Enhancing Security on the Hugging Face Hub: Transitioning from Passwords to Token-Based and SSH Key Authentication
As part of our ongoing commitment to improving the security of the Hugging Face Hub, we are excited to announce a significant change in how users authenticate their command-line Git operations. Starting October 1st, 2023, passwords will no longer be accepted for Git authentication. Instead, we encourage users to adopt more secure methods, such as personal access tokens or SSH keys. This article will provide you with all the essential information you need to make a seamless transition.
Background
In recent months, we have rolled out several security enhancements aimed at protecting our users’ accounts. These improvements include sign-in alerts and support for SSH keys in Git operations. While these measures have bolstered security, users have still been able to authenticate using their usernames and passwords, which presents potential vulnerabilities. To further mitigate risks, we are transitioning to token-based or SSH key authentication.
Personal access tokens and SSH keys offer clear advantages over traditional password authentication. Each credential is unique, revocable, and randomly generated, which strengthens security and gives you more control over account access. By making this shift, we aim to create a safer and more reliable experience for all users on the Hugging Face Hub.
Action Required Today
If you currently rely on your Hugging Face account password to authenticate with Git, it’s crucial to switch to a personal access token or SSH keys before the October 1st, 2023 deadline. This proactive step will ensure that you can continue to access your repositories without interruption.
Switching to Personal Access Tokens
To start using a personal access token, you will first need to generate one for your Hugging Face account. You can follow the guidelines provided in our documentation on generating user access tokens.
Once you have generated your access token, updating your Git repository is straightforward. Use the following commands to set your remote URL:
$: git remote set-url origin https://<user_name>:<token>@huggingface.co/<repo_path>
$: git pull origin
Here, replace <user_name> with your Hugging Face username and <token> with your newly generated access token. The <repo_path> should be specified in one of the following formats:
- <user_name>/<repo_name> for models
- datasets/<user_name>/<repo_name> for datasets
- spaces/<user_name>/<repo_name> for Spaces
If you’re cloning a new repository, simply enter your access token in place of your password when prompted by your Git credential manager.
Switching to SSH Keys
Alternatively, switching to SSH keys is another robust option for secure authentication. For detailed instructions on generating an SSH key and adding it to your account, please refer to our guide on using SSH with Git.
Once your SSH key is set up, you can update your Git repository with the following command:
$: git remote set-url origin git@hf.co:<repo_path>
This method provides a secure and efficient way to authenticate without needing to input a password.
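Added example (not part of the original announcement and not Hugging Face tooling): a shell audit that walks a directory of clones and reports how each Hub remote authenticates, covering both the token URL and the SSH URL shown above. A secret written into the remote URL is stored in plain text in `.git/config`, so the report masks it; the function names and the script name are hypothetical.

```shell
#!/usr/bin/env bash
# Added example: audit local clones for Hugging Face Hub remotes and show how
# each one authenticates. Function names are hypothetical, not Hub tooling.

# Classify a remote URL by the authentication style it implies.
hf_remote_kind() {
  case "$1" in
    git@hf.co:*)                  echo ssh ;;
    https://*:*@huggingface.co/*) echo https-embedded-secret ;;  # password or token kept in .git/config
    https://*@huggingface.co/*)   echo https-username-only ;;
    https://huggingface.co/*)     echo https-prompt ;;           # secret comes from a prompt or credential manager
    *)                            echo not-hf ;;
  esac
}

# Mask the secret in user:secret@ so the audit output is safe to paste or log.
redact_url() {
  printf '%s\n' "$1" | sed -E 's#^(https://[^:/@]+):[^@]*@#\1:***@#'
}

# Build the SSH remote (git@hf.co:<repo_path>) for an HTTPS Hub URL.
hf_to_ssh() {
  printf 'git@hf.co:%s\n' "${1#*huggingface.co/}"
}

# Walk a directory tree and report every Hub remote: repo, remote, kind, URL.
hf_audit() {
  local root="${1:-.}" gitdir repo name url kind
  find "$root" -type d -name .git -prune 2>/dev/null | while read -r gitdir; do
    repo="${gitdir%/.git}"
    git -C "$repo" remote | while read -r name; do
      url="$(git -C "$repo" remote get-url "$name")"
      kind="$(hf_remote_kind "$url")"
      if [ "$kind" != not-hf ]; then
        printf '%s\t%s\t%s\t%s\n' "$repo" "$name" "$kind" "$(redact_url "$url")"
      fi
    done
  done
}

# Run as: ./hf_audit.sh ~/projects   (script name is an assumption)
if [ "$#" -gt 0 ]; then hf_audit "$1"; fi
```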
Timeline
To keep you informed about the transition, here’s a brief timeline of what to expect in the coming weeks:
- Today: Users who are still relying on passwords for Git authentication may receive emails reminding them to update their authentication methods.
- October 1st: Personal access tokens or SSH keys will become mandatory for all Git operations.
If you have any questions or concerns regarding this transition, please reach out to Hugging Face Support at website@huggingface.co. We’re here to help you navigate this important change and ensure a secure experience on the Hugging Face Hub.
By taking these steps to enhance your account security, you contribute to making the Hugging Face community a safer place for everyone.

