How to give username/password to git clone in a script, but not store credentials in .git/config

Solution 1:

The method that I use is to actually use a git pull instead of a clone. The script would look like:

mkdir repo
cd repo
git init
git config user.email "email"
git config user.name "user"
git pull https://user:[email protected]/name/repo.git master

This will not store your username or password in .git/config. However, unless other steps are taken, the plaintext username and password will be visible while the process is running from commands that show current processes (e.g. ps).

As brought up in the comments, since this method is using HTTPS you must URL-encode any special characters that may appear in your password as well.

One further suggestion I would make (if you can't use ssh) is to actually use an OAuth token instead of plaintext username/password as it is slightly more secure. You can generate an OAuth token from your profile settings: https://github.com/settings/tokens.

Then using that token the pull command would be

git pull https://$OAUTH_TOKEN:[email protected]/name/repo.git master

Solution 2:

IMO the best solution is using a custom GIT_ASKPASS helper and deliver the password as another environment variable. So for example, create a file git-askpass-helper.sh as:

#!/bin/sh
exec echo "$GIT_PASSWORD"

and then run git clone https://[email protected]/repo with environment variables GIT_ASKPASS=/path/to/git-askpass-helper.sh and GIT_PASSWORD=nuclearlaunchcodes.

This has the advantage that the password won't be visible in the process list too.


Solution 3:

You can enter your connection creds in your ~/.netrc file. Something along the lines of:

machine host.example.net
login bart
password eatmyshorts

Just make sure to chmod that file to 600. If you're using windows, the following link may be useful: https://stackoverflow.com/questions/6031214/git-how-to-use-netrc-file-on-windows-to-save-user-and-password

Personally, I have a tendency to use SSH keys for auth purposes (if you are allowed, of course).


Solution 4:

After going over dozens of SO posts, blogs, etc, I tried out every method, and this is what I came up with. It covers EVERYTHING.

See The Git Credentials & Private Packages Cheatsheet

These are all the ways and tools by which you can securely authenticate git to clone a repository without an interactive password prompt.

  • SSH Public Keys
    • SSH_ASKPASS
  • API Access Tokens
    • GIT_ASKPASS
    • .gitconfig insteadOf
    • .gitconfig [credential]
    • .git-credentials
    • .netrc
  • Bonus: Works with Private Packages
    • node / npm package.json
    • python / pip / eggs requirements.txt
    • ruby gems Gemfile
    • golang go.mod

Best options for no plaintext storage

From what's asked here either SSH Keys, GIT_ASKPASS, or git credential store using the OS Keychain manager might be the best choice.

Since GIT_ASKPASS is probably the least understood of the 3, I'll detail that here - and the others are in the cheatsheet.

GIT_ASKPASS

How to create an GIT_ASKPASS script:

echo 'echo $MY_GIT_TOKEN' > $HOME/.git-askpass

How to use it:

export MY_GIT_TOKEN=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
export GIT_ASKPASS=$HOME/.git-askpass
git clone https://[email protected]/project.git

The script receives stdin in the form of:

Password for 'scheme://host.tld':

The script receives Git ENVs such as:

GIT_DIR=/Users/me/project/.git
GIT_EXEC_PATH=/usr/local/Cellar/git/2.19.0_1/libexec/git-core
GIT_PREFIX=

More details in the cheatsheet.

Tags:

Git