Re: The enduring popularity of git-credential-store
From: M Hickford <hidden>
Date: 2022-11-12 02:31:10
On Tue, 8 Nov 2022 at 22:52, brian m. carlson [off-list ref] wrote:
> On 2022-11-08 at 10:50:33, M Hickford wrote:
> > Among StackOverflow users [1], git-credential-store appears several times more popular than any other credential helper. Does this make anyone else uneasy? The docs warn that git-credential-store "stores your passwords unencrypted on disk" [2]. Are users sacrificing security for convenience?
>
> I definitely think there are better approaches. However, none of the credential managers for the three major platforms work without a desktop environment, so if someone's logging in over SSH, then there's no more secure option that's going to work for them. Taylor did mention GCM, but I believe it has the same problem, and even if it didn't, it's written in C#, which isn't portable to many Unices and isn't viable on servers anyway due to dependencies.

On my headless Raspberry Pi, I use OAuth access tokens (generated by GCM) stored in cache with a long timeout. The usability is pretty good -- once per day I do the OAuth device flow [1] entering a code from the Raspberry Pi into a device with a web browser [2]. GCM was indeed awkward to install on Linux arm64. I wrote git-credential-oauth [3][4] in Go to be easier for Linux distros to package.

[1] https://www.rfc-editor.org/rfc/rfc8628.html

    The OAuth 2.0 device authorization grant is designed for Internet-connected devices that either lack a browser to perform a user-agent-based authorization or are input constrained to the extent that requiring the user to input text in order to authenticate during the authorization flow is impractical. It enables OAuth clients on such devices (like smart TVs, media consoles, digital picture frames, and printers) to obtain user authorization to access protected resources by using a user agent on a separate device.

[2] https://github.com/login/device
[3] https://github.com/hickford/git-credential-oauth
[4] recent thread on git-credential-oauth https://lore.kernel.org/git/CAGJzqs=+fCQzkDX53H8Mz-DjXicVVgRmmzPjkatSiOpYO7wGGA@mail.gmail.com/T/#u
[5] device flow support for git-credential-oauth https://github.com/hickford/git-credential-oauth/pull/9
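The polling half of the device flow described in the message above, as an added Go example that is not code from git-credential-oauth or from the thread: it assumes a token endpoint URL, a client id and a device code already obtained from the device-authorization request, and implements the authorization_pending / slow_down / terminal-error handling of RFC 8628 section 3.5 so a headless helper can wait for the browser-side approval.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/url"
	"time"
)

// tokenResp is the token endpoint's reply while polling the device grant (RFC 8628 §3.4, §3.5).
type tokenResp struct {
	AccessToken string `json:"access_token"`
	Error       string `json:"error"`
}
// Advance applies RFC 8628 §3.5 to one reply: keep polling on authorization_pending, back off 5 s on slow_down, else stop.
func Advance(tr tokenResp, interval time.Duration) (token string, next time.Duration, done bool, err error) {
	switch tr.Error {
	case "":
		return tr.AccessToken, interval, true, nil
	case "authorization_pending": // the person has not entered/approved the user code yet
		return "", interval, false, nil
	case "slow_down":
		return "", interval + 5*time.Second, false, nil
	default: // access_denied, expired_token, invalid_grant ...
		return "", interval, true, fmt.Errorf("device flow: %s", tr.Error)
	}
}
// PollToken is the flow's second half: after the user code and verification URI were shown, poll until Advance stops.
func PollToken(tokenURL, clientID, deviceCode string, interval time.Duration) (string, error) {
	form := url.Values{"grant_type": {"urn:ietf:params:oauth:grant-type:device_code"}, "client_id": {clientID}, "device_code": {deviceCode}}
	for {
		time.Sleep(interval)
		resp, err := http.PostForm(tokenURL, form)
		if err != nil {
			return "", err
		}
		var tr tokenResp
		err = json.NewDecoder(resp.Body).Decode(&tr)
		resp.Body.Close()
		if err != nil {
			return "", err
		}
		token, next, done, err := Advance(tr, interval)
		if done {
			return token, err
		}
		interval = next
	}
}
```

The returned token is what a helper would then hand back to git on stdout in the credential protocol; how long it lives in git-credential-cache is a separate choice.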