2011-12-10 11:31:38 +01:00
|
|
|
gitcredentials(7)
|
|
|
|
=================
|
|
|
|
|
|
|
|
NAME
|
|
|
|
----
|
2020-08-05 03:19:04 +02:00
|
|
|
gitcredentials - Providing usernames and passwords to Git
|
2011-12-10 11:31:38 +01:00
|
|
|
|
|
|
|
SYNOPSIS
|
|
|
|
--------
|
|
|
|
------------------
|
|
|
|
git config credential.https://example.com.username myusername
|
|
|
|
git config credential.helper "$helper $options"
|
|
|
|
------------------
|
|
|
|
|
|
|
|
DESCRIPTION
|
|
|
|
-----------
|
|
|
|
|
|
|
|
Git will sometimes need credentials from the user in order to perform
|
|
|
|
operations; for example, it may need to ask for a username and password
|
2022-11-08 14:01:27 +01:00
|
|
|
in order to access a remote repository over HTTP. Some remotes accept
|
|
|
|
a personal access token or OAuth access token as a password. This
|
|
|
|
manual describes the mechanisms Git uses to request these credentials,
|
|
|
|
as well as some features to avoid inputting these credentials repeatedly.
|
2011-12-10 11:31:38 +01:00
|
|
|
|
|
|
|
REQUESTING CREDENTIALS
|
|
|
|
----------------------
|
|
|
|
|
2013-01-21 20:17:53 +01:00
|
|
|
Without any credential helpers defined, Git will try the following
|
2011-12-10 11:31:38 +01:00
|
|
|
strategies to ask the user for usernames and passwords:
|
|
|
|
|
|
|
|
1. If the `GIT_ASKPASS` environment variable is set, the program
|
|
|
|
specified by the variable is invoked. A suitable prompt is provided
|
|
|
|
to the program on the command line, and the user's input is read
|
|
|
|
from its standard output.
|
|
|
|
|
2015-03-11 21:32:45 +01:00
|
|
|
2. Otherwise, if the `core.askPass` configuration variable is set, its
|
2011-12-10 11:31:38 +01:00
|
|
|
value is used as above.
|
|
|
|
|
|
|
|
3. Otherwise, if the `SSH_ASKPASS` environment variable is set, its
|
|
|
|
value is used as above.
|
|
|
|
|
|
|
|
4. Otherwise, the user is prompted on the terminal.
|
|
|
|
|
|
|
|
AVOIDING REPETITION
|
|
|
|
-------------------
|
|
|
|
|
|
|
|
It can be cumbersome to input the same credentials over and over. Git
|
|
|
|
provides two methods to reduce this annoyance:
|
|
|
|
|
|
|
|
1. Static configuration of usernames for a given authentication context.
|
|
|
|
|
|
|
|
2. Credential helpers to cache or store passwords, or to interact with
|
|
|
|
a system password wallet or keychain.
|
|
|
|
|
|
|
|
The first is simple and appropriate if you do not have secure storage available
|
|
|
|
for a password. It is generally configured by adding this to your config:
|
|
|
|
|
|
|
|
---------------------------------------
|
|
|
|
[credential "https://example.com"]
|
|
|
|
username = me
|
|
|
|
---------------------------------------
|
|
|
|
|
2013-01-21 20:17:53 +01:00
|
|
|
Credential helpers, on the other hand, are external programs from which Git can
|
2011-12-10 11:31:38 +01:00
|
|
|
request both usernames and passwords; they typically interface with secure
|
2022-11-12 02:44:30 +01:00
|
|
|
storage provided by the OS or other programs. Alternatively, a
|
|
|
|
credential-generating helper might generate credentials for certain servers via
|
|
|
|
some API.
|
2011-12-10 11:31:38 +01:00
|
|
|
|
2011-12-10 11:34:14 +01:00
|
|
|
To use a helper, you must first select one to use. Git currently
|
|
|
|
includes the following helpers:
|
|
|
|
|
|
|
|
cache::
|
|
|
|
|
|
|
|
Cache credentials in memory for a short period of time. See
|
|
|
|
linkgit:git-credential-cache[1] for details.
