How to give username/password to git clone in a script, but not store credentials in .git/config
Solution 1:
The method that I use is to actually use a git pull
instead of a clone. The script would look like:
mkdir repo
cd repo
git init
git config user.email "email"
git config user.name "user"
git pull https://user:[email protected]/name/repo.git master
This will not store your username or password in .git/config
. However, unless other steps are taken, the plaintext username and password will be visible while the process is running from commands that show current processes (e.g. ps
).
As brought up in the comments, since this method is using HTTPS you must URL-encode any special characters that may appear in your password as well.
One further suggestion I would make (if you can't use ssh) is to actually use an OAuth token instead of plaintext username/password as it is slightly more secure. You can generate an OAuth token from your profile settings: https://github.com/settings/tokens.
Then using that token the pull command would be
git pull https://$OAUTH_TOKEN:[email protected]/name/repo.git master
Solution 2:
IMO the best solution is using a custom GIT_ASKPASS
helper and deliver the password as another environment variable. So for example, create a file git-askpass-helper.sh
as:
#!/bin/sh
exec echo "$GIT_PASSWORD"
and then run git clone https://username@hostname/repo
with environment variables GIT_ASKPASS=/path/to/git-askpass-helper.sh
and GIT_PASSWORD=nuclearlaunchcodes
.
This has the advantage that the password won't be visible in the process list too.
Solution 3:
You can enter your connection creds in your ~/.netrc
file. Something along the lines of:
machine host.example.net
login bart
password eatmyshorts
Just make sure to chmod that file to 600. If you're using windows, the following link may be useful: https://stackoverflow.com/questions/6031214/git-how-to-use-netrc-file-on-windows-to-save-user-and-password
Personally, I have a tendency to use SSH keys for auth purposes (if you are allowed, of course).
Solution 4:
After going over dozens of SO posts, blogs, etc, I tried out every method, and this is what I came up with. It covers EVERYTHING.
See The Git Credentials & Private Packages Cheatsheet
These are all the ways and tools by which you can securely authenticate git to clone a repository without an interactive password prompt.
- SSH Public Keys
- SSH_ASKPASS
- API Access Tokens
- GIT_ASKPASS
- .gitconfig insteadOf
- .gitconfig [credential]
- .git-credentials
- .netrc
- Bonus: Works with Private Packages
- node / npm package.json
- python / pip / eggs requirements.txt
- ruby gems Gemfile
- golang go.mod
Best options for no plaintext storage
From what's asked here either SSH Keys, GIT_ASKPASS
, or git credential store
using the OS Keychain manager might be the best choice.
Since GIT_ASKPASS is probably the least understood of the 3, I'll detail that here - and the others are in the cheatsheet.
GIT_ASKPASS
How to create an GIT_ASKPASS
script:
echo 'echo $MY_GIT_TOKEN' > $HOME/.git-askpass
How to use it:
export MY_GIT_TOKEN=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
export GIT_ASKPASS=$HOME/.git-askpass
git clone https://[email protected]/project.git
The script receives stdin in the form of:
Password for 'scheme://host.tld':
The script receives Git ENVs such as:
GIT_DIR=/Users/me/project/.git
GIT_EXEC_PATH=/usr/local/Cellar/git/2.19.0_1/libexec/git-core
GIT_PREFIX=
More details in the cheatsheet.