SSH 密钥与用于 git 身份验证的令牌有何不同?

In what ways is an SSH Key different from tokens for git authentication?

我最近开始收到有关 GitHub 弃用使用密码 Git 的基本身份验证的通知 - 查看他们的博客 post https://github.blog/2020-12-15-token-authentication-requirements-for-git-operations/.

在这个 post 中,他们说了以下内容:

For developers, if you are using a password to authenticate Git operations with GitHub.com today, you must begin using a personal access token over HTTPS (recommended) or SSH key by August 13, 2021, to avoid disruption.

不久前,我开始在我使用的一些机器上使用 SSH 密钥,以避免经常输入我的密码或使用凭据帮助程序以未加密的方式存储它。但是,如上所述,他们说个人访问令牌是“推荐的”。

我想知道这些方法之间的主要区别是什么?这是为了深入了解为什么“推荐”令牌以及是否值得切换到这种身份验证方法。

来自the blog post you linked, I can see at least one benefit of tokens over SSH keys: while tokens and SSH keys both share the Unique, Revocable, and Random benefits quoted in the blog post below, tokens are also Limited in comparison to SSH keys in that they come with their own scoped permissions baked in

虽然 SSH 密钥可以是只读的或可读写的,或者是特定存储库的范围,但相比之下,个人访问令牌在更细粒度的权限模型方面确实具有优势。这可能就是为什么 GitHub 推荐令牌而不是 SSH 密钥。

Tokens offer a number of security benefits over password-based authentication:

  • Unique – tokens are specific to GitHub and can be generated per use or per device
  • Revocable – tokens can can be individually revoked at any time without needing to update unaffected credentials
  • Limited – tokens can be narrowly scoped to allow only the access necessary for the use case
  • Random – tokens are not subject to the types of dictionary or brute force attempts that simpler passwords that you need to remember or enter regularly might be