|
|
|
|
|
2011-12-10 11:34:44 +01:00
|
|
|
store::
|
|
|
|
|
|
|
|
Store credentials indefinitely on disk. See
|
|
|
|
linkgit:git-credential-store[1] for details.
|
|
|
|
|
2011-12-10 11:34:14 +01:00
|
|
|
You may also have third-party helpers installed; search for
|
|
|
|
`credential-*` in the output of `git help -a`, and consult the
|
|
|
|
documentation of individual helpers. Once you have selected a helper,
|
2013-01-21 20:17:53 +01:00
|
|
|
you can tell Git to use it by putting its name into the
|
2011-12-10 11:31:38 +01:00
|
|
|
credential.helper variable.
|
|
|
|
|
|
|
|
1. Find a helper.
|
|
|
|
+
|
|
|
|
-------------------------------------------
|
|
|
|
$ git help -a | grep credential-
|
|
|
|
credential-foo
|
|
|
|
-------------------------------------------
|
|
|
|
|
|
|
|
2. Read its description.
|
|
|
|
+
|
|
|
|
-------------------------------------------
|
|
|
|
$ git help credential-foo
|
|
|
|
-------------------------------------------
|
|
|
|
|
2013-01-21 20:17:53 +01:00
|
|
|
3. Tell Git to use it.
|
2011-12-10 11:31:38 +01:00
|
|
|
+
|
|
|
|
-------------------------------------------
|
|
|
|
$ git config --global credential.helper foo
|
|
|
|
-------------------------------------------
|
|
|
|
|
|
|
|
|
|
|
|
CREDENTIAL CONTEXTS
|
|
|
|
-------------------
|
|
|
|
|
|
|
|
Git considers each credential to have a context defined by a URL. This context
|
|
|
|
is used to look up context-specific configuration, and is passed to any
|
|
|
|
helpers, which may use it as an index into secure storage.
|
|
|
|
|
2013-01-21 20:17:53 +01:00
|
|
|
For instance, imagine we are accessing `https://example.com/foo.git`. When Git
|
2011-12-10 11:31:38 +01:00
|
|
|
looks into a config file to see if a section matches this context, it will
|
|
|
|
consider the two a match if the context is a more-specific subset of the
|
|
|
|
pattern in the config file. For example, if you have this in your config file:
|
|
|
|
|
|
|
|
--------------------------------------
|
|
|
|
[credential "https://example.com"]
|
|
|
|
username = foo
|
|
|
|
--------------------------------------
|
|
|
|
|
|
|
|
then we will match: both protocols are the same, both hosts are the same, and
|
|
|
|
the "pattern" URL does not care about the path component at all. However, this
|
|
|
|
context would not match:
|
|
|
|
|
|
|
|
--------------------------------------
|
|
|
|
[credential "https://kernel.org"]
|
|
|
|
username = foo
|
|
|
|
--------------------------------------
|
|
|
|
|
2013-01-21 20:17:53 +01:00
|
|
|
because the hostnames differ. Nor would it match `foo.example.com`; Git
|
2011-12-10 11:31:38 +01:00
|
|
|
compares hostnames exactly, without considering whether two hosts are part of
|
|
|
|
the same domain. Likewise, a config entry for `http://example.com` would not
|
credential: allow wildcard patterns when matching config
In some cases, a user will want to use a specific credential helper for
a wildcard pattern, such as https://*.corp.example.com. We have code
that handles this already with the urlmatch code, so let's use that
instead of our custom code.
Since the urlmatch code is a superset of our current matching in terms
of capabilities, there shouldn't be any cases of things that matched
previously that don't match now. However, in addition to wildcard
matching, we now use partial path matching, which can cause slightly
different behavior in the case that a helper applies to the prefix
(considering path components) of the remote URL. While different, this
is probably the behavior people were wanting anyway.
