I am cloning a git repository in a script like this:
git clone https://user:password@host.com/name/.git
This works, but my username and my password! are now stored in the origin url in .git/config.
How can I prevent this, but still do this in a script (so no manual password input)?
The method that I use is to actually use a git pull instead of a clone. The script would look like:
mkdir repo
cd repo
git init
git config user.email "email"
git config user.name "user"
git pull https://user:password@github.com/name/repo.git master
This will not store your username or password in .git/config. However, unless other steps are taken, the plaintext username and password will be visible while the process is running from commands that show current processes (e.g. ps).
As brought up in the comments, since this method is using HTTPS you must URL-encode any special characters that may appear in your password as well.
One further suggestion I would make (if you can't use ssh) is to actually use an OAuth token instead of plaintext username/password as it is slightly more secure. You can generate an OAuth token from your profile settings: https://github.com/settings/tokens.
Then using that token the pull command would be
git pull https://$OAUTH_TOKEN:x-oauth-basic@github.com/name/repo.git master
IMO the best solution is using a custom GIT_ASKPASS helper and deliver the password as another environment variable. So for example, create a file git-askpass-helper.sh as:
#!/bin/sh
exec echo "$GIT_PASSWORD"
and then run git clone https://username@hostname/repo with environment variables GIT_ASKPASS=/path/to/git-askpass-helper.sh and GIT_PASSWORD=nuclearlaunchcodes.
This has the advantage that the password won't be visible in the process list too.
After going over dozens of SO posts, blogs, etc, I tried out every method, and this is what I came up with. It covers EVERYTHING.
These are all the ways and tools by which you can securely authenticate git to clone a repository without an interactive password prompt.
From what's asked here either SSH Keys, GIT_ASKPASS, or git credential store using the OS Keychain manager might be the best choice.
Since GIT_ASKPASS is probably the least understood of the 3, I'll detail that here - and the others are in the cheatsheet.
How to create an GIT_ASKPASS script:
echo 'echo $MY_GIT_TOKEN' > $HOME/.git-askpass
How to use it:
export MY_GIT_TOKEN=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
export GIT_ASKPASS=$HOME/.git-askpass
git clone https://token@code.example.com/project.git
The script receives stdin in the form of:
Password for 'scheme://host.tld':
The script receives Git ENVs such as:
GIT_DIR=/Users/me/project/.git
GIT_EXEC_PATH=/usr/local/Cellar/git/2.19.0_1/libexec/git-core
GIT_PREFIX=
More details in the cheatsheet.
You can enter your connection creds in your ~/.netrc file. Something along the lines of:
machine host.example.net
login bart
password eatmyshorts
Just make sure to chmod that file to 600. If you're using windows, the following link may be useful: https://stackoverflow.com/questions/6031214/git-how-to-use-netrc-file-on-windows-to-save-user-and-password
Personally, I have a tendency to use SSH keys for auth purposes (if you are allowed, of course).
Store your token or password somewhere safe, e.g. pass.
Then use a bash script to map git host to your password store, e.g.:
#!/usr/bin/env bash
# assuming "get" action from git and a config like this
# git config --global credential.helper $XDG_BIN_HOME'/git_credentials_from_pass $@'
while IFS= read -r line
do
echo "$line"
if [[ "$line" =~ host=.*github.com.* ]]; then
echo "username=your_user_name"
echo "password=$(pass show token_github.com/your_username)"
#else ...
fi
done
Change your_username and token_github.com the way you set it up.
