46

While following a git tutorial, I've made my first push over https today to a remote on git hub, the tutorial mentions the following command to avoid having to keep typing in password details:

git config --global credential.helper wincred

My question is how is this working as a concept? it is the first time I have come across a credential helper. I'm not sure how it works with Windows and Git, where is it being stored and how does it authenticate when I push or pull?

I've tried to search for this online but haven't found any information that explains this in a simple way for someone who is a beginner.

j obe
  • 1,759
  • 4
  • 15
  • 23

4 Answers4

37

If you use wincred for credential.helper, git is using the standard windows Credential Manager to store your credentials.

You can view the Credential Manager from your Control Panel settings.

enter image description here

Gauthaman Sahadevan
  • 923
  • 1
  • 11
  • 19
  • 2
    Thanks @gauthaman I haven't come across credential manager before, so if 2 different people were to use git for windows on the same machine, would they have 2 separate sets of credentials saved? there wouldn't be any chance of mixing up happening? – j obe Jul 12 '16 at 22:44
  • @jobe Not an issue, separate storage and each users separate cert keys secure them – HerbM Nov 10 '18 at 00:22
  • 4
    **Note:** The credentials are stored as "Generic credentials" and typically start with `git:https//...` If you change your Windows password, I recommend to delete those entries and then run `git config --global credential.helper wincred` from the Git console again. Make sure to close and reopen related apps (e.g. Visual Studio) after you've done that. – Matt Apr 11 '19 at 08:22
4

See the MSDN documentation for Windows credential management. The git interface to this just uses the provided API to store your credentials securely. Functions like CredEnumerate and CredWrite get used to check the stored credentials and add or update them.

patthoyts
  • 32,320
  • 3
  • 62
  • 93
  • 1
    Sorry, I looked at the docs but as a beginner I felt it still wasn't very clear in helping me understand. – j obe Jul 12 '16 at 23:17
2

I ran into this recently as well. I kept getting 'unauthorized' to a repository that my standard GitHub account had no problems pulling. It WAS a private repository of course.

So at a top level:

You can either do say a git clone via:

git clone httpS://user:password@githib.com/org/repo.git

Of course, it's a pain every time (and not documented in the git intro pages)

Or, git CLI can store your user name/password in a secure, encrypted store called the Windows Credential Store. This is what you told git to do when you entered git config --global credential.helper wincred.

Then you just do

git clone httpS://githib.com/org/repo.git

and it magically works, using your stored credentials. When Git notices it's a private repository, instead of prompting for user name/password, it goes to the Windows Credential Store and gets your username/password, and uses that. It transmits over https in a secure manner. I'm stressing httpS to show that this only works over https, but if you click the 'copy' command on a Git repository, https is the default.

In theory, git SHOULD prompt you for a user name and password if you omit them, and your user name/password weren't stored; and then store them for subsequent uses. In my case, it didn't. Read on for the fix.

Where is it stored?

Click on "Start" then type "Cred" and go to the Windows Credential Manager.

Then click on "Windows Credentials."

enter image description here

There may be a github entry in the middle of all of the stuff. (This is a good chance to review stored passwords!) In my case, I had the git entry, and I swear I haven't changed the password in ages, but all I had to do was reenter the password and then git clone worked fine with my user name as specified.

To validate where you are set, type

git config --list
http.sslcainfo=C:/Program Files/Git/mingw64/ssl/certs/ca-bundle.crt
http.sslbackend=openssl
... lots of stuff
credential.helper=manager
.... this is important:
user.name=John Q. Public
user.email=example@users.noreply.github.com
winupdater.recentlyseenversion=2.25.0.windows.1
.... more stuff
credential.helper=wincred

I tried to sanitize the juicy bits. You can validate the last line with the CLI command that you entered. To find where "wincred" is, follow the steps above the picture.

Dharman
  • 30,962
  • 25
  • 85
  • 135
J. Gwinner
  • 931
  • 10
  • 15
0

Note: wincred is normally replaced with GCM git-credential-manager from Microsoft, which is cross-platform, and will, on Windows, query the Windows Credential Manager.

But if you are still using wincred, know that most credential helpers ignored unknown entries in a credential description, but a few died upon seeing them.

With Git 2.39 (Q4 2022), wincred was taught to ignore them, too

See commit 630a642, commit 6ea87d9, commit d695804 (22 Sep 2022) by Matthew John Cheetham (mjcheetham).
(Merged by Junio C Hamano -- gitster -- in commit dc6dd55, 10 Oct 2022)

wincred: ignore unknown lines (do not die)

Signed-off-by: Matthew John Cheetham

It is the expectation that credential helpers be liberal in what they accept and conservative in what they return, to allow for future growth and evolution of the protocol/interaction.

All of the other helpers (store, cache, osxkeychain, libsecret, gnome-keyring) except netrc currently ignore any credential lines that are not recognised, whereas the Windows helper (wincred) instead dies.

Fix the discrepancy and ignore unknown lines in the wincred helper.

No more unrecognized input

     /*
     * Ignore other lines; we don't know what they mean, but
     * this future-proofs us when later versions of git do
     * learn new lines, and the helpers are updated to match.
     */
VonC
  • 1,262,500
  • 529
  • 4,410
  • 5,250