[Architecture] GitHub - Restricting third-party application access

Javier Hernandez javi at raisingthefloor.org
Mon Sep 11 15:38:44 UTC 2017


Hey there,

by following Gio's recommendation, I've just enabled the "Third-party
application access" restrictions in the GPII organization.

As a heads up, this change has immediately blocked all unapproved
applications and *disabled SSH keys created before February 2014*.

This means that if your SSH key was added before February 2014, you have to
approve that key in order to restore git access to the GPII organization.
You will notice this when trying to push to any repository from the GPII
organization; you will see a message like this:

*ERROR: Sorry, but @GPII has blocked access to SSH keys created by some
third-party applications. Your key was created before GitHub tracked keys
created by applications, so we need your help.*

*If you personally created this key, you can approve it at:*

*  https://github.com/settings/ssh/audit/xxxxxxx/policy*

*Otherwise, please upload a new key:*

*  https://github.com/settings/keys*

*Fingerprint: xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx*

*[EPOLICYKEYAGE]*

*fatal: Could not read from remote repository.*

*Please make sure you have the correct access rights*
*and the repository exists.*

I assume that this applies to fluid-project as well. Fixing this is as
simple as browsing to https://github.com/settings/ssh/audit/xxxxxxx/policy
and approving your key as suggested in the error message.

Let us know if you find any other abnormal behavior that can be caused by
this change.

Best regards,
Javi
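
Added example, not part of the original message: before approving a key at the audit URL, you can confirm that the fingerprint in the EPOLICYKEYAGE error belongs to a public key you hold locally. It assumes the error prints the colon-separated MD5 fingerprint form shown above; the function names and the sample key and error text are constructed for illustration.

```python
import base64
import hashlib
import re

FP_RE = re.compile(r"Fingerprint:\s*((?:[0-9a-f]{2}:){15}[0-9a-f]{2})", re.I)
URL_RE = re.compile(r"https://github\.com/settings/ssh/audit/[^\s/]+/policy")


def md5_fingerprint(pubkey_line):
    """Colon-separated MD5 fingerprint of one OpenSSH public-key line."""
    fields = pubkey_line.split()
    if len(fields) < 2:
        raise ValueError("not an OpenSSH public-key line")
    blob = base64.b64decode(fields[1], validate=True)
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def parse_policy_error(stderr):
    """Extract fingerprint and approval URL from an EPOLICYKEYAGE rejection."""
    if "[EPOLICYKEYAGE]" not in stderr:
        return None
    fp, url = FP_RE.search(stderr), URL_RE.search(stderr)
    return {"fingerprint": fp.group(1).lower() if fp else None,
            "approve_url": url.group(0) if url else None}


def find_blocked_key(stderr, pubkey_lines):
    """Return the local key line the error refers to, or None if it is not ours."""
    info = parse_policy_error(stderr)
    if not info or not info["fingerprint"]:
        return None
    for line in pubkey_lines:
        try:
            if md5_fingerprint(line) == info["fingerprint"]:
                return line.strip()
        except ValueError:  # blank, comment or malformed line
            continue
    return None


# Constructed sample data: a dummy key blob (not a real key) and an error text
# shaped like the one quoted above, with the message's placeholder URL.
SAMPLE_KEY = "ssh-rsa " + base64.b64encode(b"constructed-demo-blob").decode() + " me@laptop"
SAMPLE_ERR = ("ERROR: Sorry, but @GPII has blocked access to SSH keys ...\n"
              "  https://github.com/settings/ssh/audit/xxxxxxx/policy\n"
              "Fingerprint: " + md5_fingerprint(SAMPLE_KEY) + "\n[EPOLICYKEYAGE]\n")

if __name__ == "__main__":
    print(find_blocked_key(SAMPLE_ERR, [SAMPLE_KEY]) or "no local key matches")
```

If no local key matches the fingerprint, the second branch of the error message applies: upload a new key instead of approving one you cannot identify.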

On Mon, Sep 11, 2017 at 4:21 PM, Justin Obara <obara.justin at gmail.com>
wrote:

> Hi Gio,
>
> I’ve updated fluid-project per your request. fluid-lab seems to already
> have restrictions enabled, probably because it was created recently.
>
> ( See discussion in fluid-work IRC channel,
> https://botbot.me/freenode/fluid-work/2017-09-11/?msg=90950577&page=1 ).
>
> Thanks
> Justin
>
>
> On September 8, 2017 at 10:15:17 AM, Tirloni, Giovanni (gtirloni at ocadu.ca)
> wrote:
>
> Hello,
>
> Whenever I try to use some application that is integrated with GitHub, it
> asks for authorization to use my account.
>
> However, not only is it granted access to my account, it's also granted
> access to all organizations I belong to.
>
> This is a bit scary because, if I'm testing some unknown app, I don't want
> it with full admin or write access to GPII or the fluid-project
> organizations.
>
> The way to ensure our most important organizations aren't automatically
> authorized is to enable "Third-party application access" restrictions on
> them. Once this is enabled, users have to be explicit and request access to
> that organization separately.
>
> * To enable this, go to the organization > Settings > Third-party access >
> Enable restrictions
>
> I'd like to suggest we enable this. It'll make things safer for our main
> project and let users experiment with 3rd-party apps without worrying too
> much.
>
> Regards,
> Giovanni