
Cloning a git repository with sslVerify=false using a personal access token


I'm trying the following command:

git -c http.sslVerify=false clone https://<github_username>:<personal_access_token>@140.82.121.4/<path/to/repo>

Where 140.82.121.4 is the IP address of github.com. The result is:

Cloning into '<repo_name>'...
remote: Repository not found.
fatal: Authentication failed for 'https://140.82.121.4/<path/to/repo>/'

If I execute the same thing but with GitHub's domain name, then it works:

git -c http.sslVerify=false clone https://<github_username>:<personal_access_token>@github.com/<path/to/repo>

It also works with GitHub's IP and direct access (not with a personal access token):

git -c http.sslVerify=false clone https://140.82.121.4/<path/to/repo>

Any idea how to make it work with the IP and personal access token?

P.S: I know that setting http.sslVerify=false is unsafe but I still need it for my use-case. The goal is to be able to access an on-prem git server (let's say github) that doesn't have a domain name, that's why I need it to work with an IP address.

Thank you!


Solution

  • You cannot rely on cloning a repository using GitHub (that is, github.com) using just a plain IP address; it simply isn't guaranteed to work. That's because when you use a domain name for HTTP or HTTPS, it connects to the IP address and sends the domain name in the Host header. This domain name is used to route the data to the proper service, since GitHub hosts many services through the same IP addresses. For example, gist.github.com and github.com share the same IPs and can only be distinguished in this way.

    You should also not hard-code IP addresses for GitHub or other services in your hosts file, because they can and do change, and if you do so anyway, you may find that you can no longer access those services at all.

    If your on-premises server is a GitHub Enterprise Server instance, you may be able to use a hard-coded IP address and a personal access token, but in general using a hard-coded IP address is a bad idea, and you should avoid it in favor of specifying a domain name. If you try to clone using an IP address and that address changes, everybody's remotes for every repository will need to change and all your users will be angry at you. You can still do it for a GHES instance if you really want to, but not for github.com.

    Since you're going to be responsible and kind to your users and set up a domain name, you should also be responsible and set up a publicly trusted certificate as well. As I'm sure you're aware, turning off TLS verification provides no protection against an active attacker and allows anybody who wants to read and modify all of your data.