3

I am trying to provide a password to git through GIT_ASKPASS like this:

export PASSWORD=<secret>
export GIT_ASKPASS="/usr/bin/echo $PASSWORD"
git clone https://username@domain.com/git-repo/repo.git

But I get:

 error: cannot run /usr/bin/echo <secret>: No such file or directory

So it seems I am not allowed to give parameters in GIT_ASKPASS?

Now I could create a script which just contains:

/usr/bin/echo $PASSWORD

But I am wondering: Is there a way of doing this without creating a temporary script?

Melebius
Nathan

3 Answers

5

The main problem is that the whole variable is interpreted as a program name. So what about making another script, let’s call it password_provider.sh, which would tell us the password?

#! /bin/sh
echo <secret>

Then you can run: export GIT_ASKPASS="./password_provider.sh"

Security notice

Keep in mind that this means storing the password in plain text, which is generally not a good security practice. You should prefer public key authentication or a true credential helper whenever possible.

Melebius
  • 2
    You could drop the `export` line, and just `echo $PASSWORD`, since the idea here is to inherit the password from the environment. But this is using a script (not necessarily a *temporary* script) so it may be counter to the spirit of the question. :-) It also remains quite insecure, as it is possible to view environment variables of other processes. What is needed in the end is a *credential helper*, and the OP should read up on these. – torek Nov 16 '16 at 11:54
  • @torek Yes, it _is_ insecure but OP explicitly asked for plain `echo`… I’ve added a link for how to use a credential helper. – Melebius Nov 16 '16 at 12:12
  • Yes, I'm just emphasizing that even if you *don't* put the plain-text password into the provider script, it remains insecure (as you pointed out originally!). – torek Nov 16 '16 at 13:02
2

You are looking for echo in the wrong location. Try running whereis echo and substitute that; on a Mac, echo is located at /bin/echo.

Kevin Doveton
1

The Problem

As others have said, you can't pass arguments within the string. The whole string is interpreted as the command.

# this works
echo foo
# this does not
"echo foo"

Working Solution(s)

I went through every possible iteration of how to do this:

  • SSH Public Keys
    • SSH_ASKPASS
  • API Access Tokens
    • GIT_ASKPASS
    • .gitconfig insteadOf
    • .gitconfig [credential]
    • .git-credentials
    • .netrc

And I compiled a list of EVERY. SINGLE. METHOD. that actually worked.

I actually recommend the .gitconfig insteadOf approach, but for GIT_ASKPASS, this is what I did:

From Git Credentials & Private Packages Cheatsheet

How to create a GIT_ASKPASS script:

echo 'echo $MY_GIT_TOKEN' > $HOME/.git-askpass

How to use it:

export MY_GIT_TOKEN=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
export GIT_ASKPASS=$HOME/.git-askpass
git clone https://token@code.example.com/project.git

The script receives stdin in the form of:

Password for 'scheme://host.tld':

The script receives Git ENVs such as:

GIT_DIR=/Users/me/project/.git
GIT_EXEC_PATH=/usr/local/Cellar/git/2.19.0_1/libexec/git-core
GIT_PREFIX=

More details in the cheatsheet.

coolaj86
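An added example, not part of any answer above and not taken from the linked cheatsheet: a GIT_ASKPASS helper that answers Git's username and password prompts from the environment, is written owner-only and executable, and fails closed on an empty token or an unrecognised prompt. Git passes the prompt text as the helper's first argument and reads the reply from its stdout; `MY_GIT_USER`, its `token` default and the helper path are assumptions, and the prompts and token used in `demo` are constructed.

```shell
#!/bin/sh
# Added example. MY_GIT_USER, the "token" default and the helper path are assumptions.

# Write an askpass helper to $1, readable and executable by the owner only.
# The function body is a subshell, so the umask change does not leak out.
make_askpass() (
    umask 077
    cat > "$1" <<'EOF'
#!/bin/sh
# Git passes the prompt as "$1" and reads the answer from stdout.
case "$1" in
    Username*)
        printf '%s\n' "${MY_GIT_USER:-token}" ;;
    Password*)
        # Fail closed rather than hand Git an empty password.
        [ -n "$MY_GIT_TOKEN" ] || { echo "MY_GIT_TOKEN is not set" >&2; exit 1; }
        printf '%s\n' "$MY_GIT_TOKEN" ;;
    *)
        echo "unexpected prompt: $1" >&2; exit 1 ;;
esac
EOF
    chmod 700 "$1"
)

# Run the helper the way Git does: one argument, the prompt text.
# $1 = helper path, $2 = token placed in the helper's environment, $3 = prompt
ask() {
    MY_GIT_TOKEN=$2 MY_GIT_USER= "$1" "$3"
}

# Constructed demo: no network, no real credentials.
demo() {
    dir=$(mktemp -d) || return 1
    make_askpass "$dir/git-askpass" || return 1
    ask "$dir/git-askpass" "constructed-token" "Password for 'https://token@code.example.com': "
    ask "$dir/git-askpass" "constructed-token" "Username for 'https://code.example.com': "
    rm -rf "$dir"
}
demo

# Real use:
#   export MY_GIT_TOKEN=...   GIT_ASKPASS=/path/to/git-askpass
#   git clone https://token@code.example.com/project.git
```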