
TLDR; Use an encrypted netrc file with Git 1.8.3+.

Saving a password for a Git repository HTTPS URL is possible with a ~/.netrc (Unix) or %HOME%/_netrc (note the _) on Windows.

But: That file would store your password in plain text.

Solution: Encrypt that file with GPG (GNU Privacy Guard), and make Git decrypt it each time it needs a password (for push/pull/fetch/clone operation).

(Git has a gpg.exe in its distribution, but using a full GPG installation includes a gpg-agent.exe, which will memorize your passphrase associated to your GPG key.)

Install gpg4Win Lite, the minimum gnupg command-line interface (take the most recent gpg4win-vanilla-2.X.Y-betaZZ.exe), and complete your PATH with the GPG installation directory:

set PATH=%PATH%;C:\path\to\gpg
copy C:\path\to\gpg\gpg2.exe C:\path\to\gpg\gpg.exe

(Note the 'copy' command: Git will need a Bash script to execute the command 'gpg'. Since gpg4win-vanilla-2 comes with gpg2.exe, you need to duplicate it.)

Create or import a GPG key, and trust it:

gpg --import aKey
# or
gpg --gen-key

  • Install the credential helper script in a directory within your %PATH%:

    cd c:\a\folder\in\your\path
    curl -o c:\prgs\bin\git-credential-netrc https://raw.githubusercontent.com/git/git/master/contrib/credential/netrc/git-credential-netrc

(Yes, this is a Bash script, but it will work on Windows since it will be called by Git.)

  • Make a _netrc file in clear text:

    machine a_server.corp.com
    login a_login
    password a_password
    protocol https

    machine a_server2.corp.com
    login a_login2
    password a_password2
    protocol https

(Don't forget the 'protocol' part: 'http' or 'https' depending on the URL you will use.)

  • Encrypt that file:

    gpg -e -r a_recipient _netrc

(You now can delete the _netrc file, keeping only the _netrc.gpg encrypted one.)

  • Use that encrypted file:

    git config --local credential.helper "netrc -f C:/path/to/_netrc.gpg -v"

From now on, any Git command using an HTTP(S) URL which requires authentication will decrypt that _netrc.gpg file and use the login/password associated to the server you are contacting. The first time, GPG will ask you for the passphrase of your GPG key, to decrypt the file. The other times, the gpg-agent launched automatically by the first GPG call will provide that passphrase for you.

That way, you can memorize several URLs/logins/passwords in one file, and have it stored on your disk encrypted. I find it more convenient than a "cache" helper, where you need to remember and type (once per session) a different password for each of your remote services, for said password to be cached in memory.

Trying the same thing on Linux: git config --local credential.helper "netrc -f /home/me/.netrc.gpg -v -d", and I get "git : 'credential-netrc' is not a git command. see 'git --help'"

curl -o c:\prgs\bin\git-credential-netrc https://raw.github.com/git/git/master/contrib/credential/netrc/git-credential-netrc

Well, the _netrc didn't work for me on a Windows 7 PC, but the .netrc worked for youtube-dl with the --netrc argument passed to it.

git - Is there a way to skip password typing when using https:// on Gi...


You now can use an encrypted .netrc (with gpg).

A new read-only credential helper (in contrib/) to interact with the .netrc/.authinfo files has been added.

That script would allow you to use gpg-encrypted netrc files, avoiding the issue of having your credentials stored in a plain text file.

Files with the .gpg extension will be decrypted by GPG before parsing. Multiple -f arguments are OK. They are processed in order, and the first matching entry found is returned via the credential helper protocol.

When no -f option is given, .authinfo.gpg, .netrc.gpg, .authinfo, and .netrc files in your home directory are used in this order.

git config credential.helper '$shortname -f AUTHFILE1 -f AUTHFILE2'

(Note that Git will prepend "git-credential-" to the helper name and look for it in the path.)

# and if you want lots of debugging info:
git config credential.helper '$shortname -f AUTHFILE -d'

#or to see the files opened and data found:
git config credential.helper '$shortname -f AUTHFILE -v'

Update late 2012, With git version 1.7.9+: This answer from Mark Longair details the credential cache mechanism which allows you to not store your password in plain text as shown below.


If you are using Windows 7, run cmd and type this:

setx HOME %USERPROFILE%
C:\Users\"username"

then go to it and make a file called '_netrc'

Note: for Windows, you need a '_netrc' file, not a '.netrc'.

Its content is quite standard (Replace the with your values):

machine <hostname1>
login <login1>
password <password1>
machine <hostname2>
login <login2>
password <password2>

Luke mentions in the comments:

Using the latest version of msysgit on Windows 7, I did not need to set the HOME environment variable. The _netrc file alone did the trick.

This is indeed what I mentioned in "Trying to install github, .ssh dir not there": git-cmd.bat included in msysgit does set the %HOME% environment variable:

@if not exist "%HOME%" @set HOME=%HOMEDRIVE%%HOMEPATH%
@if not exist "%HOME%" @set HOME=%USERPROFILE%

believes in the comments that "it seems that it won't work for http protocol"

However, I answered that netrc is used by curl, and works for http protocol, as shown in this example (look for 'netrc' in the page): . Also used with http protocol here: "_netrc/.netrc alternative to cURL".

A common trap with netrc support on Windows is that git will bypass using it if an origin https url specifies a user name.


@Bernd: the HOME environment variable is important, because it isn't defined by default on Windows. You can set that variable to whatever directory you want (it doesn't have to be C:\users\mylogin): for example, at work, I set it to my private remote disk associated with my Windows account, which allows me to switch desktops without having to lose my .ssh or _netrc settings.

@Bernd: check also if your Git repo is on a LAN or WAN (internet) server. You may need to define an http.proxy in your environment variables. Or, on the contrary, to add your server to a no_proxy variable, to avoid trying to access a LAN server over WAN.

Excellent - this is working! I created the file and set the HOME environment variable and it works!

What is the name and value for the environmental variable? Could you be a little more specific VonC

Git - How to use .netrc file on windows to save user and password - St...


Since git 1.8.3 (May, 2013), you now can specify an encrypted .netrc for git to use:

A new read-only credential helper (in contrib/credential/netrc/) to interact with the .netrc/.authinfo files has been added.

That script would allow you to use gpg-encrypted netrc files, avoiding the issue of having your credentials stored in a plain text file.

-f|--file AUTHFILE
specify netrc-style files.

Files with the .gpg extension will be decrypted by GPG before parsing. Multiple -f arguments are OK. They are processed in order, and the first matching entry found is returned via the credential helper protocol (see below).

When no -f option is given, .authinfo.gpg, .netrc.gpg, .authinfo, and .netrc files in your home directory are used in this order.

git config credential.helper '$shortname -f AUTHFILE1 -f AUTHFILE2'

(Note that Git will prepend "git-credential-" to the helper name and look for it in the path.)

authentication - Git http - securely remember credentials - Stack Over...
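
The lookup quoted above ("processed in order, and the first matching entry found is returned via the credential helper protocol"), as an added Python model; it is not the contrib script and not code from the original answers. The matching rules (exact host, optional protocol and username filters), the function names and the sample entries are assumptions of this example; it needs explicit -f arguments and does not handle quoted netrc values.

```python
import subprocess
import sys
from pathlib import Path

# Constructed sample: the placeholder hosts and logins used in the answers above.
SAMPLE_NETRC = """\
machine a_server.corp.com
login a_login
password a_password
protocol https

machine a_server2.corp.com
login a_login2
password a_password2
protocol https
"""

FIELDS = {"login", "password", "protocol", "port", "account"}


def read_authfile(path):
    """Return the text of a netrc-style file; *.gpg files go through gpg first."""
    p = Path(path)
    if p.suffix == ".gpg":
        # gpg prompts for the passphrase once; gpg-agent answers afterwards.
        done = subprocess.run(["gpg", "--quiet", "--decrypt", str(p)],
                              check=True, capture_output=True, text=True)
        return done.stdout
    return p.read_text()


def parse_netrc(text):
    """Split netrc text into one dict per 'machine' entry (no quoted values)."""
    entries, current, tokens = [], None, text.split()
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "machine" and i + 1 < len(tokens):
            current = {"machine": tokens[i + 1]}
            entries.append(current)
            i += 2
        elif tok in FIELDS and current is not None and i + 1 < len(tokens):
            current[tok] = tokens[i + 1]
            i += 2
        else:
            i += 1  # unknown token: skip it
    return entries


def parse_request(stdin_text):
    """Git sends key=value lines on stdin, terminated by a blank line."""
    request = {}
    for line in stdin_text.splitlines():
        if not line:
            break
        key, _, value = line.partition("=")
        request[key] = value
    return request


def lookup(request, authfile_texts):
    """Return the first entry, in file order, that matches the request."""
    for text in authfile_texts:
        for entry in parse_netrc(text):
            if entry["machine"] != request.get("host"):
                continue
            if "protocol" in entry and entry["protocol"] != request.get("protocol"):
                continue
            # A user name in the remote URL reaches the helper as username=...
            if "username" in request and entry.get("login") != request["username"]:
                continue
            if "login" in entry and "password" in entry:
                return entry
    return None


def respond(operation, stdin_text, authfile_texts):
    """Build the helper's stdout; read-only, so only 'get' is answered."""
    if operation != "get":
        return ""
    entry = lookup(parse_request(stdin_text), authfile_texts)
    if entry is None:
        return ""  # empty answer: Git falls back to the next helper or a prompt
    return f"username={entry['login']}\npassword={entry['password']}\n"


def main(argv):
    """Usage (hypothetical script name): helper.py -f FILE [-f FILE ...] get"""
    files = [argv[i + 1] for i, a in enumerate(argv[:-1]) if a in ("-f", "--file")]
    operation = argv[-1] if argv else ""
    texts = [read_authfile(f) for f in files]
    sys.stdout.write(respond(operation, sys.stdin.read(), texts))


if __name__ == "__main__":
    main(sys.argv[1:])
```

An entry whose protocol differs from the request returns nothing, which is why the 'protocol' token in the netrc file has to match the URL scheme actually used.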


If you're using ssh and your private key is encrypted with a passphrase, then you'll still be prompted to enter the passphrase/password for the private key when you do network operations with Git like push, pull, and fetch.

$ eval `ssh-agent -s`
$ ssh-add

In a Windows msysgit Bash, you need to evaluate the output of ssh-agent, but I'm not sure if you need to do the same in other development environments and operating systems.

ssh-add looks for a private key in your home .ssh folder called id_rsa, which is the default name, but you can pass a filepath to a key with a different name.

When you're done with your terminal session, you can shut down ssh-agent with the kill flag -k:

$ ssh-agent -k
-k

Kill the current agent (given by the SSH_AGENT_PID environment variable).

Also, it can take an optional timeout parameter like so:

$ ssh-add -t <timeout>

where <timeout> is of the format <n>h for <n> hours, <n>m for <n> minutes, and so on.

ssh-agent
-t life

Set a default value for the maximum lifetime of identities added to the agent. The lifetime may be specified in seconds or in a time format specified in sshd_config(5). A lifetime specified for an identity with ssh-add(1) overrides this value. Without this option the default maximum lifetime is forever.

people should be cognizant of the potential dangers of ssh-agent under cygwin [1], though under a local netstat and remote portscan it does not appear that the port specified in /tmp/ssh-foo is accessible to anyone ...?

[1]: http://www.cygwin.com/ml/cygwin/2001-01/msg00063.html

however, note that cygwin's unix domain sockets are FUNDAMENTALLY INSECURE and so i strongly DISCOURAGE usage of ssh-agent under cygwin.

when you run ssh-agent under cygwin it creates AF_UNIX socket in /tmp/ssh-$USERNAME/ directory. under cygwin AF_UNIX sockets are emulated via AF_INET sockets. you can easily see that if you'll look into /tmp/ssh-$USERNAME/agent-socket-* file via notepad. you'll see something like

!<socket >2080

then run netstat -a and surprise! you have some program listening to port 2080. it's ssh-agent. when ssh receives RSA challenge from server, it refers to corresponding /tmp/ssh-$USERNAME/agent-socket-* (under cygwin, in our case, that means it'll open connection to localhost:2080) and asks ssh-agent to process RSA challenge with private key it has, and then it simply passes response received from ssh-agent to server.

under unix, such scenario works without problems, because unix kernel checks permissions when program tries to access AF_UNIX socket. For AF_INET sockets, however, connections are anonymous (read "insecure"). Imagine, that you have cygwin ssh-agent running. malicious hacker may portscan your box, locate open port used by ssh-agent, open connection to your ssh server, receive RSA challenge from it, send it to your ssh-agent via open port he found, receive RSA response, send it to ssh server and voila, he successfully logged in to your server as you.

Sounds nice and detailed. I took care of https credential helper, and you took care of ssh connections! +1

authentication - Git push requires username and password - Stack Overf...

authentication github git-push git-pull git-clone
Rectangle 27 41

If you're using ssh and your private key is encrypted with a passphrase, then you'll still be prompted to enter the passphrase/password for the private key when you do network operations with Git like push, pull, and fetch.

$ eval `ssh-agent -s`
$ ssh-add

In a Windows msysgit Bash, you need to evaluate the output of ssh-agent, but I'm not sure if you need to do the same in other development environments and operating systems.

ssh-add looks for a private key in your home .ssh folder called id_rsa, which is the default name, but you can pass a filepath to a key with a different name.

When you're done with your terminal session, you can shutdown ssh-agent with the kill flag -k:

$ ssh-agent -k
-k

Kill the current agent (given by the SSH_AGENT_PID environment variable).

Also, it can take an optional timeout parameter like so:

$ ssh-add -t <timeout>

where <timeout> is of the format <n>h for <n> hours, <n>m for <n> minutes, and so on.

ssh-agent
-t life

Set a default value for the maximum lifetime of identities added to the agent. The lifetime may be specified in seconds or in a time format specified in sshd_config(5). A lifetime specified for an identity with ssh-add(1) overrides this value. Without this option the default maximum lifetime is forever.

people should be cognizant of the potential dangers of ssh-agent under cygwin [1], though under a local netstat and remote portscan it does not appear that the port specified in /tmp/ssh-foo is accessible to anyone ...?

[1]: http://www.cygwin.com/ml/cygwin/2001-01/msg00063.html

however, note that cygwin's unix domain sockets are FUNDAMENTALLY INSECURE and so i strongly DISCOURAGE usage of ssh-agent under cygwin.

when you run ssh-agent under cygwin it creates AF_UNIX socket in /tmp/ssh-$USERNAME/ directory. under cygwin AF_UNIX sockets are emulated via AF_INET sockets. you can easily see that if you'll look into /tmp/ssh-$USERNAME/agent-socket-* file via notepad. you'll see the something like

!<socket >2080

then run netstat -a and surprise! you have some program listening to port 2080. it's ssh-agent. when ssh receives RSA challenge from server, it refers to corresponding /tmp/ssh-$USERNAME/agent-socket-* (under cygwin, in our case, that means it'll open connection to localhost:2080) and asks ssh-agent to process RSA challenge with private key it has, and then it simply passes response received from ssh-agent to server.

under unix, such scenario works without problems, because unix kernel checks permissions when program tries to access AF_UNIX socket. For AF_INET sockets, however, connections are anonymous (read "insecure"). Imagine, that you have cygwin ssh-agent running. malicious hacker may portscan your box, locate open port used by ssh-agent, open connection to your ssh server, receive RSA challenge from it, send it to your ssh-agent via open port he found, receive RSA response, send it to ssh server and voila, he successfully logged in to your server as you.

Sounds nice and detailed. I took care of https credential helper, and you took care of ssh connections! +1

authentication - Git push requires username and password - Stack Overf...

authentication github git-push git-pull git-clone
Rectangle 27 41

If you're using ssh and your private key is encrypted with a passphrase, then you'll still be prompted to enter the passphrase/password for the private key when you do network operations with Git like push, pull, and fetch.

$ eval `ssh-agent -s`
$ ssh-add

In a Windows msysgit Bash, you need to evaluate the output of ssh-agent, but I'm not sure if you need to do the same in other development environments and operating systems.

ssh-add looks for a private key in your home .ssh folder called id_rsa, which is the default name, but you can pass a filepath to a key with a different name.

When you're done with your terminal session, you can shut down ssh-agent with the kill flag -k:

$ ssh-agent -k

-k      Kill the current agent (given by the SSH_AGENT_PID environment variable).

Also, it can take an optional timeout parameter like so:

$ ssh-add -t <timeout>

where <timeout> is of the format <n>h for <n> hours, <n>m for <n> minutes, and so on.

ssh-agent

-t life      Set a default value for the maximum lifetime of identities added to the agent. The lifetime may be specified in seconds or in a time format specified in sshd_config(5). A lifetime specified for an identity with ssh-add(1) overrides this value. Without this option the default maximum lifetime is forever.
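
The start, add, expire and kill steps above, combined into one session-scoped routine. This is an added example, not part of the original answer; the function names and the KEY_LIFETIME variable are assumptions of the sketch.

```shell
#!/bin/sh
# Added example: an ssh-agent tied to one shell session, with keys that expire.
KEY_LIFETIME=${KEY_LIFETIME:-1h}   # same <n>h / <n>m format as `ssh-add -t`
STARTED_AGENT=0                    # 1 only when this shell launched the agent

# agent_state: classify the agent reachable through $SSH_AUTH_SOCK.
# `ssh-add -l` exits 0 when keys are loaded, 1 when the agent holds none,
# and 2 when no agent can be contacted.
agent_state() {
    ssh-add -l >/dev/null 2>&1 && rc=0 || rc=$?
    case $rc in
        0) echo has-keys ;;
        1) echo empty ;;
        *) echo unreachable ;;
    esac
}

# ensure_agent: start an agent only when none is reachable, and remember
# that this shell owns it so cleanup never kills someone else's agent.
ensure_agent() {
    if [ "$(agent_state)" = unreachable ]; then
        eval "$(ssh-agent -s)" >/dev/null
        STARTED_AGENT=1
    fi
}

# add_key [keyfile]: load a key that the agent forgets after KEY_LIFETIME.
# With no argument ssh-add falls back to its default key files.
add_key() {
    if [ "$(agent_state)" != has-keys ]; then
        ssh-add -t "$KEY_LIFETIME" "$@"
    fi
}

# cleanup_agent: kill the agent and unset its variables, but only if this
# shell started it.
cleanup_agent() {
    if [ "$STARTED_AGENT" = 1 ]; then
        eval "$(ssh-agent -k 2>/dev/null)" >/dev/null || true
        STARTED_AGENT=0
    fi
    return 0
}

# Typical use from a shell profile or wrapper script:
#   ensure_agent && add_key ~/.ssh/id_rsa
#   trap cleanup_agent EXIT
```

The EXIT trap covers the case where the terminal is closed without running `ssh-agent -k` by hand, and the lifetime bounds how long a forgotten agent can answer for the key.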

people should be cognizant of the potential dangers of ssh-agent under cygwin [1], though under a local netstat and remote portscan it does not appear that the port specified in /tmp/ssh-foo is accessible to anyone ...?

[1]: http://www.cygwin.com/ml/cygwin/2001-01/msg00063.html

however, note that cygwin's unix domain sockets are FUNDAMENTALLY INSECURE and so i strongly DISCOURAGE usage of ssh-agent under cygwin.

When you run ssh-agent under Cygwin, it creates an AF_UNIX socket in the /tmp/ssh-$USERNAME/ directory. Under Cygwin, AF_UNIX sockets are emulated via AF_INET sockets. You can easily see that if you look into the /tmp/ssh-$USERNAME/agent-socket-* file via Notepad. You'll see something like

!<socket >2080

Then run netstat -a and surprise! You have some program listening on port 2080. It's ssh-agent. When ssh receives an RSA challenge from the server, it refers to the corresponding /tmp/ssh-$USERNAME/agent-socket-* (under Cygwin, in our case, that means it'll open a connection to localhost:2080) and asks ssh-agent to process the RSA challenge with the private key it has, and then it simply passes the response received from ssh-agent to the server.

Under Unix, such a scenario works without problems, because the Unix kernel checks permissions when a program tries to access an AF_UNIX socket. For AF_INET sockets, however, connections are anonymous (read "insecure"). Imagine that you have the Cygwin ssh-agent running. A malicious hacker may portscan your box, locate the open port used by ssh-agent, open a connection to your ssh server, receive the RSA challenge from it, send it to your ssh-agent via the open port he found, receive the RSA response, send it to the ssh server and voila, he has successfully logged in to your server as you.

Sounds nice and detailed. I took care of https credential helper, and you took care of ssh connections! +1

authentication - Git push requires username and password - Stack Overf...

authentication github git-push git-pull git-clone
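
A defender's check for the exposure discussed in the comments above: take the port recorded in the emulated socket file and classify the matching listeners in `netstat -an` output. This is an added example, not from the original thread; it assumes the `!<socket >PORT` file content quoted above, read as plain text the way the quote describes, and Windows-style netstat columns. The sample lines are constructed.

```shell
#!/bin/sh
# Added example: where is a Cygwin-emulated agent socket really listening?

# socket_port FILE: print the TCP port stored in a text copy of an emulated
# AF_UNIX socket file whose content looks like "!<socket >2080".
socket_port() {
    sed -n 's/^!<socket >\([0-9][0-9]*\).*/\1/p' "$1" | head -n 1
}

# listener_scope PORT: read `netstat -an` output (Windows column layout) on
# stdin and classify the TCP listeners found on PORT.
listener_scope() {
    awk -v port="$1" '
        { sub(/\r$/, "") }                       # tolerate CRLF line endings
        toupper($1) != "TCP" || toupper($NF) != "LISTENING" { next }
        {
            n = split($2, part, ":")             # port is the last ":" field
            if (part[n] != port) next
            host = substr($2, 1, length($2) - length(part[n]) - 1)
            if (host == "127.0.0.1" || host == "[::1]") loopback++
            else other++
        }
        END {
            if (other) print "exposed"
            else if (loopback) print "loopback-only"
            else print "not-listening"
        }'
}

# socket_scope FILE: combine both steps; netstat output is read from stdin.
socket_scope() {
    port=$(socket_port "$1")
    if [ -z "$port" ]; then echo "no-port-in-file"; return 0; fi
    listener_scope "$port"
}

# Constructed sample output, for trying listener_scope offline.
sample_netstat() {
    cat <<'EOF'
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:2080         0.0.0.0:0              LISTENING
  TCP    192.168.1.10:49712     203.0.113.5:22         ESTABLISHED
EOF
}
```

A `loopback-only` result rules out the remote path described in the quoted message; it says nothing about other processes on the same machine.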

TLDR; Use an encrypted netrc file with git 1.8.3+.

Saving a password for git repo https url is possible with a ~/.netrc (Unix) or %HOME%/_netrc (note the _) on Windows.

But: that file would store your password in plain text.

Solution: encrypt that file with gpg (the GNU Privacy Guard), and make git decrypt it each time it needs a password (for push/pull/fetch/clone operation)

(git has a gpg.exe in its distribution, but using a full gpg installation includes a gpg-agent.exe, which will memorize your passphrase associated to your gpg key)

Install gpg4Win Lite, the minimum gnupg command-line interface (take the most recent gpg4win-vanilla-2.X.Y-betaZZ.exe), and complete your PATH with the gpg installation directory:

set PATH=%PATH%;C:\path\to\gpg
copy C:\path\to\gpg\gpg2.exe C:\path\to\gpg\gpg.exe

(Note the 'copy' command: git will need a bash to execute the command 'gpg'. Since gpg4win-vanilla-2 comes with gpg2.exe, you need to duplicate it)

Create or import a gpg key, and trust it:

gpg --import aKey
# or
gpg --gen-key

  • Install the credential helper script in a directory within your %PATH%:

cd c:\a\folder\in\your\path
curl -o c:\prgs\bin\git-credential-netrc https://raw.githubusercontent.com/git/git/master/contrib/credential/netrc/git-credential-netrc

(Yes, this is a bash script, but it will work on Windows since it will be called by git.)

  • Make a _netrc file in clear text:

machine a_server.corp.com
login a_login
password a_password
protocol https

machine a_server2.corp.com
login a_login2
password a_password2
protocol https

(Don't forget the 'protocol' part: 'http' or 'https' depending on the URL you will use.)

  • Encrypt that file:

gpg -e -r a_recipient _netrc

(You now can delete the _netrc file, keeping only the _netrc.gpg encrypted one.)

  • Use that encrypted file:

git config --local credential.helper "netrc -f C:/path/to/_netrc.gpg -v"
C:\path\to...
-v -d

From now on, any git command using an http(s) url which requires authentication will decrypt that _netrc.gpg file and use the login/password associated to the server you are contacting. The first time, gpg will ask you for the passphrase of your gpg key, to decrypt the file. The other times, the gpg-agent launched automatically by the first gpg call will provide that passphrase for you.

That way, you can memorize several url/login/passwords in one file, and have it stored on your disk encrypted. I find it more convenient than a "cache" helper, where you need to remember and type (once per session) a different password for each of your remote services, for said password to be cached in memory.

trying the same thing on linux .. git config --local credential.helper "netrc -f /home/me/.netrc.gpg -v -d" ..and i get "git : 'credential-netrc' is not a git command. see 'git --help'"

curl -o c:\prgs\bin\git-credential-netrc https://raw.github.com/git/git/master/contrib/credential/netrc/git-credential-netrc
git-credential-netrc
$PATH
credential-netrc

Well, the _netrc didn't work for me on a Windows 7 PC, but the .netrc worked for youtube-dl with the --netrc argument passed to it.

git - Is there a way to skip password typing when using https:// githu...

git authentication github
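
What happens between git and a netrc-backed helper, as an added sketch (not the git-credential-netrc script from git's contrib directory, and not code from the answer): git writes `protocol=` and `host=` lines to the helper's stdin, and the helper replies with `username=` and `password=` taken from the decrypted file. The NETRC_GPG variable, the function names and the rule that both machine and protocol must match are assumptions of this sketch.

```shell
#!/bin/sh
# Added sketch: a git credential helper that reads a GPG-encrypted netrc.
NETRC_GPG=${NETRC_GPG:-$HOME/.netrc.gpg}    # assumed path of the encrypted file

# sample_netrc: the placeholder entries from the answer, for offline testing.
sample_netrc() {
    cat <<'EOF'
machine a_server.corp.com
login a_login
password a_password
protocol https

machine a_server2.corp.com
login a_login2
password a_password2
protocol https
EOF
}

# netrc_lookup HOST PROTOCOL: read clear-text netrc on stdin and print the
# username=/password= reply for the first entry matching both values.
netrc_lookup() {
    awk -v host="$1" -v proto="$2" '
        function emit() {
            if (!done && m == host && pr == proto && l != "" && p != "") {
                printf "username=%s\npassword=%s\n", l, p
                done = 1
            }
        }
        {
            for (i = 1; i <= NF; i++) {
                if (key == "") { key = $i; continue }
                if (key == "machine") { emit(); m = $i; l = p = pr = "" }
                else if (key == "login") l = $i
                else if (key == "password") p = $i
                else if (key == "protocol") pr = $i
                key = ""
            }
        }
        END { emit() }'
}

# read_request: parse the key=value lines git writes to the helper's stdin
# (terminated by a blank line) into REQ_HOST and REQ_PROTOCOL.
read_request() {
    REQ_HOST='' REQ_PROTOCOL=''
    while IFS='=' read -r k v; do
        if [ -z "$k" ]; then break; fi
        case $k in
            host) REQ_HOST=$v ;;
            protocol) REQ_PROTOCOL=$v ;;
        esac
    done
    return 0
}

# credential_get FILE: answer a "get" request. The clear text exists only
# in the pipe between gpg and awk, never in a file on disk.
credential_get() {
    read_request
    [ -n "$REQ_HOST" ] || return 0
    gpg --quiet --decrypt "$1" | netrc_lookup "$REQ_HOST" "$REQ_PROTOCOL"
}

# Only "get" is answered; "store" and "erase" are ignored, so the helper
# never writes credentials.
case ${1:-} in
    get) credential_get "$NETRC_GPG" ;;
esac
```

Saved on the PATH under a hypothetical name such as git-credential-netrc-sketch, it would be selected with `git config --local credential.helper netrc-sketch`. An entry with the wrong or missing 'protocol' token returns nothing here, which is the failure the answer's reminder about the 'protocol' part is guarding against.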

Encrypting your .netrc allows you to store multiple credentials (to GitHub, and Bitbucket, and ...) in one file, and have it used through the git credential helper netrc (git 1.8.3+).

It works on Windows (and Linux or Mac). And you can limit the number of minutes/hours during which gpg won't ask you again for the private key passphrase.

Yes, that does seem like a good option, but I don't like the notion of manual steps when it comes to dealing with security. Do you think it would be hard to package it into something more black-boxy like osxkeychain or ssh-agent (is that what ssh's passphrase manager is called?)?

@kermit666 which manual step? Beside the initial encryption of the .netrc file, the rest is entirely automatic (except, obviously, the step where you enter your gpg key passphrase to the gpg-agent).

Well, from what I understand, I have to copy the netrc script to '/usr/local/bin' and make it executable, create the file with the passphrase, set its permissions, encrypt it. In contrast, when using osxkeychain or ssh-agent, I don't have to install anything (part of the OS), they ask me to enter a passphrase into a prompt (not a file) the first time (when first adding something to the keychain / first creating the RSA keypair) and they take care of everything else - only prompt me to unlock it.

@kermit666 I understand, but it does work :) And you can copy the netrc script in any folder present in your PATH. Make sure you have gpg2 installed, not just gpg.

git - How to store your github https password on Linux in a terminal k...

linux git github https keychain

Make sure your files are not encrypted. I was using Windows workfolders and new files are encrypted. Git in VS is unable to see them.

c# - Visual Studio: Git Team Explorer does not show any changes - Stac...

c# git visual-studio

You could set up an encrypted file with those http credentials, in order for git to use them from that encrypted file. That supposes a running gpg agent able to provide the unique password needed to access that gpg-encrypted credentials file.

The url you would use would then be:

https://username@my.stash.repo/scm/lib/my-super-lib.git
username

This leads to unnecessary difficulties with using composer. Each machine (or even user) who wants to use my private repository will have to perform these operations (and thus obviously I don't want to store even the username in composer.json). It will be easier to manually clone all dependencies and set up the autoloader, which kills all composer features. I hope there is an easier way.

@ScayTrase I agree. This is for a centralized access (where only one user has to enter his/her credentials, or, in my answer, the gpg key (once per session, not every time)). That would be the case if all users could access a single cloned repo and run composer from there. But that might not be possible in your case.

php - Composer install\update authentication fails - Stack Overflow

php git composer-php atlassian-stash