1

I'm new to using Gitlab. My workplace has recently moved from on-prem Git to a cloud-based Gitlab host. I used ssh authentication in the past with our on-prem so never had to deal with credentials hanging around (I'm using Linux) in .git/config or ~/.gitconfig.

If I let git manage my credentials/tokens, with whatever defaults it uses, those creds/tokens end up stored in plaintext in my home directory under ~/.git-credentials or in the .git/config file, which is problematic for various reasons.

I poked around and found Git Credential Manager Core but after getting it installed, as shown in the README, I'm not exactly sure it's working correctly, or I'm misunderstanding how to use it. I ran these commands to get it set up:

  • dpkg -i gcm-linux_amd64.2.0.785.deb
  • git-credential-manager-core configure
  • git config --global credential.credentialStore gpg
  • pass init <gpg-id>

I tried cloning a cloud-based repo using a personal access token, but when I clone it, gpg prompts me for my passphrase, but the token ends up in the .git/config file anyway.

```
$ git clone https://user-test-token:glpat-w1...xp@gitlabhost.com/my.username/my-repo.git
$ cat .git/config
...
[remote "origin"]
        url = https://user-test-token:glpat-w1...xp@gitlabhost.com/my.username/my-repo.git
...
```

What am I doing wrong?

Nstevens
  • Does this answer your question? [How can I save username and password in Git?](https://stackoverflow.com/questions/35942754/how-can-i-save-username-and-password-in-git) – Jakob Guldberg Aaes Oct 17 '22 at 20:10
  • 1
    Why not continue to use SSH based authentication? – fredrik Oct 17 '22 at 20:18
  • @JakobGuldbergAaes not really. Anything using `credential.helper` is going to store things in the clear (as far as I can tell). Also, some of those posts mention _just put your credentials in the URL_ which also gets saved in `.git/config` in cleartext also. – Nstevens Oct 18 '22 at 09:44
  • @fredrik our business unit was merged with another entity and this is how it works now. – Nstevens Oct 18 '22 at 09:51
  • @Nstevens "Anything using credential.helper is going to store things in the clear": That has not been my experience on Windows, where it is stored in the Windows Vault (the Windows Credential Manager). And Linux should have an equivalent (possibly https://www.passwordstore.org/). You could even set up netrc as a possible way to encrypt your credentials: [I have done so back in the day, pre-GCM](https://stackoverflow.com/a/18362082/6309). – VonC Oct 18 '22 at 11:28
  • I think what @fredrik means is to add an ssh-key to https:///-/profile/keys – Jakob Guldberg Aaes Oct 18 '22 at 13:25
  • @JakobGuldbergAaes True, however the question is for HTTPS credentials management. – VonC Oct 18 '22 at 13:43

2 Answers

1

Check if this is a TTY issue

If you are using the gpg credential store in a headless/TTY-only environment, you must ensure you have configured the GPG Agent (gpg-agent) with a suitable pin-entry program for the terminal such as pinentry-tty or pinentry-curses.

If you are not connecting via SSH, or otherwise do not have the SSH_TTY environment variable set, you must set the GPG_TTY environment variable before running GCM.
The easiest way to do this is by adding the following to your profile (~/.bashrc, ~/.profile etc):

```
export GPG_TTY=$(tty)
```
VonC
  • Thanks, that's a good catch but I'm not running headless. I _do_ get the `pinentry-curses` prompt and `SSH_TTY` is currently set to `/dev/pts/2`. I'm reading up on the `pass` utility. I think there's more that I need to do there and it just isn't documented in the GCM info. – Nstevens Oct 18 '22 at 09:58
  • 1
    @Nstevens I agree, https://www.passwordstore.org/ would be your best bet if you are not in a headless environment. – VonC Oct 18 '22 at 11:26
1

In your git clone command, you inserted a personal access token into the remote URL. This is insecure and prevents Git from calling any configured credential helpers. Instead, you should clone with the unadorned remote URL.

Next, Git Credential Manager only supports gitlab.com out of the box (see GitLab issue #374172). To use with another GitLab instance such as gitlab.example.com, follow the instructions at https://github.com/git-ecosystem/git-credential-manager/blob/main/docs/gitlab.md .


For what it's worth, you might find it easier to use git-credential-oauth, included in many Linux distributions including Fedora, Debian and Ubuntu.

Colonel Panic
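The cleanup implied by the answer above, as an added example that is not part of the original posts: a shell helper that finds remotes whose URL embeds credentials and rewrites them to the unadorned form, so the configured credential helper is consulted on the next fetch or push. The function names are hypothetical, and the script assumes Git 2.7 or later (for `git remote get-url`).

```shell
#!/usr/bin/env bash
# Added example: remove credentials embedded in remote URLs in .git/config.
# Usage (after sourcing this file): scrub_repo_remotes /path/to/repo

# Strip the userinfo part (user:secret@) from an http(s) URL.
# URLs without userinfo and non-HTTP forms (git@host:path) pass through.
strip_url_userinfo() {
    printf '%s\n' "$1" | sed -E 's#^(https?://)[^/@]*@#\1#'
}

# Succeeds (exit 0) if the URL carries userinfo, fails otherwise.
url_has_userinfo() {
    [ "$(strip_url_userinfo "$1")" != "$1" ]
}

# Rewrite every remote of repo $1 whose fetch URL embeds credentials.
# Prints only the remote name and the cleaned URL, never the secret.
# The number of rewritten remotes is left in the variable SCRUBBED.
# A separately configured pushurl is not touched by this function.
scrub_repo_remotes() {
    repo=$1
    SCRUBBED=0
    for name in $(git -C "$repo" remote); do
        url=$(git -C "$repo" remote get-url "$name")
        if url_has_userinfo "$url"; then
            clean=$(strip_url_userinfo "$url")
            git -C "$repo" remote set-url "$name" "$clean"
            echo "$name: rewritten to $clean"
            SCRUBBED=$((SCRUBBED + 1))
        fi
    done
}
```

Removing the token from `.git/config` does not un-expose it: a token that was stored there or typed on the command line should be revoked and reissued.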