From: M Hickford <mirth.hickford@gmail.com>
To: "brian m. carlson" <sandals@crustytoothpaste.net>,
M Hickford <mirth.hickford@gmail.com>,
git@vger.kernel.org, "peff@peff.net" <peff@peff.net>
Subject: Re: The enduring popularity of git-credential-store
Date: Sat, 12 Nov 2022 02:30:22 +0000
Message-ID: <CAGJzqskHSn973AaXLV3btAZistH0jH87JJbG1CabbDnLJBkRzA@mail.gmail.com>
In-Reply-To: <Y2rdw7RD8mGTF40w@tapette.crustytoothpaste.net>

On Tue, 8 Nov 2022 at 22:52, brian m. carlson
<sandals@crustytoothpaste.net> wrote:
>
> On 2022-11-08 at 10:50:33, M Hickford wrote:
> > Among StackOverflow users [1], git-credential-store appears several
> > times more popular than any other credential helper. Does this make
> > anyone else uneasy? The docs warn that git-credential-store "stores
> > your passwords unencrypted on disk" [2]. Are users sacrificing
> > security for convenience?
>
> I definitely think there are better approaches. However, none of the
> credential managers for the three major platforms work without a
> desktop environment, so if someone's logging in over SSH, then there's
> no more secure option that's going to work for them. Taylor did
> mention GCM, but I believe it has the same problem, and even if it
> didn't, it's written in C#, which isn't portable to many Unices and
> isn't viable on servers anyway due to dependencies.

On my headless Raspberry Pi, I use OAuth access tokens (generated by
GCM) stored in cache with a long timeout. The usability is pretty good
-- once per day I do the OAuth device flow [1] entering a code from
the Raspberry Pi into a device with a web browser [2].

GCM was indeed awkward to install on Linux arm64. I wrote
git-credential-oauth [3][4] in Go to be easier for Linux distros to
package.

[1] https://www.rfc-editor.org/rfc/rfc8628.html
> The OAuth 2.0 device authorization grant is designed for Internet-
> connected devices that either lack a browser to perform a user-agent-
> based authorization or are input constrained to the extent that
> requiring the user to input text in order to authenticate during the
> authorization flow is impractical. It enables OAuth clients on such
> devices (like smart TVs, media consoles, digital picture frames, and
> printers) to obtain user authorization to access protected resources
> by using a user agent on a separate device.
[2] https://github.com/login/device
[3] https://github.com/hickford/git-credential-oauth
[4] recent thread on git-credential-oauth
https://lore.kernel.org/git/CAGJzqs=+fCQzkDX53H8Mz-DjXicVVgRmmzPjkatSiOpYO7wGGA@mail.gmail.com/T/#u
[5] device flow support for git-credential-oauth
https://github.com/hickford/git-credential-oauth/pull/9
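
Added example (not part of the original message, and not code from git-credential-oauth or GCM): the client-side polling step of the RFC 8628 device flow mentioned above, in Go. The type names, the injected `post` and `sleep` parameters and the sample replies are assumptions made so the loop runs offline.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// DeviceAuth holds the RFC 8628 section 3.2 device authorization response fields used here.
type DeviceAuth struct {
	DeviceCode, UserCode, VerificationURI string
	ExpiresIn, Interval                   int // seconds
}

// TokenReply is one token endpoint reply: an access token or an RFC 8628 section 3.5 error code.
type TokenReply struct{ AccessToken, Error string }

// PollToken polls until the code is approved on another device; post and sleep are injected (hypothetical).
func PollToken(d DeviceAuth, post func(deviceCode string) TokenReply, sleep func(time.Duration)) (string, error) {
	interval := time.Duration(d.Interval) * time.Second
	if interval <= 0 {
		interval = 5 * time.Second // RFC 8628 default when "interval" is absent
	}
	deadline := time.Duration(d.ExpiresIn) * time.Second
	for waited := time.Duration(0); waited < deadline; {
		sleep(interval)
		waited += interval
		switch r := post(d.DeviceCode); r.Error {
		case "":
			return r.AccessToken, nil
		case "authorization_pending": // user has not finished yet: keep polling
		case "slow_down": // server asks for 5 more seconds between all later polls
			interval += 5 * time.Second
		default: // access_denied, expired_token or anything else is terminal
			return "", fmt.Errorf("device flow failed: %s", r.Error)
		}
	}
	return "", errors.New("device code expired before approval")
}

func main() {
	// Constructed replies standing in for a real token endpoint.
	replies := []TokenReply{{Error: "authorization_pending"}, {Error: "slow_down"}, {AccessToken: "example-token"}}
	i := 0
	post := func(string) TokenReply { r := replies[i]; i++; return r }
	d := DeviceAuth{DeviceCode: "dev-code", UserCode: "ABCD-1234", VerificationURI: "https://example.com/device", ExpiresIn: 900}
	fmt.Printf("On another device, visit %s and enter %s\n", d.VerificationURI, d.UserCode)
	fmt.Println(PollToken(d, post, func(time.Duration) {}))
}
```

The token returned here is what a helper would hand to git to keep in credential-cache, so nothing is written to disk unencrypted.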