3

I have attempted to remove Git's access to private GitHub repositories on GitHub. No matter what I try, I cannot stop it from gaining access. I therefore wish to know how it is authenticating, so I can remove access.

I have tried both methods here

First:

```
git config --global --unset user.name
git config --global --unset user.email
git config --global --unset credential.helper
```

and second

```
git config --global --unset-all
```

And I've also deleted every github entry in Keychain Access.

When I open a new terminal window, and push to a private GitHub repository, it asks for my username and email (not password), yet the push succeeds.

Question

How can I find out how Git in terminal is able to use my GitHub credentials to push a change to GitHub?

Notes

  • I'm connecting to GitHub via HTTPS (rather than SSH)
stevec
  • 2
    Git doesn't "store" or "access" any GitHub credentials. It knows nothing of authorization. – matt May 21 '21 at 19:48
  • @matt thanks. I'll use the word 'use' in place – stevec May 21 '21 at 19:49
  • @matt corrected. – stevec May 21 '21 at 19:50
  • 1
    But Git isn't even using GitHub credentials. If you are using a `git:` URL for your repo you are doing SSH. So SSH is doing the work. You would want to blow away the `.ssh` entry if you want to unlink yourself entirely from GitHub access. But why would you? It is securely tied to this one computer. – matt May 21 '21 at 19:50
  • The git config is only for commit metadata. It's not using that for authentication. – evolutionxbox May 21 '21 at 19:51
  • @matt I'm using HTTPS. I'll also clarify that too. Thanks for these tips – stevec May 21 '21 at 19:51
  • @evolutionxbox ah. Didn't know that. Do you know what is used for authentication (I guess Git may look in a few places, how can I see what those are, and the order in which it looks)? – stevec May 21 '21 at 19:52
  • I repeat, Git knows nothing of authorization. – matt May 21 '21 at 19:53
  • @matt something communicates with the GitHub API to tell it that I'm me. If you try to commit to the same repo from your computer, it won't work. So *something* is authenticating and sits between git and GitHub. I need to figure out what that is – stevec May 21 '21 at 19:54
  • @matt Regarding *why* I'd want to, I'm [switching from password to token authentication](https://github.blog/2020-12-15-token-authentication-requirements-for-git-operations/), and, well, I guess I just want to be very thorough by first ensuring I have fully removed access to GitHub before using the token for authentication. Probably a little obsessive, but it's also good for me to learn how Git/Github authentication works. As you can already tell, I'm not 100% clear on it :) – stevec May 21 '21 at 19:59
  • Not obsessive at all, really, it is correct to switch to PAT. – matt May 21 '21 at 20:01
  • After removing password from keychain did you restart computer? Just a wild and crazy idea. – matt May 21 '21 at 20:02
  • @matt I closed all terminal completely but, no, I didn't restart. Brb – stevec May 21 '21 at 20:03
  • As you've seen, this stuff gets ridiculously complex, very fast. To simplify, realize that Git itself relies on helpers. Some helpers use system data, some use cache files. Each piece of software involved (libcurl, ssh, etc) may have its own tricks, so drilling down to just-HTTPS is wise. Once you get past this point, though, realize that when HTTPS connects to GitHub, HTTPS gives GitHub something—user name, access token, whatever—and then GitHub themselves may do complex things with *that*. – torek May 22 '21 at 01:44

2 Answers

1

On most macOS systems, the `credential.helper` variable is not set in the global config, but in the system one, so you still have a credential helper enabled. You can verify this by running `git config --get credential.helper`, which will probably print `osxkeychain`.

If your goal is to remove the credentials, you can do that by following the steps outlined in the Git FAQ:

```
$ echo url=https://username@github.com | git credential reject
```

If you're just interested in whether the credential helper has any credentials, you can run this:

```
$ echo url=https://username@github.com | git credential fill | less
```

That will print a line containing `password=` with the password. Note that in this case I've piped it to `less` to prevent it from being printed long-term on the screen.

bk2204
  • This is very cool but notice that the OP claims to have removed the password from the keychain. – matt May 21 '21 at 20:13
  • Running `git config --get credential.helper` indeed returns `osxkeychain`. When I try `echo url=https://username@github.com | git credential reject` (replacing username with my actual GitHub username) it doesn't error (no messages either), but I can still open a new terminal window and push to a private repository. – stevec May 21 '21 at 20:22
  • Try running `echo url=https://github.com | git credential fill | less` to see if you have _any_ credentials for GitHub in your credential manager. Also, do you have any entries in a `~/.netrc` file? That can be used by libcurl, which Git uses for HTTPS. – bk2204 May 21 '21 at 20:54
  • `echo url=https://github.com | git credential fill` indeed displays my username and password. Do you know how/where it's getting them, and how to remove it so that it no longer has them? – stevec May 22 '21 at 04:01
  • [Updating credentials from the macOS Keychain: Deleting your credentials via the command line](https://docs.github.com/en/github/getting-started-with-github/getting-started-with-git/updating-credentials-from-the-macos-keychain#deleting-your-credentials-via-the-command-line) – srage May 22 '21 at 04:12
  • @drruruu [Updating credentials from the macOS Keychain: Deleting your credentials via the command line](https://docs.github.com/en/github/getting-started-with-github/getting-started-with-git/updating-credentials-from-the-macos-keychain#deleting-your-credentials-via-the-command-line) worked. Please make it an answer – stevec May 22 '21 at 05:02
1

Per the GitHub Docs, for macOS:

Through the command line, you can use the credential helper directly to erase the keychain entry.

```
$ git credential-osxkeychain erase
host=github.com
protocol=https
> [Press Return]
```

If it's successful, nothing will print out. To test that it works, try and clone a private repository from GitHub. If you are prompted for a password, the keychain entry was deleted.

srage
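
An added example, not part of the original answers: a small audit script that ties the thread together by showing which config file sets each credential helper, whether a helper still returns a password for a host (without printing it), and whether a netrc file holds a login for that host. The function names and the `audit.sh` file name are hypothetical; it assumes Git 2.8 or later for `--show-origin`.

```shell
#!/bin/sh
# Added example (not from the original thread): list the places Git's HTTPS
# authentication can draw credentials from, without printing any secret.

# Every credential helper setting, with the config file that sets it.
# Also matches URL-scoped keys such as credential.https://github.com.helper.
list_credential_helpers() {
    git config --show-origin --get-regexp '^credential\..*helper$' 2>/dev/null || true
}

# Succeeds if the configured helpers return a password for https://HOST.
# Prompts are disabled so a miss fails instead of asking; the secret is
# only tested for, never echoed.
has_stored_credential() {
    printf 'protocol=https\nhost=%s\n\n' "$1" |
        GIT_TERMINAL_PROMPT=0 GIT_ASKPASS='' SSH_ASKPASS='' \
            git credential fill 2>/dev/null |
        grep -q '^password='
}

# Login names a netrc file (default ~/.netrc) holds for HOST; libcurl can
# read this file. Tokens may be split across lines, so flatten them first.
netrc_logins_for() {
    [ -r "${2:-$HOME/.netrc}" ] || return 0
    tr -s '[:space:]' '\n' < "${2:-$HOME/.netrc}" | awk -v host="$1" '
        prev == "machine" { cur = $0 }
        prev == "login" && cur == host { print }
        { prev = $0 }'
}

# Run the audit only when asked: sh audit.sh --run [host]
if [ "${1:-}" = "--run" ]; then
    host=${2:-github.com}
    echo "credential helpers (origin, key, value):"
    list_credential_helpers
    if has_stored_credential "$host"; then
        echo "a helper returns a stored password for https://$host"
    else
        echo "no stored password for https://$host"
    fi
    echo "netrc logins for $host: $(netrc_logins_for "$host")"
fi
```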