Since we're using the urlmatch code, we need to encode the components
we've gotten into a URL to match, so add a function to percent-encode
data and format the URL with it. We now also no longer need to the
custom code to match URLs, so let's remove it.
Additionally, the urlmatch code always looks for the best match, whereas
we want all matches for credential helpers to preserve existing
behavior. Let's add an optional field, select_fn, that lets us control
which items we want (in this case, all of them) and default it to the
best-match code that already exists for other users.
Signed-off-by: brian m. carlson <bk2204@github.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2020-02-20 03:24:13 +01:00
|
|
|
match: Git compares the protocols exactly. However, you may use wildcards in
|
2021-11-06 19:48:55 +01:00
|
|
|
the domain name and other pattern matching techniques as with the `http.<URL>.*`
|
credential: allow wildcard patterns when matching config
In some cases, a user will want to use a specific credential helper for
a wildcard pattern, such as https://*.corp.example.com. We have code
that handles this already with the urlmatch code, so let's use that
instead of our custom code.
Since the urlmatch code is a superset of our current matching in terms
of capabilities, there shouldn't be any cases of things that matched
previously that don't match now. However, in addition to wildcard
matching, we now use partial path matching, which can cause slightly
different behavior in the case that a helper applies to the prefix
(considering path components) of the remote URL. While different, this
is probably the behavior people were wanting anyway.
Since we're using the urlmatch code, we need to encode the components
we've gotten into a URL to match, so add a function to percent-encode
data and format the URL with it. We now also no longer need to the
custom code to match URLs, so let's remove it.
Additionally, the urlmatch code always looks for the best match, whereas
we want all matches for credential helpers to preserve existing
behavior. Let's add an optional field, select_fn, that lets us control
which items we want (in this case, all of them) and default it to the
best-match code that already exists for other users.
Signed-off-by: brian m. carlson <bk2204@github.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2020-02-20 03:24:13 +01:00
|
|
|
options.
|
2011-12-10 11:31:38 +01:00
|
|
|
|
2018-09-27 00:23:11 +02:00
|
|
|
If the "pattern" URL does include a path component, then this too must match
|
|
|
|
exactly: the context `https://example.com/bar/baz.git` will match a config
|
|
|
|
entry for `https://example.com/bar/baz.git` (in addition to matching the config
|
|
|
|
entry for `https://example.com`) but will not match a config entry for
|
|
|
|
`https://example.com/bar`.
|
|
|
|
|
2011-12-10 11:31:38 +01:00
|
|
|
|
|
|
|
CONFIGURATION OPTIONS
|
|
|
|
---------------------
|
|
|
|
|
|
|
|
Options for a credential context can be configured either in
|
docs: stop using asciidoc no-inline-literal
In asciidoc 7, backticks like `foo` produced a typographic
effect, but did not otherwise affect the syntax. In asciidoc
8, backticks introduce an "inline literal" inside which markup
is not interpreted. To keep compatibility with existing
documents, asciidoc 8 has a "no-inline-literal" attribute to
keep the old behavior. We enabled this so that the
documentation could be built on either version.
It has been several years now, and asciidoc 7 is no longer
in wide use. We can now decide whether or not we want
inline literals on their own merits, which are:
1. The source is much easier to read when the literal
contains punctuation. You can use `master~1` instead
of `master{tilde}1`.
2. They are less error-prone. Because of point (1), we
tend to make mistakes and forget the extra layer of
quoting.
This patch removes the no-inline-literal attribute from the
Makefile and converts every use of backticks in the
documentation to an inline literal (they must be cleaned up,
or the example above would literally show "{tilde}" in the
output).
