How to set up credentials in Git Credential Manager on Linux?

2

5

I'm new to using Gitlab. My workplace has recently moved from on-prem Git to a cloud-based Gitlab host. I used ssh authentication in the past with our on-prem so never had to deal with credentials hanging around (I'm using Linux) in .git/config or ~/.gitconfig.

If I let git manage my credentials/tokens, with whatever defaults it uses, those creds/tokens end up stored in plaintext in my home directory under ~/.git-credentials or in the .git/config file, which is problematic for various reasons.

I poked around and found Git Credential Manager Core, but after getting it installed, as shown in the README, I'm not exactly sure it's working correctly, or I'm misunderstanding how to use it. I ran these commands to get it set up:

  • dpkg -i gcm-linux_amd64.2.0.785.deb
  • git-credential-manager-core configure
  • git config --global credential.credentialStore gpg
  • pass init <gpg-id>

I tried cloning a cloud-based repo using a personal access token, but when I clone it, gpg prompts me for my passphrase, but the token ends up in the .git/config file anyway.

$ git clone https://user-test-token:[email protected]/my.username/my-repo.git
$ cat .git/config
...
[remote "origin"]
        url = https://user-test-token:[email protected]/my.username/my-repo.git
...

What am I doing wrong?

Homophonic answered 17/10, 2022 at 20:8 Comment(7)
Does this answer your question? How can I save username and password in Git? - Pawnshop
Why not continue to use SSH based authentication? - Onia
@JakobGuldbergAaes not really. Anything using credential.helper is going to store things in the clear (as far as I can tell). Also, some of those posts mention just putting your credentials in the URL, which also gets saved in .git/config in cleartext. - Homophonic
@Onia our business unit was merged with another entity and this is how it works now. - Homophonic
@Homophonic "Anything using credential.helper is going to store things in the clear": That has not been my experience on Windows, where it is stored in the Windows Vault (the Windows Credential Manager). And Linux should have an equivalent (possibly passwordstore.org). You could even use setup netrc as a possible way to encrypt your credentials: I have done so back in the days, pre-GCM. - Lumbye
I think what @Onia means is to add an ssh-key to https://<gitlab-host>/-/profile/keys - Pawnshop
@JakobGuldbergAaes True, however the question is for HTTPS credentials management. - Lumbye
J
4

In your git clone command, you inserted a personal access token into the remote URL. This is insecure and prevents Git from calling any configured credential helpers. Instead, you should clone with the unadorned remote URL.

Next, Git Credential Manager only supports gitlab.com out of the box (see GitLab issue #374172). To use it with another GitLab instance such as gitlab.example.com, follow the instructions at https://github.com/git-ecosystem/git-credential-manager/blob/main/docs/gitlab.md.


For what it's worth, you might find it easier to use git-credential-oauth, included in many Linux distributions including Fedora, Debian and Ubuntu.

Jodhpur answered 27/5, 2023 at 5:14 Comment(0)
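
The point about tokens in the remote URL can be checked and corrected on an existing clone. The following is an added example, not part of the answer above or of Git Credential Manager: it rewrites any HTTP(S) remote that carries `user:token@` to the unadorned URL so that the configured credential helper is consulted instead. The function names `strip_userinfo` and `scrub_remotes` are hypothetical.

```shell
#!/bin/sh
# Added example: remove credentials embedded in a repository's remote URLs.
# strip_userinfo and scrub_remotes are illustrative names, not git commands.

# Print URL with any "user[:secret]@" removed from the authority part.
# Only http(s) URLs are touched; SSH-style remotes pass through unchanged.
strip_userinfo() {
    url=$1
    case "$url" in
        http://*|https://*) ;;
        *) printf '%s\n' "$url"; return 0 ;;
    esac
    scheme=${url%%://*}
    rest=${url#*://}
    authority=${rest%%/*}          # everything before the first "/"
    case "$rest" in
        */*) tail=/${rest#*/} ;;   # path is kept as-is, even if it contains "@"
        *)   tail= ;;
    esac
    host=${authority##*@}          # drop the longest "...@" prefix, if any
    printf '%s://%s%s\n' "$scheme" "$host" "$tail"
}

# Rewrite every remote of the repository at $1 that embeds credentials.
# Only the cleaned URL is printed, never the secret.
scrub_remotes() {
    repo=$1
    changed=0
    for name in $(git -C "$repo" remote); do
        old=$(git -C "$repo" remote get-url "$name")
        new=$(strip_userinfo "$old")
        if [ "$old" != "$new" ]; then
            git -C "$repo" remote set-url "$name" "$new"
            printf 'cleaned remote %s -> %s\n' "$name" "$new"
            changed=$((changed + 1))
        fi
    done
    [ "$changed" -gt 0 ] || printf 'no embedded credentials found\n'
}
```

Run `scrub_remotes /path/to/repo` on the affected clone. A token that has already been written to .git/config in plaintext should be treated as exposed and replaced with a new one.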
L
2

Check if this is a TTY issue

If you are using the gpg credential store in a headless/TTY-only environment, you must ensure you have configured the GPG Agent (gpg-agent) with a suitable pin-entry program for the terminal such as pinentry-tty or pinentry-curses.

If you are not connecting via SSH, or otherwise do not have the SSH_TTY environment variable set, you must set the GPG_TTY environment variable before running GCM.
The easiest way to do this is by adding the following to your profile (~/.bashrc, ~/.profile etc):

export GPG_TTY=$(tty) 
Lumbye answered 18/10, 2022 at 7:14 Comment(2)
Thanks, that's a good catch but I'm not running headless. I do get the pinentry-curses prompt and SSH_TTY is currently set to /dev/pts/2. I'm reading up on the pass utility. I think there's more that I need to do there and it just isn't documented in the GCM info. - Homophonic
@Homophonic I agree, passwordstore.org would be your best bet if you are not in a headless environment. - Lumbye
