* [http] Git error messages reveal password encoded in the URL @ 2010-07-19 17:00 Ketan Padegaonkar 2010-07-19 21:02 ` Jakub Narebski 0 siblings, 1 reply; 8+ messages in thread From: Ketan Padegaonkar @ 2010-07-19 17:00 UTC (permalink / raw) To: git-dev Hi, We use http to serve our git repos, in order for git to not ask me a username/password everytime, I've put the following in my .git/config: [remote "origin"] url = https://user:pass@host/repo.git What is discerning is that every time git encounters a problem connecting to the repo, I get the following error containing both my username and password. error: Couldn't resolve host 'host' while accessing https://user:pass@host/repo.git/info/refs I would like to suggest that the password be removed/masked from this error message. -- Ketan http://ketan.padegaonkar.name | http://eclipse.org/swtbot ^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [http] Git error messages reveal password encoded in the URL 2010-07-19 17:00 [http] Git error messages reveal password encoded in the URL Ketan Padegaonkar @ 2010-07-19 21:02 ` Jakub Narebski 2010-07-19 21:05 ` Jacob Helwig 0 siblings, 1 reply; 8+ messages in thread From: Jakub Narebski @ 2010-07-19 21:02 UTC (permalink / raw) To: Ketan Padegaonkar; +Cc: git-dev Ketan Padegaonkar <ketanpadegaonkar@gmail.com> writes: > We use http to serve our git repos, in order for git to not ask me a > username/password everytime, Errr... WTF? Can't you configure SSH (use ssh-add, perhaps together with tool such as keychain) to use public key based authentication? > I've put the following in my .git/config: > > [remote "origin"] > url = https://user:pass@host/repo.git > > What is discerning is that every time git encounters a problem > connecting to the repo, I get the following error containing both my > username and password. > > error: Couldn't resolve host 'host' while accessing > https://user:pass@host/repo.git/info/refs > > I would like to suggest that the password be removed/masked from this > error message. Which git version do you use? I recall vaguely that something was done in this direction (masking passwords in URLs). -- Jakub Narebski Poland ShadeHawk on #git ^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [http] Git error messages reveal password encoded in the URL 2010-07-19 21:02 ` Jakub Narebski @ 2010-07-19 21:05 ` Jacob Helwig 2010-07-19 21:10 ` Jakub Narebski 0 siblings, 1 reply; 8+ messages in thread From: Jacob Helwig @ 2010-07-19 21:05 UTC (permalink / raw) To: Jakub Narebski; +Cc: Ketan Padegaonkar, git-dev On Mon, Jul 19, 2010 at 14:02, Jakub Narebski <jnareb@gmail.com> wrote: > Ketan Padegaonkar <ketanpadegaonkar@gmail.com> writes: > >> We use http to serve our git repos, in order for git to not ask me a >> username/password everytime, > > Errr... WTF? Can't you configure SSH (use ssh-add, perhaps together with > tool such as keychain) to use public key based authentication? > I don't think SSH/ssh-agent/pubkey would actually help, given that it's a https URL. Unless I'm missing something here? >> I've put the following in my .git/config: >> >> [remote "origin"] >> url = https://user:pass@host/repo.git >> ^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [http] Git error messages reveal password encoded in the URL 2010-07-19 21:05 ` Jacob Helwig @ 2010-07-19 21:10 ` Jakub Narebski 2010-07-19 21:16 ` Jacob Helwig 0 siblings, 1 reply; 8+ messages in thread From: Jakub Narebski @ 2010-07-19 21:10 UTC (permalink / raw) To: Jacob Helwig; +Cc: Ketan Padegaonkar, git-dev Dnia poniedziałek 19. lipca 2010 23:05, Jacob Helwig napisał: > On Mon, Jul 19, 2010 at 14:02, Jakub Narebski <jnareb@gmail.com> wrote: >> Ketan Padegaonkar <ketanpadegaonkar@gmail.com> writes: >> >>> We use http to serve our git repos, in order for git to not ask me a >>> username/password everytime, >> >> Errr... WTF? Can't you configure SSH (use ssh-add, perhaps together with >> tool such as keychain) to use public key based authentication? >> > > I don't think SSH/ssh-agent/pubkey would actually help, given that > it's a https URL. Unless I'm missing something here? I was referring to 'we use http [...] _in order_ for git to not ask me a username/password everywhere'. I just noted that you can make git not ask a username/password everywhere when using ssh:// URLs. -- Jakub Narebski Poland ^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [http] Git error messages reveal password encoded in the URL 2010-07-19 21:10 ` Jakub Narebski @ 2010-07-19 21:16 ` Jacob Helwig 2010-07-19 23:25 ` Ketan Padegaonkar 0 siblings, 1 reply; 8+ messages in thread From: Jacob Helwig @ 2010-07-19 21:16 UTC (permalink / raw) To: Jakub Narebski; +Cc: Ketan Padegaonkar, git-dev On Mon, Jul 19, 2010 at 14:10, Jakub Narebski <jnareb@gmail.com> wrote: > Dnia poniedziałek 19. lipca 2010 23:05, Jacob Helwig napisał: >> On Mon, Jul 19, 2010 at 14:02, Jakub Narebski <jnareb@gmail.com> wrote: >>> Ketan Padegaonkar <ketanpadegaonkar@gmail.com> writes: >>> >>>> We use http to serve our git repos, in order for git to not ask me a >>>> username/password everytime, >>> >>> Errr... WTF? Can't you configure SSH (use ssh-add, perhaps together with >>> tool such as keychain) to use public key based authentication? >>> >> >> I don't think SSH/ssh-agent/pubkey would actually help, given that >> it's a https URL. Unless I'm missing something here? > > I was referring to 'we use http [...] _in order_ for git to not ask me > a username/password everywhere'. I just noted that you can make git > not ask a username/password everywhere when using ssh:// URLs. > Ah, I read it to mean "We use HTTP. I encode the user and password in the URL to prevent it from asking all the time", not "We use HTTP with an encoded user and password to prevent it from asking". If it's the latter, then you're definitely right: Using SSH + pubkey authentication is probably a _much_ better choice. ^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [http] Git error messages reveal password encoded in the URL 2010-07-19 21:16 ` Jacob Helwig @ 2010-07-19 23:25 ` Ketan Padegaonkar 2010-07-20 0:41 ` Jakub Narebski 0 siblings, 1 reply; 8+ messages in thread From: Ketan Padegaonkar @ 2010-07-19 23:25 UTC (permalink / raw) To: Jacob Helwig; +Cc: Jakub Narebski, git-dev On 7/19/10 2:16 PM, Jacob Helwig wrote: > On Mon, Jul 19, 2010 at 14:10, Jakub Narebski<jnareb@gmail.com> wrote: >> Dnia poniedziałek 19. lipca 2010 23:05, Jacob Helwig napisał: >>> On Mon, Jul 19, 2010 at 14:02, Jakub Narebski<jnareb@gmail.com> wrote: >>>> Ketan Padegaonkar<ketanpadegaonkar@gmail.com> writes: >>>> >>>>> We use http to serve our git repos, in order for git to not ask me a >>>>> username/password everytime, Apologies. I used the wrong punctuation. It should read as: We use https+basic auth to serve up git repos. Unfortunately SSH is not an option for various reasons. In order for git to not ask me the username/password, I 'encoded' the username/password into the url. I'm using git v1.7.1.1 on MacOSX Leopard. I can see the same behavior on master (rev 24e7a5). -- Ketan http://ketan.padegaonkar.name | http://eclipse.org/swtbot ^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [http] Git error messages reveal password encoded in the URL 2010-07-19 23:25 ` Ketan Padegaonkar @ 2010-07-20 0:41 ` Jakub Narebski 2010-07-20 7:46 ` Tay Ray Chuan 0 siblings, 1 reply; 8+ messages in thread From: Jakub Narebski @ 