How to give username/password to git clone in a script, but not store credentials in .git/config

git

I am cloning a git repository in a script like this:

git clone https://user:password@host.com/name/.git

This works, but my username and my password! are now stored in the origin url in .git/config.

How can I prevent this, but still do this in a script (so no manual password input)?

Best Answer

The method that I use is to actually use a git pull instead of a clone. The script would look like:

mkdir repo
cd repo
git init
git config user.email "email"
git config user.name "user"
git pull https://user:password@github.com/name/repo.git master

This will not store your username or password in .git/config. However, unless other steps are taken, the plaintext username and password will be visible while the process is running from commands that show current processes (e.g. ps).

As brought up in the comments, since this method is using HTTPS you must URL-encode any special characters that may appear in your password as well.

One further suggestion I would make (if you can't use ssh) is to actually use an OAuth token instead of plaintext username/password as it is slightly more secure. You can generate an OAuth token from your profile settings: https://github.com/settings/tokens.

Then using that token the pull command would be

git pull https://$OAUTH_TOKEN:x-oauth-basic@github.com/name/repo.git master

Related Solutions

Git clone/push/pull – where’s that username comes from

From Gitosis' point of view, your name is just the name, in keydir, of the public key that you authenticated with. No configuration on your local machine matters, except as it affects what public key you use, and the string at the end of the key doesn't matter -- just the filename.

You've given your public key two names, so when you authenticate with that key it is undefined which one of them it finds when it looks for a name for that key. When you changed some other things in Gitosis, presumably it happened to change the arbitrary choice of which name it found.

(Specifically, I believe Gitosis generates its own authorized_keys to contain all the keys in keydir, one per line, with options to tell sshd to only let the user run Gitosis, only in a controlled manner, and telling Gitosis the name of the key. If multiple lines have the same key, I'm not sure which one sshd ends up using -- maybe the first, maybe the last, maybe it's arbitrary. The order in which Gitosis writes them may also be arbitrary. But really the details of how the arbitrary choice happens are beside the point, because nobody guarantees they won't change in the next update to sshd or gitosis.)

You should pick which name you want to use to refer to yourself in the Gitosis config, and keep in keydir only the copy of your key under that name.

Manage http access to git repositories using gitosis

Gitosis uses gitweb for http publishing of repositories.

You need to have gitweb running.

Please ensure that gitweb is installed. Your gitweb.conf should look like:

# Location of the git binary
$GIT = "/usr/bin/git";

# Project root for gitweb
$projectroot = "/srv/git/repositories";

$stylesheet = "/gitweb.css";
$logo = "/git-logo.png";
$favicon = "/git-favicon.png";

# Site name
$site_name = "My site";

# URL formatting
#$my_uri = "http://git.somewhere.net/";
#$home_link = $my_uri;

# Base URL for project trees
@git_base_url_list = ("ssh://git\@somewhere.net");

# Length of the project description column in the webpage.
$projects_list_description_width = 50;

# Which repos are allowed to export
$export_ok = "git-daemon-export-ok";

# Enable PATH_INFO so the server can produce URLs of the
# form: http://git.hokietux.net/project.git/xxx/xxx
$feature{'pathinfo'}{'default'} = [1];

# Enable blame, pickaxe search, snapshop, search, and grep
$feature{'blame'}{'default'} = [1];
$feature{'blame'}{'override'} = [1];

$feature{'pickaxe'}{'default'} = [1];
$feature{'pickaxe'}{'override'} = [1];

$feature{'snapshot'}{'default'} = [1];
$feature{'snapshot'}{'override'} = [1];

$feature{'search'}{'default'} = [1];

$feature{'grep'}{'default'} = [1];
$feature{'grep'}{'override'} = [1];

Example gitweb config in apache:

Alias /gitweb/gitweb.css /usr/share/gitweb/gitweb.css
Alias /gitweb/git-logo.png /usr/share/gitweb/git-logo.png
Alias /gitweb/git-favicon.png /usr/share/gitweb/git-favicon.png
ScriptAlias /gitweb /usr/lib/cgi-bin/gitweb.cgi
<Directory /usr/share/gitweb>
  Options FollowSymLinks +ExecCGI
  AddHandler cgi-script .cgi
</Directory>
<Location /gitweb>
    Order allow,deny
    Allow from all
    #AuthType Basic
    #AuthName "GITOLITE"
    #AuthUserFile /etc/apache2/gitweb.htpasswd
    #Require valid-user
</Location>
# Securing with users example
<Location /gitweb/SomethingToHide.git>
        Require user myusername
</Location>

I've switched to gitolite because...

it is easier to use
it has more options (security, grouping etc.)

Best Answer

Related Solutions

Git clone/push/pull – where’s that username comes from

Manage http access to git repositories using gitosis

Related Topic