I need a lesson on gitlab security

James Browning jamesb192 at jamesb192.com
Sun Mar 15 11:42:05 UTC 2026


> On 03/15/2026 2:58 AM PDT Hal Murray via devel <devel at ntpsec.org> wrote:
> 
>  
> Many years ago, I told gitlab my ssh public key and git push just worked.
> 
> A while ago, it started asking me for a password.  Annoying, but no big 
> deal since I don't push very often.  (There is a bug in the login popup.  
> Anybody know how to report things like that?  It wants a user name, but 
> the type-in box says password.)
> 
> Now, when I try it, I get this error blurb:
> 
> remote: HTTP Basic: Access denied. If a password was provided for Git 
> authentication, the password was incorrect or you're required to use a 
> token instead of a password. If a token was provided, it was either 
> incorrect, expired, or improperly scoped. See
> https://gitlab.com/help/topics/git/troubleshooting_git.md#error-on-git-fetch-http-basic-access-denied
> 
> I don't remember any announcement or discussion of this area.  Did I miss 
> something?  Can somebody give me quick lesson?
> 
> 
> Is there a flag I can set to go back to using ssh rather than HTTP?
> 
> I don't know anything about tokens.  Is the token stuff the path of least 
> resistance?  Why do I want one and/or why are they better than passwords?

I would check in my ${ntpsec}/.git/config file expecting to
see the following; just as an example...

[remote "origin"]
        url = git@gitlab.com:NTPsec/ntpsec.git
        fetch = +refs/heads/master:refs/remotes/origin/master
[remote "jb192"]
        url = https://gitlab.com/jamesb_fe80/ntpsec.git
        pushUrl = git@gitlab.com:jamesb_fe80/ntpsec.git
        fetch = +refs/heads/*:refs/remotes/jb192/*

Given that I have not been able to push directly to
NTPsec/ntpsec this configuration makes sense for me.

For you, I would expect something more along the lines of:

[remote "origin"]
        url = https://gitlab.com/NTPsec/ntpsec.git
        pushUrl = git@gitlab.com:NTPsec/ntpsec.git
        fetch = +refs/heads/master:refs/remotes/origin/master

Of course the correct command to manipulate that would be
'git remote', not $EDITOR.
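
The 'git remote' route described above, as an added example that is not part of the original message: it checks which transport a remote would push over and sets only the push URL to SSH, leaving the HTTPS fetch URL alone. The function names and the throwaway repository in demo are assumptions made for illustration; the URLs are the ones from the message.

```shell
#!/bin/sh
# Added example. Everything runs against a constructed scratch repository,
# so no network access or GitLab credentials are needed.

# push_transport REPO REMOTE: print the transport git would push over.
# 'git remote get-url --push' returns pushUrl if set, otherwise url.
push_transport() {
    url=$(git -C "$1" remote get-url --push "$2") || return 1
    case "$url" in
        https://*|http://*) echo https ;;   # prompts for a password or token
        ssh://*|*@*:*)      echo ssh ;;     # authenticates with the SSH key
        *)                  echo other ;;
    esac
}

# use_ssh_for_push REPO REMOTE SSH_URL: write pushUrl only; url is untouched.
use_ssh_for_push() {
    git -C "$1" remote set-url --push "$2" "$3"
}

# demo: start from an HTTPS-only remote (the state that triggers the
# "HTTP Basic: Access denied" error on push) and switch pushes to SSH.
demo() {
    repo=$(mktemp -d) || return 1
    git init -q "$repo" >/dev/null 2>&1
    git -C "$repo" remote add origin https://gitlab.com/NTPsec/ntpsec.git
    before=$(push_transport "$repo" origin)
    use_ssh_for_push "$repo" origin git@gitlab.com:NTPsec/ntpsec.git
    after=$(push_transport "$repo" origin)
    fetch=$(git -C "$repo" remote get-url origin)
    rm -rf "$repo"
    echo "$before $after $fetch"
}

# On a networked machine, 'ssh -T git@gitlab.com' confirms that the
# registered public key is still accepted before the next push.
demo
```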

