summaryrefslogtreecommitdiff
path: root/src/git:secure_automated_http_credentials.adoc
diff options
context:
space:
mode:
Diffstat (limited to 'src/git:secure_automated_http_credentials.adoc')
-rw-r--r--src/git:secure_automated_http_credentials.adoc112
1 files changed, 112 insertions, 0 deletions
diff --git a/src/git:secure_automated_http_credentials.adoc b/src/git:secure_automated_http_credentials.adoc
new file mode 100644
index 0000000..8397b9f
--- /dev/null
+++ b/src/git:secure_automated_http_credentials.adoc
@@ -0,0 +1,112 @@
+GIT:Secure Automated HTTP Credentials
+=====================================
+:author: Aaron Ball
+:email: nullspoon@oper.io
+:revdate: October 14, 2017
+
+== {doctitle}
+
+At my employer, we're using link:https://git-scm.com/[Git] for a lot of
+projects. Unfortunately, the team that set the server up thinks that ssh is far
+less secure than http[s], so they have disabled it. This leaves the users of
+their Git server with one remaining option for authentication: our usernames
+and passwords.
+
+I did a bit of research on this and had a hard time finding the information I
+was looking for. This is because Git offers its own
+link:https://git-scm.com/book/en/v2/Git-Tools-Credential-Storage[credentials
+storage] feature. I however use link:https://www.passwordstore.org/[pass] for
+all of my passwords, which has its own credential caching (gnupg). I would
+rather not maintain my passwords in my password database as well as another
+one-off password inside of a git config (or have to type it every time the git
+credential manager times out).
+
+So how do we use an external password manager for painlessly authenticating to
+a git server over http?
+
+
+* <<git-setup, Git Setup>>
+* <<writing-the-wrapper-script, Writing the Wrapper Script>>
+* <<additional-information, Additional Information>>
+
+
+[[git-variable]]
+Git Setup
+---------
+
+The first step is a lesser-documented git environmental variable. If you run
+`man git` and search for the string *GIT_ASKPASS*, you will see that this
+variable provides git with the path to a program to be run whenever Git needs a
+password for an operation.
+
+Unfortunately, the contents of this variable are interpreted such that it is
+not space delimited, thus making it interpret the entire string as the path to
+the program. This prevents us from passing our own program arguments within the
+quoted variable string. However, at runtime, Git will pass one argument: the
+repo username.
+
+If we can't specify our own arguments (such as `/usr/bin/pass <gituser> | head
+-n1`), we're left with writing a wrapper script to interpret what Git gives to
+the askpass program, that will return the appropriate password. Fortunately,
+this gives us far more flexibility than can be achieved by one line of shell
+code.
+
+
+[[writing-the-wrapper-script]]
+Writing the Wrapper Script
+--------------------------
+
+To give git what it needs, we need to write a wrapper script. I put mine in
+'~/bin/git-askpass' (don't forget to execute `chmod +x ~/bin/git-askpass` to
+make it executable). The process is simple. If you want to write your own
+instead of using mine, you need a few steps.
+
+. Take argument 1 as the username
+. Call your password program (cat \~/.password, call keepass somehow, call
+ pass, etc)
+. Send to STDOUT only the password
+
+Here is the script I use
+
+.\~/bin/git-askpass
+----
+#!/usr/bin/env bash
+
+# Set 'export PASSNAME=foo' in your .bashrc and the script will use it.
+PASSNAME=${PASSNAME:-default}
+
+main() {
+ # Not going to do anything with this probably
+ local _username=${1}
+
+ pass ${PASSNAME} | head -n1
+}
+
+main ${@}
+----
+
+If you want to use that script unmodified, you should export your own value for
+'PASSNAME' in your .bashrc. If you don't want to do that, you can change the
+_default_ value specified to the name of your pass entry.
+
+Finally, to tell Git to use that script, also place `export
+GIT_ASKPASS=~/bin/git-askpass` in your .bashrc. The next time you try to do a
+git operation, it will call the wrapper script, which will call pass to give
+Git the password it needs.
+
+
+[[additional-information]]
+Additional Information
+----------------------
+
+Updating your .bashrc file is just one way you can set this. Another way is to
+use the git global config. Just run the following command and it will yield the
+same result.
+
+----
+ git config --global --add core.askpass ~/bin/git-askpass
+----
+
+
+[role="datelastedit"]
+Last edited: {revdate}

Generated by cgit