How is git credential manager secure if it displays token
I have credential.helper=manager-core, which is the new helper for Windows Credential Manager. I don't understand how it is secure if you can get Git to display your credentials with git credential fill.

Steps to reproduce

  1. Confirm the credential helper by executing the command git config --system --list. If you are running Git for Windows 2.29 or later, you should see credential.helper=manager-core in the list. For earlier versions credential.helper is set to manager, not manager-core. I'm running the latest Git for Windows 2.29.2, so for me it returns manager-core.
  2. Next, if your credentials have been stored by the helper, the command below should return the credentials on stdout:

         git credential fill
         protocol=https
         host=github.com
         <HIT ENTER KEY TWICE, as a blank line signals input completion>

  3. The credentials should now display on your console. It is able to display the password/token based on whatever you initially configured your Git with. In my case I had authenticated with a GitHub personal access token and it displayed that PAT.
Cutlerr answered 24/3, 2021 at 22:31 Comment(0)
What you've noticed is that if you invoke git credential fill in the same way as Git does, then it will output the credentials that Git uses to authenticate you. This is useful because Git needs some way to get them out, and it's also possible for you to use a token by extracting it in this way to make API calls if you need to.

The reason this is secure is because if you've properly configured an appropriate credential manager, the data is stored in an encrypted format, and it's only unlocked either when you log in or when you otherwise unlock it. How that works on Windows depends on how you have Git Credential Manager Core configured, but the libsecret helper I use on Linux stores the data encrypted in my system keychain, which is unlocked when I log in, and is not available when I'm not logged in.

Note that in many cases, you can extract similar data using other APIs that the credential store uses, such as (on Linux) secret-tool or the like, so the fact that you can print it to the terminal using git credential fill is no different than your ability to use any other API to print it to the terminal or view it using the typical viewer you use on your system.

Quintessa answered 24/3, 2021 at 22:58 Comment(3)
Thanks for your response. "The reason this is secure is because if you've properly configured an appropriate credential manager, the data is stored in an encrypted format": on this note I would like to point out that I see one more option, i.e. credential.https://dev.azure.com.usehttppath=true. Is this the configuration that you are referring to in your statement? – Cutlerr
Will external scripts or packages/modules (like npm's) be able to read this credential which the credential manager is storing? What if some malicious npm module tries to get my credentials, say by just running git credential fill? As per the official docs, Git exposes this to scripts. And this again brings me back to my original concern of the credential storage mechanism being secure in the first place. Maybe I am missing something, but I would like to learn. – Cutlerr
The usehttppath option just requires specification of a path in the input. The behavior is otherwise the same. And yes, other malicious programs running on your account could read it, but they could do that with or without this functionality. A malicious program running as your user can already access all your information. – Quintessa
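To make the exchange concrete, here is an added example (not Git's or Git Credential Manager's own code) that models the git-credential protocol the steps above drive and the useHttpPath behaviour discussed in the comments: Git writes key=value lines terminated by a blank line, the helper answers in the same format, and the path is part of the request (and therefore of the lookup) only for hosts where credential.<url>.useHttpPath is set. The store contents, the host list and the placeholder tokens are constructed, and the helper's matching rule is a simplification.

```python
from urllib.parse import urlsplit

# Constructed sample store standing in for the helper's encrypted backend
# (Windows Credential Manager, libsecret, ...). All secrets are placeholders.
SAMPLE_STORE = [
    {"protocol": "https", "host": "github.com", "path": "",
     "username": "alice", "password": "ghp_PLACEHOLDER_TOKEN"},
    {"protocol": "https", "host": "dev.azure.com", "path": "org-a/_git/repo",
     "username": "alice", "password": "pat-org-a-PLACEHOLDER"},
    {"protocol": "https", "host": "dev.azure.com", "path": "org-b/_git/repo",
     "username": "bob", "password": "pat-org-b-PLACEHOLDER"},
]
# Hosts for which credential.<url>.useHttpPath=true is set (assumed config).
USE_HTTP_PATH_HOSTS = {"dev.azure.com"}


def build_request(url: str, use_http_path_hosts=USE_HTTP_PATH_HOSTS) -> str:
    """What Git writes to the helper's stdin for a remote URL: protocol and
    host always, the path only when useHttpPath applies to that host.
    Each line is key=value and a blank line terminates the request."""
    u = urlsplit(url)
    fields = {"protocol": u.scheme, "host": u.netloc}
    if u.netloc in use_http_path_hosts:
        fields["path"] = u.path.lstrip("/")
    return "".join(f"{k}={v}\n" for k, v in fields.items()) + "\n"


def parse_request(text: str) -> dict:
    """Helper side: read key=value lines until the blank line (or EOF)."""
    req = {}
    for line in text.splitlines():
        if line == "":
            break
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"malformed credential line: {line!r}")
        req[key] = value
    return req


def helper_fill(text: str, store=SAMPLE_STORE):
    """Simplified helper lookup: every key present in the request must match
    the stored entry, so a request carrying no path matches any path."""
    req = parse_request(text)
    if "protocol" not in req or "host" not in req:
        raise ValueError("protocol and host are required")
    for entry in store:
        if all(entry.get(k) == v for k, v in req.items()):
            return {**req, "username": entry["username"], "password": entry["password"]}
    return None  # nothing stored: Git would prompt interactively instead
```

Nothing in the protocol itself authenticates the caller, which is exactly the answer's point: any process running as your user can drive the same exchange, so the boundary that matters is the account and the keychain's unlock state, not the helper.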