Problematic sites were found by grepping for '`.*[{\\]' and
examined and fixed manually. The results were then verified
by comparing the output of "html2text" on the set of
generated html pages. Doing so revealed that in addition to
making the source more readable, this patch fixes several
formatting bugs:
- HTML rendering used the ellipsis character instead of
literal "..." in code examples (like "git log A...B")
- some code examples used the right-arrow character
instead of '->' because they failed to quote
- api-config.txt did not quote tilde, and the resulting
HTML contained a bogus snippet like:
<tt><sub></tt> foo <tt></sub>bar</tt>
which caused some parsers to choke and omit whole
sections of the page.
- git-commit.txt confused ``foo`` (backticks inside a
literal) with ``foo'' (matched double-quotes)
- mentions of `A U Thor <author@example.com>` used to
erroneously auto-generate a mailto footnote for
author@example.com
- the description of --word-diff=plain incorrectly showed
the output as "[-removed-] and {added}", not "{+added+}".
- using "prime" notation like:
commit `C` and its replacement `C'`
confused asciidoc into thinking that everything between
the first backtick and the final apostrophe were meant
to be inside matched quotes
- asciidoc got confused by the escaping of some of our
asterisks. In particular,
`credential.\*` and `credential.<url>.\*`
properly escaped the asterisk in the first case, but
literally passed through the backslash in the second
case.
Signed-off-by: Jeff King <peff@peff.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2012-04-26 10:51:57 +02:00
|
|
|
`credential.*` (which applies to all credentials), or
|
2021-11-06 19:48:55 +01:00
|
|
|
`credential.<URL>.*`, where <URL> matches the context as described
|
2011-12-10 11:31:38 +01:00
|
|
|
above.
|
|
|
|
|
|
|
|
The following options are available in either location:
|
|
|
|
|
|
|
|
helper::
|
|
|
|
|
|
|
|
The name of an external credential helper, and any associated options.
|
|
|
|
If the helper name is not an absolute path, then the string `git
|
|
|
|
credential-` is prepended. The resulting string is executed by the
|
|
|
|
shell (so, for example, setting this to `foo --option=bar` will execute
|
|
|
|
`git credential-foo --option=bar` via the shell. See the manual of
|
|
|
|
specific helpers for examples of their use.
|
2017-05-02 02:21:14 +02:00
|
|
|
+
|
|
|
|
If there are multiple instances of the `credential.helper` configuration
|
|
|
|
variable, each helper will be tried in turn, and may provide a username,
|
|
|
|
password, or nothing. Once Git has acquired both a username and a
|
credential: new attribute password_expiry_utc
Some passwords have an expiry date known at generation. This may be
years away for a personal access token or hours for an OAuth access
token.
When multiple credential helpers are configured, `credential fill` tries
each helper in turn until it has a username and password, returning
early. If Git authentication succeeds, `credential approve`
stores the successful credential in all helpers. If authentication
fails, `credential reject` erases matching credentials in all helpers.
Helpers implement corresponding operations: get, store, erase.
The credential protocol has no expiry attribute, so helpers cannot
store expiry information. Even if a helper returned an improvised
expiry attribute, git credential discards unrecognised attributes
between operations and between helpers.
This is a particular issue when a storage helper and a
credential-generating helper are configured together:
[credential]
helper = storage # eg. cache or osxkeychain
helper = generate # eg. oauth
`credential approve` stores the generated credential in both helpers
without expiry information. Later `credential fill` may return an
expired credential from storage. There is no workaround, no matter how
clever the second helper. The user sees authentication fail (a retry
will succeed).
Introduce a password expiry attribute. In `credential fill`, ignore
expired passwords and continue to query subsequent helpers.
In the example above, `credential fill` ignores the expired password
and a fresh credential is generated. If authentication succeeds,
`credential approve` replaces the expired password in storage.
If authentication fails, the expired credential is erased by
`credential reject`. It is unnecessary but harmless for storage
helpers to self prune expired credentials.
Add support for the new attribute to credential-cache.
Eventually, I hope to see support in other popular storage helpers.
