* Password for proxies from external
@ 2021-11-12 13:07 6a50120e
2021-11-12 21:28 ` Jeff King
0 siblings, 1 reply; 2+ messages in thread
From: 6a50120e @ 2021-11-12 13:07 UTC (permalink / raw)
To: git
Hi there!
If searched a lot and everywhere i found the same information...
when i want to set a http-proxy for git, the configuration goes to
~/.gitconfig
```
[http]
proxy = http://username:password@proxy.dings.bums:1234
```
So the proxy password is in cleartext written down to the config-file.
The git own password-store can not be used... even no external like pass.
For aliases i can set something like
```
[alias]
blafoo = "!f() {do something on shell}; f"
```
But this does not work for proxy-settings.
There should be a mechanism to read a password or the credentials from
the shell in proxy-settings. Something like bash-subshell-construct.
```
[http]
proxy = http://$(pass show key|grep login):$(pass show key|head
-n1)@proxy.dings.bums:1234
```
or
```
[http]
proxy = "!u() {pass show key|grep login}; !p() {pass show key|head
-n1}; http://u:p@proxy.dings.bums:1234"
```
This would close the security-hole of cleartext-credentials in
config-files...
thank you
Jakob
--
^ permalink raw reply [flat|nested] 2+ messages in thread
* Re: Password for proxies from external
2021-11-12 13:07 Password for proxies from external 6a50120e
@ 2021-11-12 21:28 ` Jeff King
0 siblings, 0 replies; 2+ messages in thread
From: Jeff King @ 2021-11-12 21:28 UTC (permalink / raw)
To: 6a50120e; +Cc: git
On Fri, Nov 12, 2021 at 02:07:03PM +0100, 6a50120e@schuerz.at wrote:
> when i want to set a http-proxy for git, the configuration goes to
> ~/.gitconfig
>
> ```
> [http]
> proxy = http://username:password@proxy.dings.bums:1234
>
> ```
>
> So the proxy password is in cleartext written down to the config-file. The
> git own password-store can not be used... even no external like pass.
Have you tried including just the username, like:
[http]
proxy = http://username@example.com:1234
That should prompt for the password, including using your regular
configured credential helpers; see 372370f167 (http: use credential API
to handle proxy authentication, 2016-01-26).
We don't recognize HTTP 407 ("Proxy Authentication Required") to trigger
the username/password lookup, like we do for an HTTP 401. That probably
wouldn't be much code to add, but I suspect it's less important for a
proxy versus a regular site because you only use one proxy (and it
either needs auth or it doesn't).
-Peff
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2021-11-12 21:28 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2021-11-12 13:07 Password for proxies from external 6a50120e
2021-11-12 21:28 ` Jeff King
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).