
Securely pushing to GitHub from a JupyterHub with gh-scoped-creds

 2 years ago
source link: https://blog.jupyter.org/securely-pushing-to-github-from-a-jupyterhub-3ee42dfdc54f

Many JupyterHub users want to push and pull their content from GitHub in order to collaborate and share their work. However, working on a JupyterHub means working on shared infrastructure rather than your own laptop, and that brings extra security risks which have made two-way sync with GitHub difficult. This post describes gh-scoped-creds, a new tool that lets a user authorize a JupyterHub session with push access to GitHub quickly and securely.

GitHub user credentials are high-value targets for cybercriminals in today's security environment, and any system that stores them long term paints an unwanted target on itself. The current options (an ssh key on the JupyterHub, a personal access token, deploy keys) all involve storing long-lived GitHub credentials on the hub's filesystem. Users can set these up by themselves without admin intervention, so admins are often unaware that such credentials, usually unencrypted, are sitting on their filesystems. If an attacker compromises an ssh key or a personal access token, they get unrestricted access to every GitHub repo the compromised user had access to, including repos in high-impact GitHub organizations. In the recent credential theft incident, Travis CI and Heroku were 'lucky' in that the attackers accessed npm infrastructure: since npm is owned by GitHub, GitHub was able to detect that Travis CI and Heroku credentials had been compromised. You, and the users of repositories you have rights to, might not be so lucky. It's 2022 and supply chain attacks are everywhere; you aren't special, you're just one link in a long chain attackers use to get to someone else.
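Since users can leave these credentials behind without anyone noticing, the admin-side check worth having is a sweep of home directories for long-lived GitHub secrets. The block below is an added example, not code from the post or from gh-scoped-creds: it looks for GitHub's documented token prefixes, credential-store URLs with an embedded secret, and private keys in `~/.ssh`, and runs over sample home directories that are constructed inline (every secret in them is fabricated filler). The list of dotfiles it inspects is an assumption; extend it to match your hub.

```python
"""Added example (not from the post or gh-scoped-creds): find long-lived
GitHub credentials sitting in home directories on a shared filesystem.

Sample home directories are constructed inline; every secret in them is
fabricated filler, not a real key or token.
"""
from __future__ import annotations

import re
import tempfile
from pathlib import Path

# Prefixes GitHub documents for its token formats (ghp_ classic PAT, gho_ OAuth,
# ghu_/ghs_ GitHub App user/server tokens, ghr_ refresh, github_pat_ fine-grained),
# a credential-store URL with an embedded secret, and a private-key PEM header.
PATTERNS = {
    "github_token": re.compile(
        r"\b(?:ghp|gho|ghu|ghs|ghr)_[A-Za-z0-9]{36}\b|\bgithub_pat_[A-Za-z0-9_]{22,}\b"
    ),
    "credential_url": re.compile(r"https://[^\s/:@]+:[^\s@]+@github\.com"),
    "ssh_private_key": re.compile(r"-----BEGIN (?:OPENSSH|RSA|EC|DSA) PRIVATE KEY-----"),
}

# Dotfiles where users typically leave tokens. This list is an assumption;
# extend it for your hub (conda/pip config, notebook checkpoints, ...).
CANDIDATE_FILES = [".git-credentials", ".netrc", ".bashrc", ".profile", ".config/gh/hosts.yml"]


def scan_home(home: Path) -> list[tuple[str, str]]:
    """Return sorted (relative_path, finding_kind) pairs for one home directory."""
    candidates = [home / rel for rel in CANDIDATE_FILES]
    ssh_dir = home / ".ssh"
    if ssh_dir.is_dir():
        # Any non-.pub file in ~/.ssh may be a private key, whatever it is named.
        candidates.extend(p for p in ssh_dir.iterdir() if p.is_file() and p.suffix != ".pub")

    findings: list[tuple[str, str]] = []
    for path in candidates:
        if not path.is_file():
            continue
        try:
            text = path.read_text(errors="replace")
        except OSError:
            continue  # unreadable (permissions, special file): skip, don't abort the sweep
        for kind, pattern in PATTERNS.items():
            if pattern.search(text):
                findings.append((path.relative_to(home).as_posix(), kind))
    return sorted(findings)


def scan_all_homes(root: Path) -> dict[str, list[tuple[str, str]]]:
    """Map user name -> findings, omitting users with nothing to report."""
    report: dict[str, list[tuple[str, str]]] = {}
    for home in sorted(root.iterdir()):
        if home.is_dir():
            found = scan_home(home)
            if found:
                report[home.name] = found
    return report


def build_sample_homes(root: Path) -> None:
    """Constructed sample: four users, three of whom left long-lived credentials behind."""
    (root / "alice" / ".ssh").mkdir(parents=True)
    (root / "alice" / ".ssh" / "id_ed25519").write_text(
        "-----BEGIN OPENSSH PRIVATE KEY-----\nAAAAfabricatedfiller\n-----END OPENSSH PRIVATE KEY-----\n"
    )
    (root / "alice" / ".ssh" / "id_ed25519.pub").write_text("ssh-ed25519 AAAAfabricated alice@hub\n")
    (root / "bob").mkdir()
    (root / "bob" / ".git-credentials").write_text("https://bob:ghp_" + "a" * 36 + "@github.com\n")
    (root / "carol").mkdir()
    (root / "carol" / ".bashrc").write_text("export GITHUB_TOKEN=ghp_" + "b" * 36 + "\n")
    (root / "dave").mkdir()
    (root / "dave" / ".bashrc").write_text("alias ll='ls -l'\n")


def demo() -> dict[str, list[tuple[str, str]]]:
    """Run the scan over the constructed sample and return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_homes(root)
        return scan_all_homes(root)


if __name__ == "__main__":
    for user, findings in demo().items():
        for rel_path, kind in findings:
            print(f"{user}: {rel_path} ({kind})")
```

Two caveats when reading the report: a passphrase-protected key matches the same PEM header as an unencrypted one, so keys are flagged regardless (on a hub with no ssh-agent they are usually unencrypted anyway), and a `ghu_` token is a GitHub App user-to-server token of the short-lived kind a device flow hands out, so it is the `ghp_` tokens, credential-store URLs and ssh keys that point at long-term exposure.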

There is a clear need for a simple solution that lets users push to GitHub from JupyterHub securely, without admins having to worry about protecting high-value GitHub credentials long term. "Just Say No" to users who want this functionality is not acceptable either: if you try to 'sacrifice' usability for security, you end up with neither.

gh-scoped-creds attempts to solve this problem by allowing users to grant time-limited push access to specific repositories to specific JupyterHub installations in a user friendly way.

Here’s a quick GIF running through the user workflow.

Push access is scoped both by time (credentials expire after 8 hours) and by repository (access is granted per repository, per hub). You need to refresh credentials every 8 hours, but the list of repositories is remembered until you explicitly revoke access. You can always grant access to your own personal repositories; for repositories belonging to organisations, an organisation admin may need to approve push access.
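The two scopes described above can be seen end to end in a git credential helper. The block below is an added example, not gh-scoped-creds' own code: it answers git's credential protocol with a stored token only while the token is unexpired, and only for a repository in the granted list. In the real tool both limits are enforced by GitHub itself (gh-scoped-creds is built on a GitHub App, per its README, and GitHub issues the 8-hour token for the repositories the user installed the app on); the local checks here simply make a stale or out-of-scope token produce no credential, so git moves on to prompting or failing instead of sending the token and getting a 403 back. The state-file layout, the `x-access-token` username, the helper name and the sample state are assumptions.

```python
"""Added example (not gh-scoped-creds' code): a git credential helper that serves
a short-lived, repository-scoped GitHub token and stays silent once the token
has expired or the repository is outside the granted set.

The state-file layout, the 'x-access-token' username and the helper name are
assumptions. SAMPLE_STATE is constructed; its token is filler.
"""
from __future__ import annotations

import json
import sys
import time
from pathlib import Path

TOKEN_LIFETIME_S = 8 * 60 * 60  # the post's 8-hour expiry
STATE_FILE = Path.home() / ".config" / "scoped-gh-helper" / "state.json"  # assumed location

# Constructed sample state: what a device flow would have written after the
# user granted this hub access to one repository.
SAMPLE_STATE = {
    "token": "ghu_" + "x" * 36,            # filler, not a real user-to-server token
    "issued_at": 1_700_000_000,
    "expires_at": 1_700_000_000 + TOKEN_LIFETIME_S,
    "repos": ["example-org/notebooks"],    # granted repositories, owner/name form
}


def parse_git_request(text: str) -> dict[str, str]:
    """Parse the 'key=value' lines git writes to a helper's stdin (a blank line ends them)."""
    request: dict[str, str] = {}
    for line in text.splitlines():
        if not line:
            break
        key, _, value = line.partition("=")
        request[key] = value
    return request


def repo_from_path(path: str) -> str:
    """Normalise git's 'path' attribute ('/Org/Repo.git') to 'org/repo'."""
    repo = path.strip("/")
    if repo.endswith(".git"):
        repo = repo[: -len(".git")]
    return repo.lower()


def resolve_credential(state: dict, request: dict[str, str], now: float) -> dict[str, str] | None:
    """Return the username/password git should use, or None to answer nothing.

    git only sends 'path' when credential.useHttpPath is true, so the helper must be
    installed with that option; without it every GitHub URL looks the same to us.
    """
    if request.get("protocol") != "https" or request.get("host") != "github.com":
        return None  # the token is only meaningful for GitHub over https
    if now >= state["expires_at"]:
        return None  # expired: the user has to run the device flow again
    granted = {r.lower() for r in state["repos"]}
    if repo_from_path(request.get("path", "")) not in granted:
        return None  # a repository this hub was never granted access to
    return {"username": "x-access-token", "password": state["token"]}


def format_git_response(credential: dict[str, str]) -> str:
    """Serialise a credential in the key=value form git reads from the helper's stdout."""
    return "".join(f"{key}={value}\n" for key, value in credential.items())


def main(argv: list[str]) -> int:
    # git runs the helper as '<helper> get|store|erase'; only 'get' matters here,
    # because the token is issued and replaced by the device flow, not by git.
    if len(argv) != 2 or argv[1] != "get" or not STATE_FILE.is_file():
        return 0
    state = json.loads(STATE_FILE.read_text())
    credential = resolve_credential(state, parse_git_request(sys.stdin.read()), time.time())
    if credential is not None:
        sys.stdout.write(format_git_response(credential))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

To wire such a helper in, the user would run `git config --global credential.helper '!python3 /path/to/helper.py'` (the leading `!` makes git run the command and append `get`, `store` or `erase`) and `git config --global credential.useHttpPath true` so that git includes the repository path in each request.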

You can also run the command from the terminal as gh-scoped-creds instead of using the IPython magic %ghscopedcreds shown in the demo. That also lets you use it from an HPC system, not just a JupyterHub!

Setting this up for your JupyterHub requires a small, one-time piece of work from the admin; see the project README for details. Once that's in place, your users can securely push to GitHub from the comfort of their JupyterHubs!

Thanks to Fernando Perez for using his stat159 class at UC Berkeley to test this project out.