Example usage in a credential-generating helper
https://github.com/hickford/git-credential-oauth/pull/16
Signed-off-by: M Hickford <mirth.hickford@gmail.com>
Reviewed-by: Calvin Wan <calvinwan@google.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2023-02-18 07:32:57 +01:00
|
|
|
non-expired password, no more helpers will be tried.
|
2017-05-02 02:21:14 +02:00
|
|
|
+
|
|
|
|
If `credential.helper` is configured to the empty string, this resets
|
|
|
|
the helper list to empty (so you may override a helper set by a
|
|
|
|
lower-priority config file by configuring the empty-string helper,
|
|
|
|
followed by whatever set of helpers you would like).
|
2011-12-10 11:31:38 +01:00
|
|
|
|
|
|
|
username::
|
|
|
|
|
|
|
|
A default username, if one is not provided in the URL.
|
|
|
|
|
|
|
|
useHttpPath::
|
|
|
|
|
2013-01-21 20:17:53 +01:00
|
|
|
By default, Git does not consider the "path" component of an http URL
|
2011-12-10 11:31:38 +01:00
|
|
|
to be worth matching via external helpers. This means that a credential
|
|
|
|
stored for `https://example.com/foo.git` will also be used for
|
|
|
|
`https://example.com/bar.git`. If you do want to distinguish these
|
|
|
|
cases, set this option to `true`.
|
|
|
|
|
|
|
|
|
|
|
|
CUSTOM HELPERS
|
|
|
|
--------------
|
|
|
|
|
|
|
|
You can write your own custom helpers to interface with any system in
|
2020-02-14 19:54:59 +01:00
|
|
|
which you keep credentials.
|
|
|
|
|
|
|
|
Credential helpers are programs executed by Git to fetch or save
|
|
|
|
credentials from and to long-term storage (where "long-term" is simply
|
|
|
|
longer than a single Git process; e.g., credentials may be stored
|
|
|
|
in-memory for a few minutes, or indefinitely on disk).
|
|
|
|
|
|
|
|
Each helper is specified by a single string in the configuration
|
|
|
|
variable `credential.helper` (and others, see linkgit:git-config[1]).
|
|
|
|
The string is transformed by Git into a command to be executed using
|
|
|
|
these rules:
|
|
|
|
|
|
|
|
1. If the helper string begins with "!", it is considered a shell
|
|
|
|
snippet, and everything after the "!" becomes the command.
|
|
|
|
|
|
|
|
2. Otherwise, if the helper string begins with an absolute path, the
|
|
|
|
verbatim helper string becomes the command.
|
|
|
|
|
|
|
|
3. Otherwise, the string "git credential-" is prepended to the helper
|
|
|
|
string, and the result becomes the command.
|
|
|
|
|
|
|
|
The resulting command then has an "operation" argument appended to it
|
|
|
|
(see below for details), and the result is executed by the shell.
|
|
|
|
|
|
|
|
Here are some example specifications:
|
|
|
|
|
|
|
|
----------------------------------------------------
|
|
|
|
# run "git credential-foo"
|
2020-05-01 09:33:05 +02:00
|
|
|
[credential]
|
|
|
|
helper = foo
|
2020-02-14 19:54:59 +01:00
|
|
|
|
|
|
|
# same as above, but pass an argument to the helper
|
2020-05-01 09:33:05 +02:00
|
|
|
[credential]
|
|
|
|
helper = "foo --bar=baz"
|
2020-02-14 19:54:59 +01:00
|
|
|
|
|
|
|
# the arguments are parsed by the shell, so use shell
|
|
|
|
# quoting if necessary
|
2020-05-01 09:33:05 +02:00
|
|
|
[credential]
|
|
|
|
helper = "foo --bar='whitespace arg'"
|
2020-02-14 19:54:59 +01:00
|
|
|
|
|
|
|
# you can also use an absolute path, which will not use the git wrapper
|
2020-05-01 09:33:05 +02:00
|
|
|
[credential]
|
|
|
|
helper = "/path/to/my/helper --with-arguments"
|
2020-02-14 19:54:59 +01:00
|
|
|
|
|
|
|
# or you can specify your own shell snippet
|
2020-05-01 09:33:11 +02:00
|
|
|
[credential "https://example.com"]
|
|
|
|
username = your_user
|
|
|
|
helper = "!f() { test \"$1\" = get && echo \"password=$(cat $HOME/.secret)\"; }; f"
|
2020-02-14 19:54:59 +01:00
|
|
|
----------------------------------------------------
|
|
|
|
|
|
|
|
Generally speaking, rule (3) above is the simplest for users to specify.
