Thread: 13 messages, 7 authors, 2023-05-29

Re: The enduring popularity of git-credential-store

From: M Hickford <hidden>
Date: 2022-11-12 02:31:10

On Tue, 8 Nov 2022 at 22:52, brian m. carlson
[off-list ref] wrote:
> On 2022-11-08 at 10:50:33, M Hickford wrote:
> > Among StackOverflow users [1], git-credential-store appears several
> > times more popular than any other credential helper. Does this make
> > anyone else uneasy? The docs warn that git-credential-store "stores
> > your passwords unencrypted on disk" [2]. Are users sacrificing
> > security for convenience?
>
> I definitely think there are better approaches.  However, none of the
> credential managers for the three major platforms work without a
> desktop environment, so if someone's logging in over SSH, then there's
> no more secure option that's going to work for them.  Taylor did
> mention GCM, but I believe it has the same problem, and even if it
> didn't, it's written in C#, which isn't portable to many Unices and
> isn't viable on servers anyway due to dependencies.
On my headless Raspberry Pi, I use OAuth access tokens (generated by
GCM) stored in cache with a long timeout. The usability is pretty good
-- once per day I do the OAuth device flow [1] entering a code from
the Raspberry Pi into a device with a web browser [2].

GCM was indeed awkward to install on Linux arm64. I wrote
git-credential-oauth [3][4] in Go to be easier for Linux distros to
package.

[1] https://www.rfc-editor.org/rfc/rfc8628.html
The OAuth 2.0 device authorization grant is designed for Internet-
connected devices that either lack a browser to perform a user-agent-
based authorization or are input constrained to the extent that
requiring the user to input text in order to authenticate during the
authorization flow is impractical.  It enables OAuth clients on such
devices (like smart TVs, media consoles, digital picture frames, and
printers) to obtain user authorization to access protected resources
by using a user agent on a separate device.
[2] https://github.com/login/device
[3] https://github.com/hickford/git-credential-oauth
[4] recent thread on git-credential-oauth
https://lore.kernel.org/git/CAGJzqs=+fCQzkDX53H8Mz-DjXicVVgRmmzPjkatSiOpYO7wGGA@mail.gmail.com/T/#u
[5] device flow support for git-credential-oauth
https://github.com/hickford/git-credential-oauth/pull/9
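The device flow Hickford describes (a code shown on the headless Pi, approved from a device with a browser, then a short-lived token handed to git) and the RFC 8628 abstract quoted at [1], simulated end to end as an added example. This is not code from this thread or from git-credential-oauth. The authorization server is an in-process httptest server; the endpoint paths, client id, user and device codes, interval and token value are constructed for the example, and credentialOutput emits the key=value lines git's credential helper protocol uses.

```go
// Added example, not code from the thread or from git-credential-oauth: the OAuth 2.0
// device authorization grant (RFC 8628) simulated end to end with constructed values.
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"sync/atomic"
	"time"
)

const grantType = "urn:ietf:params:oauth:grant-type:device_code"

type deviceAuth struct { // device authorization response (RFC 8628 section 3.2)
	DeviceCode      string `json:"device_code"`
	UserCode        string `json:"user_code"`
	VerificationURI string `json:"verification_uri"`
	Interval        int    `json:"interval"`
}

type tokenResp struct { // token response; Error is "authorization_pending" until approved
	AccessToken string `json:"access_token,omitempty"`
	ExpiresIn   int    `json:"expires_in,omitempty"`
	Error       string `json:"error,omitempty"`
}

func writeJSON(w http.ResponseWriter, status int, v interface{}) {
	w.WriteHeader(status)
	json.NewEncoder(w).Encode(v)
}

// fakeAuthServer answers the first approveAfter polls with authorization_pending, as if
// the user had not yet entered the code in a browser on another device.
func fakeAuthServer(approveAfter int) *httptest.Server {
	const deviceCode = "constructed-device-code"
	var polls int32
	mux := http.NewServeMux()
	mux.HandleFunc("/device_authorization", func(w http.ResponseWriter, r *http.Request) {
		writeJSON(w, 200, deviceAuth{DeviceCode: deviceCode, UserCode: "WDJB-MJHT",
			VerificationURI: "https://example.com/device", Interval: 0})
	})
	mux.HandleFunc("/token", func(w http.ResponseWriter, r *http.Request) {
		if atomic.AddInt32(&polls, 1) <= int32(approveAfter) {
			writeJSON(w, 400, tokenResp{Error: "authorization_pending"})
			return
		}
		// A short-lived bearer token is what ends up in git's credential cache.
		writeJSON(w, 200, tokenResp{AccessToken: "constructed-access-token", ExpiresIn: 28800})
	})
	return httptest.NewServer(mux)
}

func postForm(endpoint string, form url.Values, out interface{}) error {
	r, err := http.PostForm(endpoint, form)
	if err != nil {
		return err
	}
	defer r.Body.Close()
	return json.NewDecoder(r.Body).Decode(out)
}

// deviceFlow is the client: obtain a user code, show it, then poll the token endpoint at
// the server's interval until approved or maxPolls is reached. Returns token and polls made.
func deviceFlow(base, clientID string, maxPolls int) (tokenResp, int, error) {
	var da deviceAuth
	if err := postForm(base+"/device_authorization", url.Values{"client_id": {clientID}}, &da); err != nil {
		return tokenResp{}, 0, err
	}
	fmt.Printf("Visit %s and enter code %s\n", da.VerificationURI, da.UserCode)
	form := url.Values{"grant_type": {grantType}, "device_code": {da.DeviceCode}, "client_id": {clientID}}
	for polls := 1; polls <= maxPolls; polls++ {
		time.Sleep(time.Duration(da.Interval) * time.Second)
		var tr tokenResp
		if err := postForm(base+"/token", form, &tr); err != nil {
			return tokenResp{}, polls, err
		}
		switch tr.Error {
		case "":
			return tr, polls, nil
		case "authorization_pending", "slow_down":
			continue // user has not approved yet; keep polling
		default:
			return tokenResp{}, polls, fmt.Errorf("token endpoint: %s", tr.Error)
		}
	}
	return tokenResp{}, maxPolls, fmt.Errorf("no approval after %d polls", maxPolls)
}

// credentialOutput formats the token as a helper's "get" action reports it to git
// (the same key=value lines git-credential-store writes), token in the password field.
func credentialOutput(username string, tr tokenResp) string {
	return fmt.Sprintf("username=%s\npassword=%s\n", username, tr.AccessToken)
}

func main() {
	srv := fakeAuthServer(2)
	defer srv.Close()
	tr, polls, err := deviceFlow(srv.URL, "constructed-client-id", 10)
	fmt.Printf("polls=%d err=%v\n%s", polls, err, credentialOutput("oauth2", tr))
}
```

What reaches git, and therefore whatever helper caches it, is a bearer token with an expiry rather than the account password, which is the difference from a git-credential-store file holding the password itself. A client that stops polling before the user approves gets an error and no token, so the cache only ever holds something the user explicitly granted.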