My VM OS was recently updated and most of my data was migrated. Git, etc. was reinstalled. I am still able to clone/push/pull to my private GitHub repositories. However, I did not reenter my credentials.
This confused me. In the past, I used private access tokens as I have 2FA enabled. To try and understand this, I deleted all of my private access tokens. I was still able to clone/pull/push. Then I changed my password. I was still able to clone/pull/push.
I am unsure as to why I am able to do this. I tried pulling the private repository on another machine, and I was prompted to enter my credentials. Hence there must be something on the VM that contains some of my credentials, but I am not sure where or how they are stored. Also given that I deleted my access tokens and changed my password, surely I should not be able to do this any more.
I had a look all over my VM within ~/.gitconfig and .git-credentials. I renamed these files, but I was still able to clone. My only thought is that one of the old repositories contains my credentials locally and somehow Git knows to pick them up. Still, why do these credentials work after I removed all my access tokens and changed my password?
The answer to my problem was: I authorized GitHub for the Visual Studio Code OAuth App. I was using Visual Studio Code to connect to the VM, hence my credentials were stored in this way.
It's somewhat strange that the OAuth apps remain authorized in case of a password change, but I guess GitHub don't see it as a strong attack vector.