While going through the post on cloning in GitHub, I realised that to clone the repository, a link was used which appears when we press the Clone or download button. But, observing closely you might have noticed the caption of the popup. For those who missed it, let me show it. The pop-up after pressing the button looked like this for the repository ToolsQA.
There are two options to clone as can be seen in the image.
- Cloning a GitHub repository with HTTPS.
- Clone a GitHub repository using SSH.
In the same post, I mentioned that the use of ssh will be done in the later tutorials. Well, the time has come. SSH and HTTPS are the two ways to clone a repository on GitHub. In general, SSH and HTTPS are the two major types of protocols to use for internet communication all over the world. While HTTPS is a straightforward way, SSH contains some setup overhead. But, they both have their own advantages and disadvantages. This post is dedicated to that. In the end, only you are to decide what seems good to you. Before discussing how to set up and use ssh for cloning and pushing the changes or performing any other operations, let see a brief introduction to HTTPS.
HTTPS Cloning in GitHub
HTTPS is a secure communication protocol. Through HTTPS, one can perform communication over the network between any two machines whether they are server or client or both. They should be just connected to the internet. HTTPS is a secure version of HTTP. HTTPS ensures safety by encrypting the data using the transport layer of the network the user is using. HTTPS has gained a lot of fame since its introduction and is used heavily on the websites. While pressing the clone button in GitHub opens up the HTTPS link, it is quite understood that GitHub prefers HTTPS over SSH. But, this cannot and should not be claimed although there have been some indications in the past.
Does GitHub recommend using HTTPS?
Long back, the following link about generating ssh keys on GitHub used to state and I quote, If you have decided not to use the recommended HTTPS method, we can use SSH keys to establish a secure connection between your computer and GitHub. The steps below will walk you through generating an SSH key and then adding the public key to your GitHub account. This is around the time when GitHub was launched and new to the world. They changed their recommendation statement to SSH stating on the same page as, We strongly recommend using an SSH connection when interacting with GitHub and at the current time, they are unbiased and removed the word “recommendation”. Since the button defaults to HTTPS link whereas SSH is much secure, this question remains unanswered.
How to use HTTPS for cloning in GitHub?
Once the user presses the clone or download button, GitHub will show the popup with the HTTPS URL link automatically. Each and every step that has been performed in the post how to clone in GitHub directly points to how to clone in GitHub using HTTPS. You can revisit the post to learn how to clone using HTTPS.
Advantages of using HTTPS in cloning
Using HTTPS has some of its own advantages:
- Easy to Use: HTTPS is easy to use. This was the main reason GitHub recommended it in the first place. To use HTTPS, the user has to just copy the URL and run the git clone command in the Git to clone the repository. It is easier and convenient to use for a user, especially for a beginner.
- Lesser Firewall Restriction: HTTPS has very less firewall restriction. If you are using HTTPS, it is very unlikely that the communication will be blocked by a firewall. HTTPS communication is used by every repository private or public and works even if you are using a proxy server.
Disadvantages of Using HTTPS in GitHub
HTTPS contains a couple of disadvantages too:
- Repetitive Authentication: Whenever the user performs the network-based communication of any type such as pushing the changes to the repository or pulling the changes, every time they need to enter the credentials to authenticate their actions. Since these actions happen many times in a day, the user sometimes gets irritated by repetitive prompt and entering the credentials.
- Configuring Credentials Manager: To avoid the above headache, some people install credentials managers or keychain to automatically fill the credentials and configure that to the terminal. But, in this method, if the user has to change the password, they have to go configure everything again from the start which is a pain in itself. Fortunately, SSH saves us from all of this.
What is SSH in Git?
SSH or Secure Shell is a cryptographic network protocol used for communicating over the network. Since there is no reliability on the network (especially the untrusted ones), SSH provides a safe and secure way to communicate. The usage of SSH has increased a lot over the time and it mainly includes remote command line use and remote login through which the user can log in to their account remotely and execute commands too. Although it is not just confined to this and the applications are huge in today’s interconnected world. In the later tutorials, making the use of the same application, we will authenticate to our GitHub repository through SSH client service. But first, let’s see the pros of using SSH:
Why SSH is preferred over HTTPS in Git?
In the above section about HTTPS being preferred, we talked with the perspective of the GitHub. Since they mentioned it on the website, it indicated that they preferred it a long time back. In this section, we will explore some pros of using SSH instead of HTTPS in Git.
- No Repetitive Authentication: Replacing HTTPS with SSH will remove the burden of authenticating on the remote server repeatedly for every action that you do. It is one of the major reasons developers prefer SSH over HTTPS.
- Saves Time: Using SSH saves a lot of time since the user does not enter credentials every time.
- Secure: SSH keys are more secure than any password you would think of. With millions and trillions of permutations, it is impossible to crack the SSH key. It is very safe to use SSH.
Disadvantages of Using SSH
Although SSH boasts so many pros, it also contains a big disadvantage which in my personal opinion can be ignored since it is just one-time pain.
- Set-Up Cost: The set-up cost for using SSH authentication is huge. It is a little complicated and time-consuming. But, it is just a one-time set-up and once the user is all set, there is no need to set this up every time.
- Firewall restrictions: SSH communication is restricted by the firewalls many times. A proxy server may also reject the communication via SSH network. These networks may include college or organisation networks which have some strict rules regarding communication over the internet.
This amount of knowledge is sufficient for us to understand why to use SSH instead of the conventional HTTPS which by the way is used by many developers even today. It should be remembered that the user should use SSH only on those computers that they use on a regular basis. While we will set up the SSH authentication in the following tutorial, it is important to know two basic concepts that we will encounter. These are the heart of SSH protocol and we will be setting them up in the next tutorial. When we use SSH for authentication, we generate two types of keys:
- Private Keys.
- Public Keys.
These are explained in the below section.
Private and Public Keys in Cryptography
Private and public keys are not confined to SSH. They are a cryptographic element and SSH being a cryptographic protocol implements them. In this section, we will briefly see what are public and private keys in cryptography.
Private Keys in Cryptography
As mentioned above, the user generates two types of keys while communicating with other people over the internet. Out of those two keys, the user keeps one with themselves and do not share with anybody. This key is the private key of the SSH protocol. For the security purposes and to increase the permutations of guesses that a hacker can make, this key is generally very long. It can be as long as 1024 or 2048 bits. A private key is used for decrypting the data being sent. If the private key is lost, the data would remain decrypted forever.
Public Keys in Cryptography
The other key that the user generates is the public key. The public key is shared with everyone and through public key only, a user will encrypt the data they are trying to send. On the other end, the receiver will decrypt the data with the private key. The data is decrypted if and only if the public key is of the same person to which you sent the data. Once decrypted, the user can be assured that the data has been sent by the correct person and the sender can be assured that the data has been decrypted by the correct person.
Along with the HTTPS and SSH protocols, private and public keys are very important in cryptography. While authenticating through SSH, we will be generating both of them and authenticate our actions using them. In the next tutorial, we will set up SSH authentication and will try to push some changes through SSH.