Difference between revisions of "Git Passwords in the Keychain"

From Exterior Memory
(Created page with "Git often accesses remote repositories, and requires authentication to push (and something pull) the data. It can be annoying if git asks for your password each time you push ...")
 
(Git credential helpers for Mac, Windows or Gnome)
Line 22: Line 22:
  
 
Git 1.7.9 introduced the concept of credential helpers, small programs that store or cache passwords and usernames.
 
Git 1.7.9 introduced the concept of credential helpers, small programs that store or cache passwords and usernames.
 +
 +
=== Contrib Credential Helpers ===
  
 
The git developers has created three very useful extensions:
 
The git developers has created three very useful extensions:
Line 32: Line 34:
 
To list which credential helpers are available, run:
 
To list which credential helpers are available, run:
 
  git help -a | grep credential-
 
  git help -a | grep credential-
 +
 +
=== Manual Adding of Credential Helpers ===
  
 
In some cases, you may download a missing helper manually:
 
In some cases, you may download a missing helper manually:
Line 41: Line 45:
 
  sudo cp git-credential-osxkeychain /usr/lib/git-core/git-credential-osxkeychain
 
  sudo cp git-credential-osxkeychain /usr/lib/git-core/git-credential-osxkeychain
 
  sudo chmod a+x /usr/lib/git-core/git-credential-osxkeychain
 
  sudo chmod a+x /usr/lib/git-core/git-credential-osxkeychain
 +
 +
=== Finding Third Party Credential Helpers ===
 +
 +
There are even more Credential Helpers:
 +
 +
* [https://github.com/shugo/git-credential-gnomekeyring git-credential-gnomekeyring] to access the Gnome Keyring (this seems different from [https://github.com/git/git/tree/master/contrib/credential/gnome-keyring git-credential-gnome-keyring])
 +
* [https://github.com/anurse/git-credential-winstore git-credential-winstore] to access the Windows Credential Store (this seems different from [https://github.com/git/git/tree/master/contrib/credential/wincred git-credential-wincred])
 +
 +
I am not *yet) aware of a KDE credential helper, though [http://blog.sleeplessbeastie.eu/2012/08/12/git-how-to-avoid-typing-your-password-repeatedly the ''ksshaskpass'' package can be invoked using the askpass option] (see the next section for details on askpass).
 +
 +
=== Configuring a Credential Helper ===
  
 
To enable the osxkeychain credential helper:
 
To enable the osxkeychain credential helper:
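Review bot: the added sentence "I am not *yet) aware of a KDE credential helper" opens its aside with an asterisk and closes it with a parenthesis; it should read "(yet)". In the same sentence, "see the next section for details on askpass" is now followed directly by the new "Configuring a Credential Helper" heading, so name the askpass section instead of saying "next". The two third-party entries each say the helper "seems different from" the contrib one; stating what differs would help a reader decide which to install.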

Revision as of 14:28, 16 November 2012

Git often accesses remote repositories, and requires authentication to push (and sometimes pull) the data. It can be annoying if git asks for your password each time you push or pull. I'm aware of five solutions that let you use git push or git pull without a password prompt.

  • Using SSH keys
  • Storing passwords using git credentials in the Mac, Windows or Gnome keyring
  • Storing passwords in the Mac OS X Keychain using git-password
  • Store or cache passwords using git credentials
  • Storing passwords in plain text using netrc

Using SSH keys

If your repository can be accessed over SSH, the solution is simple. Add your SSH public key to your remote server.

SSH uses asymmetric key pairs for authentication. If you store your public key on the remote server, you can log in with the private key that stays on your local machine. While it is common to protect the private key with a passphrase, you don't have to.

Your SSH public key can be found on your local computer in ~/.ssh/id_rsa.pub.

To allow remote logins, store this public key on the remote server in ~/.ssh/authorized_keys. For GitHub, upload it to https://github.com/settings/ssh.

Git credential helpers for Mac, Windows or Gnome

If your repository can be accessed over HTTPS, git will ask for your username and password each time you log in. Git itself is not able to store this password, but is able to invoke an external program.

Git 1.7.9 introduced the concept of credential helpers, small programs that store or cache passwords and usernames.

Contrib Credential Helpers

The git developers have created three very useful extensions:

  • git-credential-gnome-keyring to access usernames and passwords in the Gnome keyring.
  • git-credential-osxkeychain to access usernames and passwords in the Mac OS X Keychain.
  • git-credential-wincred to access usernames and passwords in the Windows Credential Manager.

These credential helpers are part of "contrib" (contributed code), and may not always be installed with all distributions of git.

To list which credential helpers are available, run:

git help -a | grep credential-

Manual Adding of Credential Helpers

In some cases, you may download a missing helper manually:

To download the osxkeychain credential helper, check the location of git, and install it:

wget http://github-media-downloads.s3.amazonaws.com/osx/git-credential-osxkeychain
git --exec-path
# prints the directory that holds git's helper programs, for example /usr/lib/git-core
sudo cp git-credential-osxkeychain /usr/lib/git-core/git-credential-osxkeychain
sudo chmod a+x /usr/lib/git-core/git-credential-osxkeychain

Finding Third Party Credential Helpers

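There are even more Credential Helpers:

  • git-credential-gnomekeyring (https://github.com/shugo/git-credential-gnomekeyring) to access the Gnome Keyring (this seems different from git-credential-gnome-keyring, https://github.com/git/git/tree/master/contrib/credential/gnome-keyring)
  • git-credential-winstore (https://github.com/anurse/git-credential-winstore) to access the Windows Credential Store (this seems different from git-credential-wincred, https://github.com/git/git/tree/master/contrib/credential/wincred)

I am not (yet) aware of a KDE credential helper, though the ksshaskpass package can be invoked using the askpass option (see the next section for details on askpass).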

Configuring a Credential Helper

To enable the osxkeychain credential helper:

git config --global credential.helper osxkeychain

The folks at GitHub wrote a small program that reads the password from the Mac OS X Keychain.

The first time the credential helper is invoked, it requests your username and password. These are subsequently stored in the Keychain. On all subsequent attempts, the stored password is used.

If your password has changed, or you would like git-password to forget about it, open Apple's Keychain application and remove the entry for the specified URL (e.g. https://github.com/username/Project.git).

Storing Passwords in the Mac OS X Keychain with git-password

Even before the introduction of the credential helpers, git was able to invoke an external program to retrieve a password, using the askpass setting.

Samuel Kadolph wrote a small C program that reads the password from the Mac OS X Keychain, called git-password.

To install and configure it:

wget https://github.com/downloads/samuelkadolph/git-password/git-password
sudo cp git-password /usr/local/bin/git-password
sudo chmod a+x /usr/local/bin/git-password

git config --global core.askpass /usr/local/bin/git-password

(The core.askpass option only works in git 1.7.3 and up. If you have an earlier version, set the GIT_ASKPASS environment variable in your shell: export GIT_ASKPASS="/usr/local/bin/git-password".)

The first time git-password is invoked, it requests your username and password. These are subsequently stored in the Keychain. On all subsequent attempts, the stored password is used.

If your password has changed, or you would like git-password to forget about it, open Apple's Keychain application and remove the entry for the specified URL (e.g. https://github.com/username/Project.git).

Store or Cache Passwords with git credentials (insecure)

Git 1.7.9 introduced the concept of credential helpers, small programs that store or cache passwords and usernames.

The two credential helpers always available are:

  • cache to store usernames and passwords in memory. By default it caches usernames and passwords for 15 minutes.
  • store to store usernames and passwords in plain text.

See the man pages of git-credential-cache and git-credential-store respectively.

While store does not encrypt the password file in any way, the default permissions are set to be only user-readable.

If you only want to store a username, consider the following setting in your git config file, as explained on the gitcredentials man page:

[credential "https://example.com"]
	username = foo

Storing Passwords in Plain Text (insecure)

If all else fails, you can also store passwords in a .netrc file. Store this file in your home directory (~/.netrc).

Here is an example .netrc file:

 machine github.com login myusername password mypasswd

with "myusername" and "mypasswd" replaced with your actual username and password.
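
The store helper and .netrc sections above both leave the password in a plain-text file, so file permissions are the only protection. The following audit script is an added example, not part of the original page or of git; it assumes the store helper's default file ~/.git-credentials, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit plain-text git credential files and the configured helper.

# Print the group/other permission bits of a path, e.g. "------" or "r--r--".
group_other_bits() {
    ls -ld "$1" | cut -c5-10
}

# Return 0 if the file is absent or accessible only by its owner, 1 otherwise.
check_private() {
    [ -e "$1" ] || return 0
    [ "$(group_other_bits "$1")" = "------" ]
}

# Classify a credential.helper value by where it keeps the password.
classify_helper() {
    case "$1" in
        "")                                 echo "none" ;;
        store|store\ *)                     echo "plaintext-file" ;;
        cache|cache\ *)                     echo "memory" ;;
        osxkeychain|wincred|gnome-keyring)  echo "os-keyring" ;;
        *)                                  echo "unknown" ;;
    esac
}

# Audit one home directory (default: $HOME). Returns 1 if any file is too open.
audit() {
    home=${1:-$HOME}
    status=0
    for f in "$home/.git-credentials" "$home/.netrc"; do
        if ! check_private "$f"; then
            echo "WARN: $f is accessible to group/other; run: chmod 600 $f"
            status=1
        fi
    done
    if [ -f "$home/.netrc" ] && grep -q 'password' "$home/.netrc"; then
        echo "NOTE: $home/.netrc holds a plain-text password"
    fi
    helper=$(git config --global credential.helper 2>/dev/null || true)
    echo "credential.helper: ${helper:-<unset>} ($(classify_helper "$helper"))"
    return $status
}

# Run the audit only when asked, so the functions can also be sourced.
if [ "${1:-}" = "--run" ]; then audit; fi
```

Run it with --run to audit your own home directory; a non-zero exit status means at least one credential file is readable or writable by someone other than its owner.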