Github doesn’t care about my real Identity

So a few weeks ago my phone was running really slow and I decided to do a factory reset. I use two factor for almost everything, and I use it with Authy, but since I have an account with them I didn’t worry about the factory reset. So I did it, and then after installing Authy I realized that last time I changed my master password to something really difficult that I didn’t remember, and I couldn’t unlock my account, so I was forced to create a new one and add each two factor back. Everything went well except GitHub: they do not seem to have a process to disable it even though I have the password, I own the email and I have keys to some of the repos, but not a master SSH key since I didn’t have one, AND my profile picture is an actual real picture of myself, so that in a normal world everyone would recognize me as Jose if they see it, but that doesn’t seem to work for my digital identity. So I decided to email support, and this is the whole conversation with the SSH details:

 

Hi there, Jose!

Oftentimes the quickest way to regain access to an account is by using the recovery codes we asked you to download when you enabled 2FA for your account. Even if you think you might not have them, it’s worth searching your computer just to be sure; you’d be surprised how often these turn up! They would have had the default filename github-recovery-codes.txt.

If you don’t have valid recovery codes, you can verify account ownership using an SSH key you have added to your account. To do this, please run the following command on the computer where your SSH key exists, and send us the full output:

ssh -T git@github.com verify

If you can verify account ownership, we can disable 2FA on your account so you can sign in again.

Please let me know if there is anything else I can assist you with!

Best,
Kimmy

me to Kimmy

13 Jul

I ran the command, but even though I got authenticated I got:
debug1: Host 'github.com' is known and matches the RSA host key.
debug1: Found key in /home/jamengual/.ssh/known_hosts:323
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/jamengual/.ssh/id_rsa
debug1: Authentications that can continue: publickey
debug1: Offering RSA public key: [email protected]
debug1: Authentications that can continue: publickey
debug1: Offering RSA public key: [email protected]
debug1: Server accepts key: pkalg ssh-rsa blen 279
debug1: Authentication succeeded (publickey).
Authenticated to github.com ([192.30.253.112]:22).
debug1: channel 0: new [client-session]
debug1: Entering interactive session.
debug1: pledge: network
debug1: Sending environment.
debug1: Sending env LANG = en_CA.UTF-8
debug1: Sending command: verify
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
Please provide the following verification token to GitHub Support.
Error generating token.
debug1: channel 0: free: client-session, nchannels 1
Transferred: sent 3324, received 1832 bytes, in 0.2 seconds
Bytes per second: sent 14284.2, received 7872.7
debug1: Exit status 1
no code generated for me…..:)

me to Kimmy

14 Jul

Hi.
Is there another way to resolve this ?
As you can see I have the key and I get authenticated but somehow I don’t get the code.
Thanks.

Justin McCormick (GitHub Staff) to me

15 Jul

Hi Jose,

It looks as though you might be using your public key to authenticate, rather than the private key. Can I have you run a slightly different version of that command? This should provide a bit of additional information:

ssh -vvT git@github.com

Please copy and paste the output of that into your reply, and we’ll have a look to see what we can do to get a more favorable result.

Best,
Justin

me to Justin

20 Jul

here it is :
[email protected]:~$ ssh -vvT git@github.com
OpenSSH_7.2p2 Ubuntu-4ubuntu1, OpenSSL 1.0.2g-fips  1 Mar 2016
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug2: resolving "github.com" port 22
debug2: ssh_connect_direct: needpriv 0
debug1: Connecting to github.com [192.30.253.112] port 22.
debug1: Connection established.

debug2: channel 0: gc: notify user
debug2: channel 0: gc: user detached
debug2: channel 0: send close
debug2: channel 0: is dead
debug2: channel 0: garbage collecting
debug1: channel 0: free: client-session, nchannels 1
Transferred: sent 2968, received 1820 bytes, in 0.2 seconds
Bytes per second: sent 18720.8, received 11479.8
debug1: Exit status 1
Thanks.

Justin McCormick (GitHub Staff) to me

21 Jul

Hi Jose,

Thanks for sending that over. Unfortunately, it looks as though the key being used to generate that token is one associated with a specific repository. We would need one of your user account’s SSH keys to generate the token required to disable two-factor authentication, however.

Do you happen to have any backups that might have this key? If it helps, that used most recently has the name “dropsafe”.

Best,
Justin

me to Justin

27 Jul

Hi.
I found a backup of my key and I ran the command:
ssh -i jamengual  git@github.com verify
Please provide the following verification token to GitHub Support.
Error generating token.
debug2: key: [email protected] (0x55cb183f3f30), agent
debug2: key: [email protected] (0x55cb183f22a0), agent
debug2: key: [email protected] (0x55cb183f2690), agent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: jamengual
Transferred: sent 3316, received 1848 bytes, in 0.1 seconds
Bytes per second: sent 22372.8, received 12468.3
debug1: Exit status 1
is it better now ?
Thanks.

Justin McCormick (GitHub Staff) to me

27 Jul

Hi Jose,

Unfortunately, it looks as though that’s not the key we’re after. You’ll note in the output you received, you were authenticated as jamengual/sensu-opsworks:

Hi jamengual/sensu-opsworks! You’ve successfully authenticated, but GitHub does not provide shell access.

This would indicate that a deploy key is being used, rather than a key associated with your GitHub account. I’m afraid we’re not able to use a deploy key for disabling two-factor authentication, as these keys are more frequently shared.

If you’d like me to remove your email address from the account, you can then use it to register for a new username. While I know that’s far from ideal, I do hope it helps.

Best,
Justin

me to Justin

27 Jul

So there is no way to reinstall or send a code to the phone on SMS to recover the two factor somehow ?

This is pretty bad…

me to Justin

27 Jul

Is there like a form I can fill up and send a copy of my driver license or something ? I need to find another way

Kimmy (GitHub Staff) to me

28 Jul

Hi there, Jose-

I’m sorry to say that, since we don’t collect any physical forms of identification at the time you set up an account, it’s not possible for us to use those as comparisons for verifying identity or account ownership after the fact.

We really can only accept the methods mentioned earlier:

Codes generated by a TOTP application
Recovery codes
Codes delivered to you via SMS
FIDO U2F security keys
a valid SSH verification token

Unfortunately, your account either wasn’t configured to use these, or they’re no longer available to you. We certainly wish there was more we could do to help. Without one of the verification methods above, we cannot disable two-factor authentication for the account.

If you’d like your email address removed so you can use it to register for a new account, do let us know.

Best,
Kimmy

me to Kimmy

28 Jul

Hi.

I know this is all company policy but I would like you to tell me the name of your manager and his phone number to call him/her; this has nothing to do with your excellent support and willingness to help but with the fact that I need to recover my account.

My account has a profile picture that is basically how people recognize me so I could be recognized by anyone so it will be hard for me to believe that I can’t prove that I’m the guy in the picture and owner of the account that is requesting the two factor to be removed.

There is always another way and other companies do have ways to resolve this problem so it is hard to believe that you can delete my email from my account to sign up for another account and not to disable the two factor authentication in the former?  That sounds inconsistent.

Please let me talk to someone on the phone so we can avoid this back and forth and get recognized as the owner and get my repos back.

Thanks.

Nadia J (GitHub Staff) to me
28 Jul

 

Hi Jose,

My name is Nadia, and Kimmy forwarded your message on to me. We don’t have phone support at this time, but I’m happy to correspond with you here in email.

My account has a profile picture that is basically how people recognize me

Unfortunately, things like pictures, other account references, or other social identifiers are too easily come by and are not acceptable forms of verification for two-factor authentication on GitHub.com accounts.

There is always another way and other companies do have ways to resolve
this problem so it is hard to believe that you can delete my email from my
account to sign up for another account and not to disable the two factor
authentication in the former? That sounds inconsistent.

We do have multiple fallback options in place when it comes to two-factor authentication, should you ever lose your primary two-factor authentication method. As Kimmy listed previously, those are:

  • Recovery codes
  • Codes delivered to you via SMS to a fallback number
  • FIDO U2F security keys
  • a valid SSH verification token

We are able to remove your email address from the account, because we can see which email you’re currently writing from, which confirms your access to that email address. However, it does not fully confirm your ownership of the account, because the verified email address only serves as one verification factor. Having two-factor authentication enabled obligates us to obtain a second acceptable form of verification (those listed above) before making any changes to the account that would result in access to it (like disabling two-factor authentication). Since we’ve been unable to obtain any of the above acceptable methods of two-factor authentication, I’m afraid we are not able to disable two-factor authentication on the account.

I recommend creating a new user account and forking or pushing any of your existing projects there. Apologies for the inconvenience, however I hope you can understand our need for user security when two-factor authentication is enabled.

If you would like us to unlink your email address from your account so you can use your email address with your new account, please let us know.

Best,
Nadia

me to Nadia

29 Jul

Like I said before, there has to be a balance between my virtual identity, security of my account and the real person behind it that you guys do not have and that upsets me.

I work at a big company we have a big github enterprise account and have my keys setup using the same username, same picture profile and same ssh keys but of course I can ask the admins to delete my two factor at any time because we have a flexible system of validating identity that the free version of github doesn’t have it.
I can even send you my credit card bill with github charges when I used to have private repos and even all my credit card information that for many other companies will be enough information to validate identity but I will guess that you guys will say that is not enough.
I had a similar problem with a stock account a few months ago that is a high security PCI system and I was able to validate my identity with a bit of paperwork but yet again you guys do not have that procedure in place.
I can keep going on and on on giving you examples but it seems that github believes more to the virtual user than the real user behind the account.

Kimmy (GitHub Staff)

to me 1 Aug

 

Hi there, Jose,

I can keep going on and on on giving you examples but it seems that github
believes more to the virtual user than the real user behind the account.

You are correct, due to the type of information that we gather from users at the time of account creation we can’t utilize any forms of non-virtual documentation to verify an owner’s account. We appreciate your feedback about this issue and we will share it with the appropriate team.

However, at this time, this is something we simply can’t be flexible on as we work to protect a user from unauthorized access.

If you would like to have us remove your email address from the account we would be happy to do so, just let us know.

Best,
Kimmy

 

So I know I made mistakes on not setting the SMS recovery and saving the recovery codes in a safe place but, there should be a balance between me as a person and my digital identity that should never be more important than the real thing.

Does anyone have the same problem ?

What do you think ?

Thanks.

Share it please.
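
The thread above turns on what a key is bound to: the greeting printed by ssh -T git@github.com names a login for an account key and an owner/repo pair for a deploy key. The following is an added example, not part of the original post or of any GitHub tooling, that classifies that greeting so you can find out which of your local keys are account keys before you need one for recovery; the function names and the account-key sample greeting in the comment are constructed.

```shell
#!/bin/sh
# Usage: sh audit-keys.sh ~/.ssh/id_rsa ~/.ssh/some_other_key
#
# Constructed sample greetings:
#   Hi jamengual/sensu-opsworks! You've successfully authenticated, ...  (deploy key)
#   Hi jamengual! You've successfully authenticated, ...                 (account key)

# classify_greeting LINE
# Prints "account <login>", "deploy <owner>/<repo>" or "unknown".
classify_greeting() {
    case "$1" in
        "Hi "*"!"*) ;;
        *) echo "unknown"; return 0 ;;
    esac
    name=${1#"Hi "}      # drop the leading "Hi "
    name=${name%%!*}     # drop everything from the first "!" onward
    case "$name" in
        ""|*" "*) echo "unknown" ;;
        */*)      echo "deploy $name" ;;   # owner/repo: bound to one repository
        *)        echo "account $name" ;;  # bare login: bound to the user account
    esac
}

# audit_keys KEYFILE...
# Offers each private key by itself. IdentitiesOnly=yes keeps keys that are
# held only by ssh-agent from being offered ahead of the one under test,
# which would make the greeting describe a different key.
audit_keys() {
    for key in "$@"; do
        greeting=$(ssh -T -i "$key" -o IdentitiesOnly=yes git@github.com 2>&1 |
            grep '^Hi ' | head -n 1)
        printf '%s: %s\n' "$key" "$(classify_greeting "$greeting")"
    done
}

if [ "$#" -gt 0 ]; then
    audit_keys "$@"
fi
```

Only a key reported as "account" is the kind support asked for in the thread; a key reported as "deploy" is tied to a single repository.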


How to Build nginx 1.4.1 and ngx_pagespeed in Ubuntu/Debian

Create a directory to download necessary packages (optional) :

mkdir pagespeed; cd pagespeed

Make sure that you have the latest version of nginx; I recommend using the nginx repo.

To add nginx repo :

wget http://nginx.org/keys/nginx_signing.key
sudo apt-key add nginx_signing.key

Add these lines to the /etc/apt/sources.list file, replacing codename with your release’s codename (for 12.04 codename is squeeze):

deb http://nginx.org/packages/debian/ codename nginx
deb-src http://nginx.org/packages/debian/ codename nginx

Download nginx sources and build packages :

sudo apt-get update
sudo apt-get install dpkg-dev
sudo apt-get source nginx

Build nginx deps :

sudo apt-get build-dep nginx

Make sure you have these ngx_pagespeed requirements :

sudo apt-get install build-essential zlib1g-dev libpcre3 libpcre3-dev

Download the ngx_pagespeed release and PSOL :


wget https://github.com/pagespeed/ngx_pagespeed/archive/release-1.5.27.3-beta.zip
unzip release-1.5.27.3-beta.zip
cd ngx_pagespeed-release-1.5.27.3-beta
wget https://dl.google.com/dl/page-speed/psol/1.5.27.3.tar.gz
tar xzvf 1.5.27.3.tar.gz
cd ..

Update : Before, I was using git clone, but that is not a good idea since the master branch keeps changing and can break things.

Edit build rules for nginx 1.4.1 package :

vim nginx-1.4.1/debian/rules

and add :

--add-module=../ngx_pagespeed-release-1.5.27.3-beta

it will look like this :

...
--with-file-aio \
--add-module=../ngx_pagespeed-release-1.5.27.3-beta \
$(WITH_SPDY) \
--with-ipv6
...


Build the nginx 1.4.1 Debian package with the pagespeed module :

cd nginx-1.4.1/ && dpkg-buildpackage -b

Install new nginx deb package:

cd .. && dpkg --install nginx_1.4.1-1~squeeze_amd64.deb

Note: If you already have nginx installed, you will need to remove it and then install the new package (do not use the --purge option, otherwise you will delete all your config files).

Add these lines to /etc/nginx.conf to test if pagespeed works :

...
http {
pagespeed on;
pagespeed FileCachePath /var/ngx_pagespeed_cache;
...

Create pagespeed cache directory and change permissions :

mkdir /var/ngx_pagespeed_cache
chown -R www-data:www-data /var/ngx_pagespeed_cache

Reload nginx :

nginx -s reload

Test if pagespeed is working :

curl -I -p http://localhost:8080/index.php|grep X-Page-Speed

Note: make sure to use the correct url

you should see :

X-Page-Speed: 1.5.27.3-xxxx

Any feedback on these instructions is welcome

For More detailed information please read :

https://github.com/pagespeed/ngx_pagespeed
http://nginx.org/en/linux_packages.html#stable

Note : This process could be used to build basically any module for nginx that is not in the nginx-full or default Debian package.
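
The debian/rules edit described above can be scripted so that a rebuild does not depend on a manual vim session. The following is an added example, not part of the original instructions or of the nginx packaging: the function name add_module_to_rules is hypothetical, and it assumes every configure invocation in the rules file has a line ending in --with-file-aio \ as in the excerpt above. It inserts the --add-module line after each such line and does nothing on a second run.

```shell
#!/bin/sh
# add_module_to_rules RULES_FILE MODULE_DIR
# Example: add_module_to_rules nginx-1.4.1/debian/rules ../ngx_pagespeed-release-1.5.27.3-beta
add_module_to_rules() {
    rules=$1
    flag="--add-module=$2"

    # Already patched: leave the file alone so reruns do not duplicate the flag.
    if grep -qF -- "$flag" "$rules"; then
        return 0
    fi

    # Without the anchor line the layout differs from the one assumed here;
    # fail loudly instead of building a package that lacks the module.
    if ! grep -q -- '--with-file-aio[[:space:]]*\\$' "$rules"; then
        echo "no '--with-file-aio \\' line found in $rules" >&2
        return 1
    fi

    tmp=$(mktemp) || return 1
    # Print every line; after each anchor line add the flag with the same
    # indentation and a trailing backslash so the continuation stays intact.
    if awk -v flag="$flag" '
        { print }
        /--with-file-aio[ \t]*\\$/ {
            indent = $0
            sub(/[^ \t].*$/, "", indent)
            print indent flag " \\"
        }' "$rules" > "$tmp"
    then
        # Write back through cat so debian/rules keeps its executable bit.
        cat "$tmp" > "$rules"
        rc=$?
    else
        rc=1
    fi
    rm -f "$tmp"
    return "$rc"
}
```

Pass a different module directory as the second argument to build another out-of-tree module the same way.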
