* credentials are being erased from credential manager via git credential-wincred erase command
@ 2016-04-13 18:49 O'Connell, Ken
2016-04-13 19:12 ` Bryan Turner
0 siblings, 1 reply; 3+ messages in thread
From: O'Connell, Ken @ 2016-04-13 18:49 UTC (permalink / raw)
To: git@vger.kernel.org
Good afternoon,
My company setup wincred for management of our git/stash user credentials for our automated build scripts. It works great for days, sometimes a couple weeks.
Then one day build haven't run and we discover the scripts are randomly found at a user prompt awaiting stash user credentials.
We look at Windows Credential Manager store in Windows and find the Stash user credentials are erased from Credential Manager!
We discovered via GIT_TRACE, that the command used to retrieve the credentials, is being followed up by a git command to erase the credentials. -not all the time, but seemingly in a random way.
Looking at the trace logs on one server, we see the following commands:
'git-remote-https' 'origin' https://stash-server/bla/bla/bla.git
'git-credential-wincred' 'get'
'git credential-wincred erase'
Do you have ideas on how to track down the root cause of why this command is running?
Info:
Windows 7 machines
Git version 1.9.5-msysgit, and Git 2.7.4 windows (on one machine to see if upgrading helped) -it did not.
Stash version 3.11.2
Please let me know if I can get any more information to help diagnose.
Thanks,
-Ken
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: credentials are being erased from credential manager via git credential-wincred erase command
2016-04-13 18:49 credentials are being erased from credential manager via git credential-wincred erase command O'Connell, Ken
@ 2016-04-13 19:12 ` Bryan Turner
2016-04-13 22:00 ` Jeff King
0 siblings, 1 reply; 3+ messages in thread
From: Bryan Turner @ 2016-04-13 19:12 UTC (permalink / raw)
To: O'Connell, Ken; +Cc: git@vger.kernel.org
Ken,
I'm one of the developers for Atlassian Bitbucket Server (formerly
Stash), which I believe you're running.
>From the credentials code in Git (which I could be mis-reading; I'm
sure others on the list will correct me if I'm wrong), it appears the
erase is done after a cached credential is rejected by the server.
That implies that, periodically, authentication with your Stash server
is failing and that that failed authentication results in Git clearing
the "bad" credential. That's likely why you see this happen on
seemingly random builds.
To follow up on the possibility that authentication with Stash is
periodically failing, I'd recommend opening a support request at
support.atlassian.com. My belief is that the remote Git client is
doing what it's intended to do in response to an authentication
failure. That suggests we need to look at your Stash instance to
determine why authentication is failing. If you do open a support
request, please mention me in your description so that our support
engineers can attach me to the issue!
Best regards,
Bryan Turner
On Wed, Apr 13, 2016 at 12:49 PM, O'Connell, Ken
<Ken.O'Connell@cognex.com> wrote:
> Good afternoon,
>
> My company setup wincred for management of our git/stash user credentials for our automated build scripts. It works great for days, sometimes a couple weeks.
> Then one day build haven't run and we discover the scripts are randomly found at a user prompt awaiting stash user credentials.
>
> We look at Windows Credential Manager store in Windows and find the Stash user credentials are erased from Credential Manager!
>
> We discovered via GIT_TRACE, that the command used to retrieve the credentials, is being followed up by a git command to erase the credentials. -not all the time, but seemingly in a random way.
> Looking at the trace logs on one server, we see the following commands:
> 'git-remote-https' 'origin' https://stash-server/bla/bla/bla.git
> 'git-credential-wincred' 'get'
> 'git credential-wincred erase'
>
> Do you have ideas on how to track down the root cause of why this command is running?
>
> Info:
> Windows 7 machines
> Git version 1.9.5-msysgit, and Git 2.7.4 windows (on one machine to see if upgrading helped) -it did not.
> Stash version 3.11.2
>
> Please let me know if I can get any more information to help diagnose.
> Thanks,
> -Ken
>
>
>
> --
> To unsubscribe from this list: send the line "unsubscribe git" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: credentials are being erased from credential manager via git credential-wincred erase command
2016-04-13 19:12 ` Bryan Turner
@ 2016-04-13 22:00 ` Jeff King
0 siblings, 0 replies; 3+ messages in thread
From: Jeff King @ 2016-04-13 22:00 UTC (permalink / raw)
To: Bryan Turner; +Cc: O'Connell, Ken, git@vger.kernel.org
On Wed, Apr 13, 2016 at 01:12:06PM -0600, Bryan Turner wrote:
> From the credentials code in Git (which I could be mis-reading; I'm
> sure others on the list will correct me if I'm wrong), it appears the
> erase is done after a cached credential is rejected by the server.
> That implies that, periodically, authentication with your Stash server
> is failing and that that failed authentication results in Git clearing
> the "bad" credential. That's likely why you see this happen on
> seemingly random builds.
Yes, that's right. For HTTP, Git will erase the credential only for an
HTTP 401 (or a 407 for the proxy credential). So an intermittent failure
shouldn't cause us to erase the credential there.
But it's possible that a server whose credentials are backed by
something more complicated than a password file (e.g., LDAP or
something) may return a 401 intermittently when the backend process
fails (e.g., connection to the LDAP server fails). And I agree with your
second paragraph (that I snipped) that finding the intermittent failure
is the best first step.
We could potentially teach Git _not_ to erase credentials in such a case
(with a config option). But the downside would be that the user would
then have to manually erase and re-populate the credentials if they do
change.
IMHO, that responsibility really lies with the credential helpers
themselves. Helpers like git-credential-wincred are meant to
transparently cache and update credentials. I think for an automated
process like this, what the user really wants is more like "I'll stick
some credentials in a secure place, and I want Git _only_ to access
them, never update them".
You can hack together something like that today with:
git config credential.helper '!f() {
case "$1" in
get|store) git credential-wincred "$@" ;;
esac
}; f'
and then you can populate it with:
echo url=https://example.com |
git credential fill |
git credential approve
The "fill" will prompt you and generate the proper response to feed to
"approve", which will actually store it in your helper of choice. Or you
can just do a "fetch" from the repository in question, and it will
happen automatically.
If this pattern is something a lot of people want to use, I think we
could wrap that shell snippet into a "git credential-static" or
something that chained to another helper, and you'd configure it like:
git config credential.helper 'static wincred'
or something.
-Peff
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2016-04-13 22:01 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2016-04-13 18:49 credentials are being erased from credential manager via git credential-wincred erase command O'Connell, Ken
2016-04-13 19:12 ` Bryan Turner
2016-04-13 22:00 ` Jeff King
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).