --format="delete %(refname)" refs/original | git update-ref --stdin
|
||||
$ git reflog expire --expire=now --all
|
||||
$ git gc --prune=now
|
||||
> Counting objects: 2437, done.
|
||||
> Delta compression using up to 4 threads.
|
||||
> Compressing objects: 100% (1378/1378), done.
|
||||
> Writing objects: 100% (2437/2437), done.
|
||||
> Total 2437 (delta 1461), reused 1802 (delta 1048)
|
||||
```
|
||||
{% note %}
|
||||
|
||||
**Note:** You can also achieve this by pushing your filtered history to a new or empty repository and then making a fresh clone from {% data variables.product.product_name %}.
|
||||
|
||||
{% endnote %}
|
||||
|
||||
### Avoiding accidental commits in the future
|
||||
|
||||
There are a few simple tricks to avoid committing things you don't want committed:
|
||||
|
||||
- Use a visual program like [{% data variables.product.prodname_desktop %}](https://desktop.github.com/) or [gitk](https://git-scm.com/docs/gitk) to commit changes. Visual programs generally make it easier to see exactly which files will be added, deleted, and modified with each commit.
|
||||
- Avoid the catch-all commands `git add .` and `git commit -a` on the command line—use `git add filename` and `git rm filename` to individually stage files, instead.
|
||||
- Use `git add --interactive` to individually review and stage changes within each file.
|
||||
- Use `git diff --cached` to review the changes that you have staged for commit. This is the exact diff that `git commit` will produce as long as you don't use the `-a` flag.
|
||||
|
||||
### Further reading
|
||||
|
||||
- [`git filter-branch` man page](https://git-scm.com/docs/git-filter-branch)
|
||||
- [Pro Git: Git Tools - Rewriting History](https://git-scm.com/book/en/Git-Tools-Rewriting-History)
|
||||
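Review bot: In the warning under "Using filter-branch", the command given to "unstash the last set of changes you've stashed" is `git stash show -p | git apply -R`, but that pipeline applies the stash's diff in reverse, which backs the stashed changes out of the working tree rather than restoring them. For the stated purpose the text should use `git stash pop` or `git stash apply`. Also, the sample output under step 7 (`git push origin --force --tags`) ends with `+ 48dc599...051452f main -> main (forced update)`, which is the branch update copied from step 6 and not what a tags push reports. Step 5's "that all of your branches are checked out" is unclear about what the reader should actually verify.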
@@ -0,0 +1,23 @@
|
||||
---
|
||||
title: Reviewing your authorized applications (OAuth)
|
||||
intro: 'You should review your authorized applications to verify that no new applications with expansive permissions are authorized, such as those that have access to your private repositories.'
|
||||
redirect_from:
|
||||
- /articles/reviewing-your-authorized-applications-oauth
|
||||
- /github/authenticating-to-github/reviewing-your-authorized-applications-oauth
|
||||
versions:
|
||||
free-pro-team: '*'
|
||||
enterprise-server: '*'
|
||||
github-ae: '*'
|
||||
topics:
|
||||
- Identity
|
||||
- Access management
|
||||
---
|
||||
{% data reusables.user_settings.access_settings %}
|
||||
{% data reusables.user_settings.access_applications %}
|
||||
{% data reusables.user_settings.access_authorized_oauth_apps %}
|
||||
{% data reusables.user_settings.review-oauth-apps %}
|
||||
|
||||
### Further reading
|
||||
{% if currentVersion == "free-pro-team@latest" %}
|
||||
- "[About integrations](/articles/about-integrations)"{% endif %}
|
||||
- "[Reviewing your authorized integrations](/articles/reviewing-your-authorized-integrations)"
|
||||
@@ -0,0 +1,34 @@
|
||||
---
|
||||
title: Reviewing your authorized integrations
|
||||
intro: You can review your authorized integrations to audit the access that each integration has to your account and data.
|
||||
redirect_from:
|
||||
- /articles/reviewing-your-authorized-integrations
|
||||
- /github/authenticating-to-github/reviewing-your-authorized-integrations
|
||||
versions:
|
||||
free-pro-team: '*'
|
||||
enterprise-server: '*'
|
||||
github-ae: '*'
|
||||
topics:
|
||||
- Identity
|
||||
- Access management
|
||||
---
|
||||
### Reviewing your authorized {% data variables.product.prodname_oauth_app %}s
|
||||
|
||||
{% data reusables.user_settings.access_settings %}
|
||||
{% data reusables.user_settings.access_applications %}
|
||||
{% data reusables.user_settings.access_authorized_oauth_apps %}
|
||||
{% data reusables.user_settings.review-oauth-apps %}
|
||||
|
||||
### Reviewing your authorized {% data variables.product.prodname_github_app %}s
|
||||
|
||||
{% data reusables.user_settings.access_settings %}
|
||||
{% data reusables.user_settings.access_applications %}
|
||||
3. Click the **Authorized {% data variables.product.prodname_github_app %}s** tab.
|
||||

|
||||
3. Review the {% data variables.product.prodname_github_app %}s that have access to your account. For those that you don't recognize or that are out of date, click **Revoke**. To revoke all {% data variables.product.prodname_github_app %}s, click **Revoke all**.
|
||||

|
||||
|
||||
### Further reading
|
||||
{% if currentVersion == "free-pro-team@latest" %}
|
||||
- "[About integrations](/articles/about-integrations)"{% endif %}
|
||||
- "[Reviewing your authorized applications (OAuth)](/articles/reviewing-your-authorized-applications-oauth)"
|
||||
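Review bot: Under "Reviewing your authorized GitHub Apps" two consecutive steps are both numbered `3.` ("Click the **Authorized ... Apps** tab" and "Review the ... Apps that have access to your account"); the second should be `4.`. The OAuth section above is built from the same four reusables as the separate "Reviewing your authorized applications (OAuth)" page in this patch, so consider linking to that page instead of repeating the procedure in two places.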
@@ -0,0 +1,22 @@
|
||||
---
|
||||
title: Reviewing your deploy keys
|
||||
intro: You should review deploy keys to ensure that there aren't any unauthorized (or possibly compromised) keys. You can also approve existing deploy keys that are valid.
|
||||
redirect_from:
|
||||
- /articles/reviewing-your-deploy-keys
|
||||
- /github/authenticating-to-github/reviewing-your-deploy-keys
|
||||
versions:
|
||||
free-pro-team: '*'
|
||||
enterprise-server: '*'
|
||||
github-ae: '*'
|
||||
topics:
|
||||
- Identity
|
||||
- Access management
|
||||
---
|
||||
{% data reusables.repositories.navigate-to-repo %}
|
||||
{% data reusables.repositories.sidebar-settings %}
|
||||
3. In the left sidebar, click **Deploy keys**.
|
||||

|
||||
4. On the Deploy keys page, take note of the deploy keys associated with your account. For those that you don't recognize, or that are out-of-date, click **Delete**. If there are valid deploy keys you'd like to keep, click **Approve**.
|
||||

|
||||
|
||||
For more information, see "[Managing deploy keys](/guides/managing-deploy-keys)."
|
||||
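Review bot: Step 4 says to "take note of the deploy keys associated with your account", but the preceding steps navigate to a repository and open its settings, so the keys listed are the ones attached to that repository. Suggest "associated with your repository" and a sentence reminding the reader to repeat the check for each repository they own. "out-of-date" should also read "out of date" here, matching the wording used in the authorized integrations page.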
@@ -0,0 +1,272 @@
|
||||
---
|
||||
title: Reviewing your security log
|
||||
intro: You can review the security log for your user account to better understand actions you've performed and actions others have performed that involve you.
|
||||
miniTocMaxHeadingLevel: 4
|
||||
redirect_from:
|
||||
- /articles/reviewing-your-security-log
|
||||
- /github/authenticating-to-github/reviewing-your-security-log
|
||||
versions:
|
||||
free-pro-team: '*'
|
||||
enterprise-server: '*'
|
||||
github-ae: '*'
|
||||
topics:
|
||||
- Identity
|
||||
- Access management
|
||||
---
|
||||
### Accessing your security log
|
||||
|
||||
The security log lists all actions performed within the last 90 days{% if currentVersion ver_lt "enterprise-server@2.20" %}, up to 50{% endif %}.
|
||||
|
||||
{% data reusables.user_settings.access_settings %}
|
||||
{% if currentVersion == "free-pro-team@latest" or currentVersion == "github-ae@latest" or currentVersion ver_gt "enterprise-server@2.19" %}
|
||||
2. In the user settings sidebar, click **Security log**.
|
||||

|
||||
{% else %}
|
||||
{% data reusables.user_settings.security %}
|
||||
3. Under "Security history," your log is displayed.
|
||||

|
||||
4. Click on an entry to see more information about the event.
|
||||

|
||||
{% endif %}
|
||||
|
||||
{% if currentVersion == "free-pro-team@latest" or currentVersion == "github-ae@latest" or currentVersion ver_gt "enterprise-server@2.19" %}
|
||||
### Searching your security log
|
||||
|
||||
{% data reusables.audit_log.audit-log-search %}
|
||||
|
||||
#### Search based on the action performed
|
||||
{% else %}
|
||||
### Understanding events in your security log
|
||||
{% endif %}
|
||||
|
||||
The events listed in your security log are triggered by your actions. Actions are grouped into the following categories:
|
||||
|
||||
| Category name | Description
|
||||
|------------------|-------------------{% if currentVersion == "free-pro-team@latest" %}
|
||||
| [`account_recovery_token`](#account_recovery_token-category-actions) | Contains all activities related to [adding a recovery token](/articles/configuring-two-factor-authentication-recovery-methods).
|
||||
| [`billing`](#billing-category-actions) | Contains all activities related to your billing information.
|
||||
| [`codespaces`](#codespaces-category-actions) | Contains all activities related to {% data variables.product.prodname_codespaces %}. For more information, see "[About {% data variables.product.prodname_codespaces %}](/github/developing-online-with-codespaces/about-codespaces)."
|
||||
| [`marketplace_agreement_signature`](#marketplace_agreement_signature-category-actions) | Contains all activities related to signing the {% data variables.product.prodname_marketplace %} Developer Agreement.
|
||||
| [`marketplace_listing`](#marketplace_listing-category-actions) | Contains all activities related to listing apps in {% data variables.product.prodname_marketplace %}.{% endif %}
|
||||
| [`oauth_access`](#oauth_access-category-actions) | Contains all activities related to [{% data variables.product.prodname_oauth_app %}s](/articles/authorizing-oauth-apps) you've connected with.{% if currentVersion == "free-pro-team@latest" %}
|
||||
| [`payment_method`](#payment_method-category-actions) | Contains all activities related to paying for your {% data variables.product.prodname_dotcom %} subscription.{% endif %}
|
||||
| [`profile_picture`](#profile_picture-category-actions) | Contains all activities related to your profile picture.
|
||||
| [`project`](#project-category-actions) | Contains all activities related to project boards.
|
||||
| [`public_key`](#public_key-category-actions) | Contains all activities related to [your public SSH keys](/articles/adding-a-new-ssh-key-to-your-github-account).
|
||||
| [`repo`](#repo-category-actions) | Contains all activities related to the repositories you own.{% if currentVersion == "free-pro-team@latest" %}
|
||||
| [`sponsors`](#sponsors-category-actions) | Contains all events related to {% data variables.product.prodname_sponsors %} and sponsor buttons (see "[About {% data variables.product.prodname_sponsors %}](/sponsors/getting-started-with-github-sponsors/about-github-sponsors)" and "[Displaying a sponsor button in your repository](/articles/displaying-a-sponsor-button-in-your-repository)"){% endif %}{% if enterpriseServerVersions contains currentVersion or currentVersion == "github-ae@latest" %}
|
||||
| [`team`](#team-category-actions) | Contains all activities related to teams you are a part of.{% endif %}{% if currentVersion != "github-ae@latest" %}
|
||||
| [`two_factor_authentication`](#two_factor_authentication-category-actions) | Contains all activities related to [two-factor authentication](/articles/securing-your-account-with-two-factor-authentication-2fa).{% endif %}
|
||||
| [`user`](#user-category-actions) | Contains all activities related to your account.
|
||||
|
||||
{% if currentVersion == "free-pro-team@latest" %}
|
||||
|
||||
### Exporting your security log
|
||||
|
||||
{% data reusables.audit_log.export-log %}
|
||||
{% data reusables.audit_log.exported-log-keys-and-values %}
|
||||
|
||||
{% endif %}
|
||||
|
||||
### Security log actions
|
||||
|
||||
An overview of some of the most common actions that are recorded as events in the security log.
|
||||
|
||||
{% if currentVersion == "free-pro-team@latest" %}
|
||||
|
||||
#### `account_recovery_token` category actions
|
||||
|
||||
| Action | Description
|
||||
|------------------|-------------------
|
||||
| `confirm` | Triggered when you successfully [store a new token with a recovery provider](/articles/configuring-two-factor-authentication-recovery-methods).
|
||||
| `recover` | Triggered when you successfully [redeem an account recovery token](/articles/recovering-your-account-if-you-lose-your-2fa-credentials).
|
||||
| `recover_error` | Triggered when a token is used but {% data variables.product.prodname_dotcom %} is not able to validate it.
|
||||
|
||||
#### `billing` category actions
|
||||
|
||||
| Action | Description
|
||||
|------------------|-------------------
|
||||
| `change_billing_type` | Triggered when you [change how you pay](/articles/adding-or-editing-a-payment-method) for {% data variables.product.prodname_dotcom %}.
|
||||
| `change_email` | Triggered when you [change your email address](/articles/changing-your-primary-email-address).
|
||||
|
||||
#### `codespaces` category actions
|
||||
|
||||
| Action | Description
|
||||
|------------------|-------------------
|
||||
| `create` | Triggered when you [create a codespace](/github/developing-online-with-codespaces/creating-a-codespace).
|
||||
| `resume` | Triggered when you resume a suspended codespace.
|
||||
| `delete` | Triggered when you [delete a codespace](/github/developing-online-with-codespaces/deleting-a-codespace).
|
||||
| `manage_access_and_security` | Triggered when you update [the repositories a codespace has access to](/github/developing-online-with-codespaces/managing-access-and-security-for-codespaces).
|
||||
| `trusted_repositories_access_update` | Triggered when you change your user account's [access and security setting for {% data variables.product.prodname_codespaces %}](/github/developing-online-with-codespaces/managing-access-and-security-for-codespaces).
|
||||
|
||||
#### `marketplace_agreement_signature` category actions
|
||||
|
||||
| Action | Description
|
||||
|------------------|-------------------
|
||||
| `create` | Triggered when you sign the {% data variables.product.prodname_marketplace %} Developer Agreement.
|
||||
|
||||
#### `marketplace_listing` category actions
|
||||
|
||||
| Action | Description
|
||||
|------------------|-------------------
|
||||
| `approve` | Triggered when your listing is approved for inclusion in {% data variables.product.prodname_marketplace %}.
|
||||
| `create` | Triggered when you create a listing for your app in {% data variables.product.prodname_marketplace %}.
|
||||
| `delist` | Triggered when your listing is removed from {% data variables.product.prodname_marketplace %}.
|
||||
| `redraft` | Triggered when your listing is sent back to draft state.
|
||||
| `reject` | Triggered when your listing is not accepted for inclusion in {% data variables.product.prodname_marketplace %}.
|
||||
|
||||
{% endif %}
|
||||
|
||||
#### `oauth_access` category actions
|
||||
|
||||
| Action | Description
|
||||
|------------------|-------------------
|
||||
| `create` | Triggered when you [grant access to an {% data variables.product.prodname_oauth_app %}](/articles/authorizing-oauth-apps).
|
||||
| `destroy` | Triggered when you [revoke an {% data variables.product.prodname_oauth_app %}'s access to your account](/articles/reviewing-your-authorized-integrations).
|
||||
|
||||
{% if currentVersion == "free-pro-team@latest" %}
|
||||
|
||||
#### `payment_method` category actions
|
||||
|
||||
| Action | Description
|
||||
|------------------|-------------------
|
||||
| `clear` | Triggered when [a payment method](/articles/removing-a-payment-method) on file is removed.
|
||||
| `create` | Triggered when a new payment method is added, such as a new credit card or PayPal account.
|
||||
| `update` | Triggered when an existing payment method is updated.
|
||||
|
||||
{% endif %}
|
||||
|
||||
#### `profile_picture` category actions
|
||||
|
||||
| Action | Description
|
||||
|------------------|-------------------
|
||||
| `update` | Triggered when you [set or update your profile picture](/articles/setting-your-profile-picture/).
|
||||
|
||||
#### `project` category actions
|
||||
|
||||
| Action | Description
|
||||
|--------------------|---------------------
|
||||
| `access` | Triggered when a project board's visibility is changed.
|
||||
| `create` | Triggered when a project board is created.
|
||||
| `rename` | Triggered when a project board is renamed.
|
||||
| `update` | Triggered when a project board is updated.
|
||||
| `delete` | Triggered when a project board is deleted.
|
||||
| `link` | Triggered when a repository is linked to a project board.
|
||||
| `unlink` | Triggered when a repository is unlinked from a project board.
|
||||
| `update_user_permission` | Triggered when an outside collaborator is added to or removed from a project board or has their permission level changed.
|
||||
|
||||
#### `public_key` category actions
|
||||
|
||||
| Action | Description
|
||||
|------------------|-------------------
|
||||
| `create` | Triggered when you [add a new public SSH key to your {% data variables.product.product_name %} account](/articles/adding-a-new-ssh-key-to-your-github-account).
|
||||
| `delete` | Triggered when you [remove a public SSH key to your {% data variables.product.product_name %} account](/articles/reviewing-your-ssh-keys).
|
||||
|
||||
#### `repo` category actions
|
||||
|
||||
| Action | Description
|
||||
|------------------|-------------------
|
||||
| `access` | Triggered when you a repository you own is [switched from "private" to "public"](/articles/making-a-private-repository-public) (or vice versa).
|
||||
| `add_member` | Triggered when a {% data variables.product.product_name %} user is {% if currentVersion == "free-pro-team@latest" %}[invited to have collaboration access](/articles/inviting-collaborators-to-a-personal-repository){% else %}[given collaboration access](/articles/inviting-collaborators-to-a-personal-repository){% endif %} to a repository.
|
||||
| `add_topic` | Triggered when a repository owner [adds a topic](/articles/classifying-your-repository-with-topics) to a repository.
|
||||
| `archived` | Triggered when a repository owner [archives a repository](/articles/about-archiving-repositories).{% if enterpriseServerVersions contains currentVersion %}
|
||||
| `config.disable_anonymous_git_access` | Triggered when [anonymous Git read access is disabled](/enterprise/{{ currentVersion }}/user/articles/enabling-anonymous-git-read-access-for-a-repository) in a public repository.
|
||||
| `config.enable_anonymous_git_access` | Triggered when [anonymous Git read access is enabled](/enterprise/{{ currentVersion }}/user/articles/enabling-anonymous-git-read-access-for-a-repository) in a public repository.
|
||||
| `config.lock_anonymous_git_access` | Triggered when a repository's [anonymous Git read access setting is locked](/enterprise/{{ currentVersion }}/admin/guides/user-management/preventing-users-from-changing-anonymous-git-read-access).
|
||||
| `config.unlock_anonymous_git_access` | Triggered when a repository's [anonymous Git read access setting is unlocked](/enterprise/{{ currentVersion }}/admin/guides/user-management/preventing-users-from-changing-anonymous-git-read-access).{% endif %}
|
||||
| `create` | Triggered when [a new repository is created](/articles/creating-a-new-repository).
|
||||
| `destroy` | Triggered when [a repository is deleted](/articles/deleting-a-repository).{% if currentVersion == "free-pro-team@latest" %}
|
||||
| `disable` | Triggered when a repository is disabled (e.g., for [insufficient funds](/articles/unlocking-a-locked-account)).{% endif %}{% if currentVersion == "free-pro-team@latest" %}
|
||||
| `enable` | Triggered when a repository is re-enabled.{% endif %}
|
||||
| `remove_member` | Triggered when a {% data variables.product.product_name %} user is [removed from a repository as a collaborator](/articles/removing-a-collaborator-from-a-personal-repository).
|
||||
| `remove_topic` | Triggered when a repository owner removes a topic from a repository.
|
||||
| `rename` | Triggered when [a repository is renamed](/articles/renaming-a-repository).
|
||||
| `transfer` | Triggered when [a repository is transferred](/articles/how-to-transfer-a-repository).
|
||||
| `transfer_start` | Triggered when a repository transfer is about to occur.
|
||||
| `unarchived` | Triggered when a repository owner unarchives a repository.
|
||||
|
||||
{% if currentVersion == "free-pro-team@latest" %}
|
||||
#### `sponsors` category actions
|
||||
|
||||
| Action | Description
|
||||
|------------------|-------------------
|
||||
| `custom_amount_settings_change` | Triggered when you enable or disable custom amounts, or when you change the suggested custom amount (see "[Managing your sponsorship tiers](/github/supporting-the-open-source-community-with-github-sponsors/managing-your-sponsorship-tiers)")
|
||||
| `repo_funding_links_file_action` | Triggered when you change the FUNDING file in your repository (see "[Displaying a sponsor button in your repository](/articles/displaying-a-sponsor-button-in-your-repository)")
|
||||
| `sponsor_sponsorship_cancel` | Triggered when you cancel a sponsorship (see "[Downgrading a sponsorship](/articles/downgrading-a-sponsorship)")
|
||||
| `sponsor_sponsorship_create` | Triggered when you sponsor an account (see "[Sponsoring an open source contributor](/sponsors/sponsoring-open-source-contributors/sponsoring-an-open-source-contributor)")
|
||||
| `sponsor_sponsorship_preference_change` | Triggered when you change whether you receive email updates from a sponsored developer (see "[Managing your sponsorship](/sponsors/sponsoring-open-source-contributors/managing-your-sponsorship)")
|
||||
| `sponsor_sponsorship_tier_change` | Triggered when you upgrade or downgrade your sponsorship (see "[Upgrading a sponsorship](/articles/upgrading-a-sponsorship)" and "[Downgrading a sponsorship](/articles/downgrading-a-sponsorship)")
|
||||
| `sponsored_developer_approve` | Triggered when your {% data variables.product.prodname_sponsors %} account is approved (see "[Setting up {% data variables.product.prodname_sponsors %} for your user account](/sponsors/receiving-sponsorships-through-github-sponsors/setting-up-github-sponsors-for-your-user-account)")
|
||||
| `sponsored_developer_create` | Triggered when your {% data variables.product.prodname_sponsors %} account is created (see "[Setting up {% data variables.product.prodname_sponsors %} for your user account](/sponsors/receiving-sponsorships-through-github-sponsors/setting-up-github-sponsors-for-your-user-account)")
|
||||
| `sponsored_developer_disable` | Triggered when your {% data variables.product.prodname_sponsors %} account is disabled
|
||||
| `sponsored_developer_redraft` | Triggered when your {% data variables.product.prodname_sponsors %} account is returned to draft state from approved state
|
||||
| `sponsored_developer_profile_update` | Triggered when you edit your sponsored developer profile (see "[Editing your profile details for {% data variables.product.prodname_sponsors %}](/sponsors/receiving-sponsorships-through-github-sponsors/editing-your-profile-details-for-github-sponsors)")
|
||||
| `sponsored_developer_request_approval` | Triggered when you submit your application for {% data variables.product.prodname_sponsors %} for approval (see "[Setting up {% data variables.product.prodname_sponsors %} for your user account](/sponsors/receiving-sponsorships-through-github-sponsors/setting-up-github-sponsors-for-your-user-account)")
|
||||
| `sponsored_developer_tier_description_update` | Triggered when you change the description for a sponsorship tier (see "[Managing your sponsorship tiers](/sponsors/receiving-sponsorships-through-github-sponsors/managing-your-sponsorship-tiers)")
|
||||
| `sponsored_developer_update_newsletter_send` | Triggered when you send an email update to your sponsors (see "[Contacting your sponsors](/sponsors/receiving-sponsorships-through-github-sponsors/contacting-your-sponsors)")
|
||||
| `waitlist_invite_sponsored_developer` | Triggered when you are invited to join {% data variables.product.prodname_sponsors %} from the waitlist (see "[Setting up {% data variables.product.prodname_sponsors %} for your user account](/sponsors/receiving-sponsorships-through-github-sponsors/setting-up-github-sponsors-for-your-user-account)")
|
||||
| `waitlist_join` | Triggered when you join the waitlist to become a sponsored developer (see "[Setting up {% data variables.product.prodname_sponsors %} for your user account](/sponsors/receiving-sponsorships-through-github-sponsors/setting-up-github-sponsors-for-your-user-account)")
|
||||
{% endif %}
|
||||
|
||||
{% if currentVersion == "free-pro-team@latest" %}
|
||||
#### `successor_invitation` category actions
|
||||
|
||||
| Action | Description
|
||||
|------------------|-------------------
|
||||
| `accept` | Triggered when you accept a succession invitation (see "[Maintaining ownership continuity of your user account's repositories](/github/setting-up-and-managing-your-github-user-account/maintaining-ownership-continuity-of-your-user-accounts-repositories)")
|
||||
| `cancel` | Triggered when you cancel a succession invitation (see "[Maintaining ownership continuity of your user account's repositories](/github/setting-up-and-managing-your-github-user-account/maintaining-ownership-continuity-of-your-user-accounts-repositories)")
|
||||
| `create` | Triggered when you create a succession invitation (see "[Maintaining ownership continuity of your user account's repositories](/github/setting-up-and-managing-your-github-user-account/maintaining-ownership-continuity-of-your-user-accounts-repositories)")
|
||||
| `decline` | Triggered when you decline a succession invitation (see "[Maintaining ownership continuity of your user account's repositories](/github/setting-up-and-managing-your-github-user-account/maintaining-ownership-continuity-of-your-user-accounts-repositories)")
|
||||
| `revoke` | Triggered when you revoke a succession invitation (see "[Maintaining ownership continuity of your user account's repositories](/github/setting-up-and-managing-your-github-user-account/maintaining-ownership-continuity-of-your-user-accounts-repositories)")
|
||||
{% endif %}
|
||||
|
||||
{% if enterpriseServerVersions contains currentVersion or currentVersion == "github-ae@latest" %}
|
||||
|
||||
#### `team` category actions
|
||||
|
||||
| Action | Description
|
||||
|------------------|-------------------
|
||||
| `add_member` | Triggered when a member of an organization you belong to [adds you to a team](/articles/adding-organization-members-to-a-team).
|
||||
| `add_repository` | Triggered when a team you are a member of is given control of a repository.
|
||||
| `create` | Triggered when a new team in an organization you belong to is created.
|
||||
| `destroy` | Triggered when a team you are a member of is deleted from the organization.
|
||||
| `remove_member` | Triggered when a member of an organization is [removed from a team](/articles/removing-organization-members-from-a-team) you are a member of.
|
||||
| `remove_repository` | Triggered when a repository is no longer under a team's control.
|
||||
|
||||
{% endif %}
|
||||
|
||||
{% if currentVersion != "github-ae@latest" %}
|
||||
#### `two_factor_authentication` category actions
|
||||
|
||||
| Action | Description
|
||||
|------------------|-------------------
|
||||
| `enabled` | Triggered when [two-factor authentication](/articles/securing-your-account-with-two-factor-authentication-2fa) is enabled.
|
||||
| `disabled` | Triggered when two-factor authentication is disabled.
|
||||
{% endif %}
|
||||
|
||||
#### `user` category actions
|
||||
|
||||
| Action | Description
|
||||
|--------------------|---------------------
|
||||
| `add_email` | Triggered when you {% if currentVersion != "github-ae@latest" %}[add a new email address](/articles/changing-your-primary-email-address){% else %}add a new email address{% endif %}.{% if currentVersion == "free-pro-team@latest" %}
|
||||
| `codespaces_trusted_repo_access_granted` | Triggered when you [allow the codespaces you create for a repository to access other repositories owned by your user account](/github/developing-online-with-codespaces/managing-access-and-security-for-codespaces.
|
||||
| `codespaces_trusted_repo_access_revoked` | Triggered when you [disallow the codespaces you create for a repository to access other repositories owned by your user account](/github/developing-online-with-codespaces/managing-access-and-security-for-codespaces. {% endif %}
|
||||
| `create` | Triggered when you create a new user account.{% if currentVersion != "github-ae@latest" %}
|
||||
| `change_password` | Triggered when you change your password.
|
||||
| `forgot_password` | Triggered when you ask for [a password reset](/articles/how-can-i-reset-my-password).{% endif %}
|
||||
| `hide_private_contributions_count` | Triggered when you [hide private contributions on your profile](/articles/publicizing-or-hiding-your-private-contributions-on-your-profile).
|
||||
| `login` | Triggered when you log in to {% data variables.product.product_location %}.{% if currentVersion ver_gt "enterprise-server@2.22" or currentVersion == "github-ae@latest" %}
|
||||
`mandatory_message_viewed` | Triggered when you view a mandatory message (see "[Customizing user messages](/admin/user-management/customizing-user-messages-for-your-enterprise)" for details) | {% endif %}
|
||||
| `failed_login` | Triggered when you failed to log in successfully.
|
||||
| `remove_email` | Triggered when you remove an email address.
|
||||
| `rename` | Triggered when you rename your account.{% if currentVersion == "free-pro-team@latest" %}
|
||||
| `report_content` | Triggered when you [report an issue or pull request, or a comment on an issue, pull request, or commit](/communities/maintaining-your-safety-on-github/reporting-abuse-or-spam).{% endif %}
|
||||
| `show_private_contributions_count` | Triggered when you [publicize private contributions on your profile](/articles/publicizing-or-hiding-your-private-contributions-on-your-profile).{% if currentVersion != "github-ae@latest" %}
|
||||
| `two_factor_requested` | Triggered when {% data variables.product.product_name %} asks you for [your two-factor authentication code](/articles/accessing-github-using-two-factor-authentication).{% endif %}
|
||||
|
||||
#### `user_status` category actions
|
||||
|
||||
| Action | Description
|
||||
|--------------------|---------------------
|
||||
| `update` | Triggered when you set or change the status on your profile. For more information, see "[Setting a status](/articles/personalizing-your-profile/#setting-a-status)."
|
||||
| `destroy` | Triggered when you clear the status on your profile.
|
||||
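Review bot: In the `user` table, the `codespaces_trusted_repo_access_granted` and `codespaces_trusted_repo_access_revoked` rows open a Markdown link to `/github/developing-online-with-codespaces/managing-access-and-security-for-codespaces` but never close it with `)`, so neither link will render; add the closing parenthesis before the final period. In the same table the `mandatory_message_viewed` row has no leading `|` and ends with `| {% endif %}`, unlike every other row, so it should start with `|` and carry the `{% endif %}` the way the neighbouring rows do. Two wording slips are also worth fixing while here: the `repo` `access` row reads "Triggered when you a repository you own is" (stray "you"), and the `public_key` `delete` row reads "remove a public SSH key to your" account where "from" is meant. In the `repo` table, the `disable` row closes one `free-pro-team@latest` conditional and immediately opens another with the same test; a single conditional around `disable` and `enable` would be easier to maintain.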
@@ -0,0 +1,139 @@
|
||||
---
|
||||
title: Reviewing your SSH keys
|
||||
intro: 'To keep your credentials secure, you should regularly audit your SSH keys, deploy keys, and review authorized applications that access your {% data variables.product.product_name %} account.'
|
||||
redirect_from:
|
||||
- /articles/keeping-your-application-access-tokens-safe/
|
||||
- /articles/keeping-your-ssh-keys-and-application-access-tokens-safe/
|
||||
- /articles/reviewing-your-ssh-keys
|
||||
- /github/authenticating-to-github/reviewing-your-ssh-keys
|
||||
versions:
|
||||
free-pro-team: '*'
|
||||
enterprise-server: '*'
|
||||
github-ae: '*'
|
||||
topics:
|
||||
- Identity
|
||||
- Access management
|
||||
---
|
||||
You can delete unauthorized (or possibly compromised) SSH keys to ensure that an attacker no longer has access to your repositories. You can also approve existing SSH keys that are valid.
|
||||
|
||||
{% mac %}
|
||||
|
||||
{% data reusables.user_settings.access_settings %}
|
||||
{% data reusables.user_settings.ssh %}
|
||||
3. On the SSH Settings page, take note of the SSH keys associated with your account. For those that you don't recognize, or that are out-of-date, click **Delete**. If there are valid SSH keys you'd like to keep, click **Approve**.
|
||||

|
||||
|
||||
{% tip %}
|
||||
|
||||
**Note:** If you're auditing your SSH keys due to an unsuccessful Git operation, the unverified key that caused the [SSH key audit error](/articles/error-we-re-doing-an-ssh-key-audit) will be highlighted in the list of SSH keys.
|
||||
|
||||
{% endtip %}
|
||||
|
||||
4. Open Terminal.
|
||||
|
||||
5. {% data reusables.command_line.start_ssh_agent %}
|
||||
|
||||
6. Find and take a note of your public key fingerprint. {% if currentVersion ver_lt "enterprise-server@3.0" %}If you're using OpenSSH 6.7 or older:
|
||||
```shell
|
||||
$ ssh-add -l
|
||||
> 2048 <em>a0:dd:42:3c:5a:9d:e4:2a:21:52:4e:78:07:6e:c8:4d</em> /Users/<em>USERNAME</em>/.ssh/id_rsa (RSA)
|
||||
```
|
||||
|
||||
If you're using OpenSSH 6.8 or newer:
|
||||
```shell
|
||||
$ ssh-add -l -E md5
|
||||
> 2048 <em>MD5:a0:dd:42:3c:5a:9d:e4:2a:21:52:4e:78:07:6e:c8:4d</em> /Users/<em>USERNAME</em>/.ssh/id_rsa (RSA)
|
||||
```
|
||||
{% else %}
|
||||
```shell
|
||||
$ ssh-add -l -E sha256
|
||||
> 2048 <em>SHA256:274ffWxgaxq/tSINAykStUL7XWyRNcRTlcST1Ei7gBQ</em> /Users/<em>USERNAME</em>/.ssh/id_rsa (RSA)
|
||||
```{% endif %}
|
||||
|
||||
7. The SSH keys on {% data variables.product.product_name %} *should* match the same keys on your computer.
|
||||
|
||||
{% endmac %}
|
||||
|
||||
{% windows %}
|
||||
|
||||
{% data reusables.user_settings.access_settings %}
|
||||
{% data reusables.user_settings.ssh %}
|
||||
3. On the SSH Settings page, take note of the SSH keys associated with your account. For those that you don't recognize, or that are out-of-date, click **Delete**. If there are valid SSH keys you'd like to keep, click **Approve**.
|
||||

|
||||
|
||||
{% tip %}
|
||||
|
||||
**Note:** If you're auditing your SSH keys due to an unsuccessful Git operation, the unverified key that caused the [SSH key audit error](/articles/error-we-re-doing-an-ssh-key-audit) will be highlighted in the list of SSH keys.
|
||||
|
||||
{% endtip %}
|
||||
|
||||
4. Open Git Bash. If you're using Git Shell, which is included in {% data variables.product.prodname_desktop %}, open Git Shell and skip to step 6.
|
||||
|
||||
5. {% data reusables.desktop.windows_git_bash_turn_on_ssh_agent %}
|
||||
|
||||
{% data reusables.desktop.windows_git_for_windows_turn_on_ssh_agent %}
|
||||
|
||||
6. Find and take a note of your public key fingerprint. {% if currentVersion ver_lt "enterprise-server@3.0" %}If you're using OpenSSH 6.7 or older:
|
||||
```shell
|
||||
$ ssh-add -l
|
||||
> 2048 <em>a0:dd:42:3c:5a:9d:e4:2a:21:52:4e:78:07:6e:c8:4d</em> /Users/<em>USERNAME</em>/.ssh/id_rsa (RSA)
|
||||
```
|
||||
|
||||
If you're using OpenSSH 6.8 or newer:
|
||||
```shell
|
||||
$ ssh-add -l -E md5
|
||||
> 2048 <em>MD5:a0:dd:42:3c:5a:9d:e4:2a:21:52:4e:78:07:6e:c8:4d</em> /Users/<em>USERNAME</em>/.ssh/id_rsa (RSA)
|
||||
```
|
||||
{% else %}
|
||||
```shell
|
||||
$ ssh-add -l -E sha256
|
||||
> 2048 <em>SHA256:274ffWxgaxq/tSINAykStUL7XWyRNcRTlcST1Ei7gBQ</em> /Users/<em>USERNAME</em>/.ssh/id_rsa (RSA)
|
||||
```{% endif %}
|
||||
|
||||
7. The SSH keys on {% data variables.product.product_name %} *should* match the same keys on your computer.
|
||||
|
||||
{% endwindows %}
|
||||
|
||||
{% linux %}
|
||||
|
||||
{% data reusables.user_settings.access_settings %}
|
||||
{% data reusables.user_settings.ssh %}
|
||||
3. On the SSH Settings page, take note of the SSH keys associated with your account. For those that you don't recognize, or that are out-of-date, click **Delete**. If there are valid SSH keys you'd like to keep, click **Approve**.
|
||||

|
||||
|
||||
{% tip %}
|
||||
|
||||
**Note:** If you're auditing your SSH keys due to an unsuccessful Git operation, the unverified key that caused the [SSH key audit error](/articles/error-we-re-doing-an-ssh-key-audit) will be highlighted in the list of SSH keys.
|
||||
|
||||
{% endtip %}
|
||||
|
||||
4. Open Terminal.
|
||||
|
||||
5. {% data reusables.command_line.start_ssh_agent %}
|
||||
|
||||
6. Find and take a note of your public key fingerprint. {% if currentVersion ver_lt "enterprise-server@3.0" %}If you're using OpenSSH 6.7 or older:
|
||||
```shell
|
||||
$ ssh-add -l
|
||||
> 2048 <em>a0:dd:42:3c:5a:9d:e4:2a:21:52:4e:78:07:6e:c8:4d</em> /Users/<em>USERNAME</em>/.ssh/id_rsa (RSA)
|
||||
```
|
||||
|
||||
If you're using OpenSSH 6.8 or newer:
|
||||
```shell
|
||||
$ ssh-add -l -E md5
|
||||
> 2048 <em>MD5:a0:dd:42:3c:5a:9d:e4:2a:21:52:4e:78:07:6e:c8:4d</em> /Users/<em>USERNAME</em>/.ssh/id_rsa (RSA)
|
||||
```
|
||||
{% else %}
|
||||
```shell
|
||||
$ ssh-add -l -E sha256
|
||||
> 2048 <em>SHA256:274ffWxgaxq/tSINAykStUL7XWyRNcRTlcST1Ei7gBQ</em> /Users/<em>USERNAME</em>/.ssh/id_rsa (RSA)
|
||||
```{% endif %}
|
||||
|
||||
7. The SSH keys on {% data variables.product.product_name %} *should* match the same keys on your computer.
|
||||
|
||||
{% endlinux %}
|
||||
|
||||
{% warning %}
|
||||
|
||||
**Warning**: If you see an SSH key you're not familiar with on {% data variables.product.product_name %}, delete it immediately and contact {% data variables.contact.contact_support %} for further help. An unidentified public key may indicate a possible security concern.
|
||||
|
||||
{% endwarning %}
|
||||
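Review bot: Step 7 in each of the `{% mac %}`, `{% windows %}` and `{% linux %}` blocks only says the keys "*should* match" and never tells the reader what to compare or what to do when they do not; say that the fingerprint printed by `ssh-add -l` in step 6 is checked against the keys listed on the SSH Settings page, and point to the closing warning for any key that does not match. The sample output in the Windows and Linux blocks shows `/Users/USERNAME/.ssh/id_rsa`, which is a macOS home path, so use a path that fits each platform. The intro also promises more than the body delivers: "audit your SSH keys, deploy keys, and review authorized applications" is not parallel, and the steps cover only SSH keys, so either trim the intro or link to where deploy keys and authorized applications are reviewed.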
@@ -0,0 +1,20 @@
|
||||
---
|
||||
title: Sudo mode
|
||||
intro: '{% data variables.product.product_name %} asks you for your password before you can modify your email address, authorize third-party applications, or add new public keys, or initiate other *sudo-protected* actions.'
|
||||
redirect_from:
|
||||
- /articles/sudo-mode
|
||||
- /github/authenticating-to-github/sudo-mode
|
||||
versions:
|
||||
free-pro-team: '*'
|
||||
enterprise-server: '*'
|
||||
topics:
|
||||
- Identity
|
||||
- Access management
|
||||
---
|
||||
After you've performed a sudo-protected action, you'll only be asked to re-authenticate again after a few hours of inactivity. Every sudo-protected action resets this timer.
|
||||
|
||||

|
||||
|
||||
### Further reading
|
||||
|
||||
- [Unix `sudo` command](http://en.wikipedia.org/wiki/Sudo)
|
||||
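Review bot: The body's "after a few hours of inactivity" leaves the sudo timeout unspecified, and for a re-authentication control readers need the actual window; state the value or say explicitly that it is not fixed. Smaller points: "re-authenticate again" is redundant, the intro list reads "or add new public keys, or initiate other" with a doubled "or", and the Further reading link uses `http://en.wikipedia.org/wiki/Sudo` where `https://` should be used. `versions` lists `free-pro-team` and `enterprise-server` but not `github-ae`, unlike the SSH key and credentials articles in this commit; please confirm that omission is intended.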
@@ -0,0 +1,68 @@
|
||||
---
|
||||
title: Updating your GitHub access credentials
|
||||
intro: '{% data variables.product.product_name %} credentials include{% if currentVersion != "github-ae@latest" %} not only your password, but also{% endif %} the access tokens, SSH keys, and application API tokens you use to communicate with {% data variables.product.product_name %}. Should you have the need, you can reset all of these access credentials yourself.'
|
||||
redirect_from:
|
||||
- /articles/rolling-your-credentials/
|
||||
- /articles/how-can-i-reset-my-password/
|
||||
- /articles/updating-your-github-access-credentials
|
||||
- /github/authenticating-to-github/updating-your-github-access-credentials
|
||||
versions:
|
||||
free-pro-team: '*'
|
||||
enterprise-server: '*'
|
||||
github-ae: '*'
|
||||
topics:
|
||||
- Identity
|
||||
- Access management
|
||||
---
|
||||
{% if currentVersion != "github-ae@latest" %}
|
||||
### Requesting a new password
|
||||
|
||||
1. To request a new password, visit {% if currentVersion == "free-pro-team@latest" %}https://{% data variables.product.product_url %}/password_reset{% else %}`https://{% data variables.product.product_url %}/password_reset`{% endif %}.
|
||||
2. Enter the email address associated with your personal {% data variables.product.product_name %} account, then click **Send password reset email.** The email will be sent to the backup email address if you have one configured.
|
||||

|
||||
3. We'll email you a link that will allow you to reset your password. You must click on this link within 3 hours of receiving the email. If you didn't receive an email from us, make sure to check your spam folder.
|
||||
4. If you have enabled two-factor authentication, type your 2FA credentials or one of your 2FA recovery codes and click **Verify**.
|
||||

|
||||
5. Type a new password, confirm your new password, and click **Change password**. For help creating a strong password, see "[Creating a strong password](/articles/creating-a-strong-password)."
|
||||
{% if currentVersion == "free-pro-team@latest" %}{% else %}
|
||||
{% endif %}
|
||||
|
||||
{% tip %}
|
||||
|
||||
To avoid losing your password in the future, we suggest using a secure password manager, like [LastPass](https://lastpass.com/), [1Password](https://1password.com/), or [Keeper](https://keepersecurity.com/).
|
||||
|
||||
{% endtip %}
|
||||
|
||||
### Changing an existing password
|
||||
|
||||
{% data reusables.repositories.blocked-passwords %}
|
||||
|
||||
1. {% data variables.product.signin_link %} to {% data variables.product.product_name %}.
|
||||
{% data reusables.user_settings.access_settings %}
|
||||
{% data reusables.user_settings.security %}
|
||||
4. Under "Change password", type your old password, a strong new password, and confirm your new password. For help creating a strong password, see "[Creating a strong password](/articles/creating-a-strong-password)"
|
||||
5. Click **Update password**.
|
||||
|
||||
{% tip %}
|
||||
|
||||
For greater security, enable two-factor authentication in addition to changing your password. See [About two-factor authentication](/articles/about-two-factor-authentication) for more details.
|
||||
|
||||
{% endtip %}
|
||||
{% endif %}
|
||||
### Updating your access tokens
|
||||
|
||||
See "[Reviewing your authorized integrations](/articles/reviewing-your-authorized-integrations)" for instructions on reviewing and deleting access tokens. To generate new access tokens, see "[Creating a personal access token](/github/authenticating-to-github/creating-a-personal-access-token)."
|
||||
|
||||
### Updating your SSH keys
|
||||
|
||||
See "[Reviewing your SSH keys](/articles/reviewing-your-ssh-keys)" for instructions on reviewing and deleting SSH keys. To generate and add new SSH keys, see "[Generating an SSH key](/articles/generating-an-ssh-key)."
|
||||
|
||||
### Resetting API tokens
|
||||
|
||||
If you have any applications registered with {% data variables.product.product_name %}, you'll want to reset their OAuth tokens. For more information, see the "[Reset an authorization](/rest/reference/apps#reset-an-authorization)" endpoint.
|
||||
|
||||
{% if currentVersion != "github-ae@latest" %}
|
||||
### Preventing unauthorized access
|
||||
|
||||
For more tips on securing your account and preventing unauthorized access, see "[Preventing unauthorized access](/articles/preventing-unauthorized-access)."
|
||||
{% endif %}
|
||||
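Review bot: After step 5 of "Requesting a new password", `{% if currentVersion == "free-pro-team@latest" %}{% else %}` keeps an empty first branch only to show the screenshot on other versions; invert the test to `{% if currentVersion != "free-pro-team@latest" %}` and drop the `{% else %}`. In step 2 the sentence period sits inside the bold button label (`**Send password reset email.**`), and step 4 of "Changing an existing password" ends without a period after the "Creating a strong password" link. Step 2 also says the email "will be sent to the backup email address if you have one configured" without saying whether the primary address receives it too, which matters to someone checking for an unexpected reset; please spell that out.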