2010-07-20 0:41 UTC (permalink / raw) To: Ketan Padegaonkar; +Cc: Jacob Helwig, git-dev Dnia wtorek 20. lipca 2010 01:25, Ketan Padegaonkar napisał: > On 7/19/10 2:16 PM, Jacob Helwig wrote: >> On Mon, Jul 19, 2010 at 14:10, Jakub Narebski<jnareb@gmail.com> wrote: >>> Dnia poniedziałek 19. lipca 2010 23:05, Jacob Helwig napisał: >>>> On Mon, Jul 19, 2010 at 14:02, Jakub Narebski<jnareb@gmail.com> wrote: >>>>> Ketan Padegaonkar<ketanpadegaonkar@gmail.com> writes: >>>>> >>>>>> We use http to serve our git repos, in order for git to not ask me a >>>>>> username/password everytime, > > Apologies. I used the wrong punctuation. It should read as: > > We use https+basic auth to serve up git repos. Unfortunately SSH is not > an option for various reasons. Is it because of firewall, or it is the issue with issuing shell accounts? If the latter, you can use tools such as gitosis or gitolite which need only one single shell account, and control access via public key infrastructure. > > In order for git to not ask me the username/password, I 'encoded' the > username/password into the url. Can't you use ~/.netrc file[1] instead? As far as I see this would not show password info on error. Not that the current situation should not be fixed, but it might be worthwhile workaround for a time. The ~/.netrc file would look like this for your example: machine host login user password pass You should of course `chmod 600 ~/.netrc` [1] This is unfortunately underdocumented: only this documentation Documentation/howto/setup-git-server-over-http.txt mentions ~/.netrc file. I think that handling the $HOME/.netrc is done by the curl library that git uses, see libcurl-tutorial(3) manpage. > I'm using git v1.7.1.1 on MacOSX Leopard. I can see the same behavior on > master (rev 24e7a5). -- Jakub Narebski Poland ^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [http] Git error messages reveal password encoded in the URL 2010-07-20 0:41 ` Jakub Narebski @ 2010-07-20 7:46 ` Tay Ray Chuan 0 siblings, 0 replies; 8+ messages in thread From: Tay Ray Chuan @ 2010-07-20 7:46 UTC (permalink / raw) To: Jakub Narebski; +Cc: Ketan Padegaonkar, Jacob Helwig, git-dev Hi: On Tue, Jul 20, 2010 at 8:41 AM, Jakub Narebski <jnareb@gmail.com> wrote: > Dnia wtorek 20. lipca 2010 01:25, Ketan Padegaonkar napisał: [snip] > Can't you use ~/.netrc file[1] instead? As far as I see this would not > show password info on error. Not that the current situation should > not be fixed, but it might be worthwhile workaround for a time. > > The ~/.netrc file would look like this for your example: > > machine host > login user > password pass > > You should of course `chmod 600 ~/.netrc` > > [1] This is unfortunately underdocumented: only this documentation > Documentation/howto/setup-git-server-over-http.txt mentions ~/.netrc > file. I think that handling the $HOME/.netrc is done by the curl > library that git uses, see libcurl-tutorial(3) manpage. +1 This is the only way I know of to "hide" your password. Of course, depending on your authentication scheme, your efforts for this setup may prove worthless. -- Cheers, Ray Chuan ^ permalink raw reply [flat|nested] 8+ messages in thread
end of thread, other threads:[~2010-07-20 7:46 UTC | newest] Thread overview: 8+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2010-07-19 17:00 [http] Git error messages reveal password encoded in the URL Ketan Padegaonkar 2010-07-19 21:02 ` Jakub Narebski 2010-07-19 21:05 ` Jacob Helwig 2010-07-19 21:10 ` Jakub Narebski 2010-07-19 21:16 ` Jacob Helwig 2010-07-19 23:25 ` Ketan Padegaonkar 2010-07-20 0:41 ` Jakub Narebski 2010-07-20 7:46 ` Tay Ray Chuan
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for NNTP newsgroup(s).