Difference between revisions of "Git Passwords in the Keychain"

From Exterior Memory
Latest revision as of 13:51, 16 July 2017

Git often accesses remote repositories, and requires authentication to push (and sometimes pull) the data. It can be annoying if git asks for your password each time you push or pull. I'm aware of four solutions that let you use git push or git pull without a password prompt.

  • Using SSH keys
  • Using credential helpers (git 1.7.9 or higher)
  • Using askpass interface (git 1.7.1 or higher)
  • Using curl's netrc

Using SSH keys

If your repository can be accessed over SSH, the solution is simple. Add your SSH public key to your remote server.

SSH uses asymmetric key pairs for authentication. If you store your public key at the remote server, you can log in with your private key that is on your local machine.

Your SSH public key can be found on your local computer in ~/.ssh/id_rsa.pub. To allow remote logins, store this public key on the remote server in ~/.ssh/authorized_keys. For GitHub, upload it to https://github.com/settings/ssh.

If your SSH private key is password protected, you will be prompted for a password after all. I have never tried it, but suspect that the SSH_ASKPASS environment variable can be used to automatically enter this password. If you tested this (with or without success), your contribution is most welcome.

Two-Factor Authentication (2FA)

A somewhat related warning:

If you use two-factor authentication, please be aware that HTTPS authentication does not work, and git pull and git push will fail with an Invalid username or password error. You need to use SSH authentication. If you enabled 2FA on GitHub, see Changing a remote's URL (https://help.github.com/articles/changing-a-remote-s-url) for information on how to change to SSH.

Using credential helpers

If your repository can be accessed over HTTPS, git will ask for your username and password each time you log in. Git itself is not able to store this password, but is able to invoke an external program. Git 1.7.9 introduced the concept of credential helpers, small programs that store or cache passwords and usernames.

More information about credential helpers is available at:

  • gitcredentials(7) (http://git-scm.com/docs/gitcredentials.html), listing the configuration options;
  • git-credential(1) (http://git-scm.com/docs/git-credential.html), detailing the protocol between git and the helper program;
  • Credential API (https://github.com/git/git/blob/master/Documentation/technical/api-credentials.txt), describing the Git internal implementation.

Git credentials on disk or in memory

The two credential helpers always available are:

  • cache to store usernames and passwords in memory. By default it caches usernames and passwords for 15 minutes.
  • store to store usernames and passwords in plain text.

See the man pages of git-credential-cache and git-credential-store respectively.

While store does not encrypt the password file in any way, the default permissions are set to be only user-readable.

Git credential helpers for Mac, Windows or Gnome

The git developers have created three very useful extensions:

  • git-credential-gnome-keyring to access usernames and passwords in the Gnome keyring.
  • git-credential-osxkeychain to access usernames and passwords in the Mac OS X Keychain.
  • git-credential-wincred to access usernames and passwords in the Windows Credential Manager.

These credential helpers are part of "contrib" (contributed code), and may not always be installed with all distributions of git.

To list which credential helpers are available, run:

git help -a | grep credential-

Third Party Credential Helpers

There are even more Credential Helpers:

  • git-credential-gnomekeyring (https://github.com/shugo/git-credential-gnomekeyring) to access the Gnome Keyring (this seems different from git-credential-gnome-keyring in git's contrib directory, https://github.com/git/git/tree/master/contrib/credential/gnome-keyring)
  • git-credential-winstore (https://github.com/anurse/git-credential-winstore) to access the Windows Credential Store (this seems different from git-credential-wincred in git's contrib directory, https://github.com/git/git/tree/master/contrib/credential/wincred)

I am not (yet) aware of a KDE credential helper, though the ksshaskpass package can be invoked using the askpass option (see the next section for details on askpass).

As an example, this is how you can download the osxkeychain credential helper and install it, if it is not part of your distribution for whatever reason:

wget http://github-media-downloads.s3.amazonaws.com/osx/git-credential-osxkeychain
sudo cp git-credential-osxkeychain /usr/local/bin/git-credential-osxkeychain
sudo chmod a+x /usr/local/bin/git-credential-osxkeychain

Configuring a Credential Helper

To enable the osxkeychain credential helper:

git config --global credential.helper osxkeychain

The first time the credential helper is invoked, it requests your username and password. These are subsequently stored in the Keychain. On all subsequent attempts, the stored password is used.

If your password has changed, or you would like the credential helper to forget it, open Apple's Keychain application and remove the entry for the specified URL (e.g. https://github.com/username/Project.git).

Multiple Accounts at the Same Website

By default, git credentials will use the same credentials for each repository in the same domain. So if you have multiple accounts at GitHub (or some other website), you're in a pickle. The easiest solution is to set the username in the repository (thus not globally). (Warning: this has not been tested yet)

cd myrepository
git config credential.https://example.com.username myusername

To use different credentials by default for each domain, set

git config --global credential.useHttpPath true
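To make the helper protocol from git-credential(1) and the matching rules behind the multiple-accounts settings above concrete, here is an added example (not code from the page, nor one of the helpers it lists): a minimal credential helper in Python. The keychain is replaced by a constructed in-memory record list (hypothetical), and the matching rule mirrors git's: protocol and host always, username when the request carries one (as credential.<url>.username causes), and path only when useHttpPath is on.

```python
"""Minimal git credential helper speaking the git-credential(1) protocol.

git runs it as  git credential-<name> get|store|erase  with key=value lines
on stdin and, for "get", expects username=/password= lines on stdout.
"""
import sys

# Constructed stand-in for the OS keychain: a list of credential records.
# (Hypothetical; a real helper would call the Keychain / Credential Manager.)
DEFAULT_RECORDS = []


def parse_request(text):
    """Parse the key=value request lines; a blank line ends the request."""
    req = {}
    for line in text.splitlines():
        if not line.strip():
            break
        key, _, value = line.partition("=")
        req[key] = value
    return req


def matches(record, req, use_http_path):
    """git's matching rule: protocol and host always; username only when the
    request names one (credential.<url>.username makes git send it); path
    only when credential.useHttpPath is true."""
    fields = ["protocol", "host", "username"]
    if use_http_path:
        fields.append("path")
    return all(record.get(f, "") == req[f] for f in fields if f in req)


def handle(action, req, records=DEFAULT_RECORDS, use_http_path=False):
    """Return the response dict for "get"; store/erase mutate records."""
    if action == "get":
        for rec in records:
            if matches(rec, req, use_http_path):
                return {"username": rec["username"], "password": rec["password"]}
        return {}  # no answer: git falls back to prompting the user
    if action == "store":
        # Replace any record for the same account, then keep the new one.
        records[:] = [r for r in records if not matches(r, req, use_http_path)]
        keep = ("protocol", "host", "path", "username", "password")
        records.append({k: req[k] for k in keep if k in req})
        return {}
    if action == "erase":
        # git sends erase after a rejected credential; drop only that account.
        records[:] = [r for r in records if not matches(r, req, use_http_path)]
        return {}
    raise ValueError("unknown action: " + action)


def main():
    action = sys.argv[1]
    resp = handle(action, parse_request(sys.stdin.read()))
    sys.stdout.write("".join(f"{k}={v}\n" for k, v in resp.items()))


if __name__ == "__main__":
    main()
```

Note that without a username in the request and without useHttpPath, the first record stored for the host answers every repository on it, which is exactly the "same credentials for each repository in the same domain" behaviour described above.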

Using askpass interface

Even before the introduction of credential helpers, git was able to invoke an external program to retrieve a password, using the askpass setting. When this setting is set, git invokes the specified program to ask for the password. It is very similar to a git credential helper, although according to the git developers it is less convenient (https://github.com/git/git/commit/abca927dbef2c310056b8a1a8be5561212b3243a).

There are at least two askpass helpers:

  • git-password by Samuel Kadolph which interfaces with the Mac OS X Keychain
  • ksshaskpass to interface with the KDE Wallet.

git-password for Mac OS X

To install and configure git-password:

wget https://github.com/downloads/samuelkadolph/git-password/git-password
sudo cp git-password /usr/local/bin/git-password
sudo chmod a+x /usr/local/bin/git-password

git config --global core.askpass /usr/local/bin/git-password

(The core.askpass option only works in git 1.7.3 and up. If you have git 1.7.1 or 1.7.2, set the GIT_ASKPASS environment variable in your shell instead: export GIT_ASKPASS="/usr/local/bin/git-password".)

The first time git-password is invoked, it requests your username and password. These are subsequently stored in the Keychain. On all subsequent attempts, the stored password is used.

If your password has changed, or you would like git-password to forget it, open Apple's Keychain application and remove the entry for the specified URL (e.g. https://github.com/username/Project.git).

Using curl's netrc

If all else fails, you can also store passwords in plain text in a .netrc file. This works because git uses the curl library, which reads this file. Store this file in your home directory (~/.netrc).

Here is an example .netrc file:

 machine github.com login myusername password mypasswd

with "myusername" and "mypasswd" replaced with your actual username and password.

Since the passwords in the .netrc file are stored in plain text, make sure that the file is not readable by other users.