Discourage/phase out using passwords for Git authentication

SSH keys are really what should be used, but they are only used by roughly 2/3 of people, with a few people even using both. Some of this is probably due to aggressive outbound firewalls, other IT policies, and SSH key forwarding being futzy. We can:

  • Document best practices.
  • Let people protect themselves: #1195982: Disable login to git with a password if you have an ssh public key, or maybe a configuration in the user profile for blocking Git password authentication.
  • Add a message to the Git daemon to let people know when password auth is used and link to documentation.
  • Wait and see if password use drops to a low-enough level.


Source: https://www.drupal.org/project/issues/rss/infrastructure