|
|
|
|
Authors of credential helpers should make an effort to assist their
|
|
|
|
users by naming their program "git-credential-$NAME", and putting it in
|
|
|
|
the `$PATH` or `$GIT_EXEC_PATH` during installation, which will allow a
|
|
|
|
user to enable it with `git config credential.helper $NAME`.
|
|
|
|
|
|
|
|
When a helper is executed, it will have one "operation" argument
|
|
|
|
appended to its command line, which is one of:
|
|
|
|
|
|
|
|
`get`::
|
|
|
|
|
|
|
|
Return a matching credential, if any exists.
|
|
|
|
|
|
|
|
`store`::
|
|
|
|
|
|
|
|
Store the credential, if applicable to the helper.
|
|
|
|
|
|
|
|
`erase`::
|
|
|
|
|
|
|
|
Remove a matching credential, if any, from the helper's storage.
|
|
|
|
|
|
|
|
The details of the credential will be provided on the helper's stdin
|
|
|
|
stream. The exact format is the same as the input/output format of the
|
|
|
|
`git credential` plumbing command (see the section `INPUT/OUTPUT
|
|
|
|
FORMAT` in linkgit:git-credential[1] for a detailed specification).
|
|
|
|
|
|
|
|
For a `get` operation, the helper should produce a list of attributes on
|
|
|
|
stdout in the same format (see linkgit:git-credential[1] for common
|
|
|
|
attributes). A helper is free to produce a subset, or even no values at
|
|
|
|
all if it has nothing useful to provide. Any provided attributes will
|
2020-05-06 23:47:25 +02:00
|
|
|
overwrite those already known about by Git's credential subsystem.
|
2022-10-24 09:57:48 +02:00
|
|
|
Unrecognised attributes are silently discarded.
|
2020-05-06 23:47:25 +02:00
|
|
|
|
|
|
|
While it is possible to override all attributes, well behaving helpers
|
|
|
|
should refrain from doing so for any attribute other than username and
|
|
|
|
password.
|
|
|
|
|
|
|
|
If a helper outputs a `quit` attribute with a value of `true` or `1`,
|
|
|
|
no further helpers will be consulted, nor will the user be prompted
|
|
|
|
(if no credential has been provided, the operation will then fail).
|
|
|
|
|
|
|
|
Similarly, no more helpers will be consulted once both username and
|
|
|
|
password had been provided.
|
2020-02-14 19:54:59 +01:00
|
|
|
|
|
|
|
For a `store` or `erase` operation, the helper's output is ignored.
|
2020-05-06 23:47:25 +02:00
|
|
|
|
|
|
|
If a helper fails to perform the requested operation or needs to notify
|
|
|
|
the user of a potential issue, it may write to stderr.
|
|
|
|
|
2022-11-12 02:44:30 +01:00
|
|
|
If it does not support the requested operation (e.g., a read-only store
|
|
|
|
or generator), it should silently ignore the request.
|
2020-02-14 19:54:59 +01:00
|
|
|
|
|
|
|
If a helper receives any other operation, it should silently ignore the
|
|
|
|
request. This leaves room for future operations to be added (older
|
|
|
|
helpers will just ignore the new requests).
|
2011-12-10 11:31:38 +01:00
|
|
|
|
|
|
|
GIT
|
|
|
|
---
|
|
|
|
Part of the linkgit:git[1] suite
|