Configuring git Credentials

Last modified: February 7, 2021

1. Introduction

In recent years, git has seen a sharp rise in popularity over other SCM systems such as subversion. With the rise of free platforms such as GitHub and GitLab, it’s easier than ever to securely version and save our application code.

But constantly typing in credentials can be cumbersome, and it makes it hard to create automated CI/CD pipelines. So in this tutorial, we’ll look at how to configure git credentials to avoid having to enter them manually.

2. Inputting Credentials

Whenever a remote connection requires authentication, git has several ways to look for credentials to use.

Let’s start with the basics, in which no credentials have been configured. If git needs a username and password to access a remote connection, it takes the following steps to prompt the user for input.

First, it tries to invoke an application that allows the users to input credentials. The following values are checked (in order) to determine the application to use:

  • GIT_ASKPASS environment variable
  • core.askPass configuration variable
  • SSH_ASKPASS environment variable

If any of these are set, the application is invoked, and the user’s input is read from its standard output.

If none of these values are set, git reverts to prompting the user for input on the command line.

3. Storing Credentials

Typing in usernames and passwords can be tedious, especially when committing code frequently throughout the day. Typing in passwords manually is error-prone and also makes it difficult to create automated pipelines.

To help with this, git provides several ways to store usernames and passwords. We’ll look at each way in the following sections.

3.1. Username and Password in URLs

Some git providers allow embedding username and password together in the repository URL. This can be done when we clone the repository:

git clone https://<username>:<password>@gitlab.com/group/project.git

Keep in mind that if the password has special characters, they will need to be escaped to prevent the shell from trying to interpret them.

Alternatively, we can edit the git config file inside the repository to include the username and password:

url = https://<username>:<password>@gitlab.com/group/project.git

Either way, remember that the username and password are stored in plain text, so anyone with access to the repository would be able to see them.
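
To find repositories where this has already happened, the following added example (not from the original tutorial) scans a git config file for remote URLs that carry a password and prints them redacted. The function names, host, user and token are constructed for illustration.

```shell
#!/bin/sh
# Added example: list remote URLs in a git config file that embed a password,
# with the secret redacted. find_url_credentials is a hypothetical name.
find_url_credentials() {
    # Matches "url = scheme://user:password@host/..." (and pushurl). URLs with
    # no ":password" part, such as ssh://git@host/..., are not reported.
    sed -n -E \
        's#^[[:space:]]*(push)?url[[:space:]]*=[[:space:]]*([a-zA-Z][a-zA-Z0-9+.-]*://[^:/@[:space:]]+):[^@/[:space:]]+@#\2:<redacted>@#p' \
        "$1"
}

# Constructed sample config; host, user and token are made up.
write_sample_config() {
    cat > "$1" <<'EOF'
[remote "origin"]
    url = https://alice:s3cr3t-token@gitlab.example/group/project.git
    fetch = +refs/heads/*:refs/remotes/origin/*
[remote "mirror"]
    url = git@gitlab.example:group/project.git
[remote "docs"]
    url = https://gitlab.example:8443/group/docs.git
EOF
}

# With a path argument, scan that file (e.g. .git/config); otherwise run on
# the constructed sample.
if [ "$#" -gt 0 ]; then
    find_url_credentials "$1"
else
    sample=$(mktemp)
    write_sample_config "$sample"
    find_url_credentials "$sample"
    rm -f "$sample"
fi
```

A hit means the password is readable in the config file; replacing the URL with a credential-free one via git remote set-url and letting a credential helper supply the secret removes it.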

3.2. Credential Contexts

Git also allows configuring credentials per context. The following command will configure a specific git context to use a specific username:

git config --global credential.https://github.com.username <your_username>

Alternatively, we can directly edit our global git config file. This is typically found in our home directory in a file named .gitconfig, and we would add the following lines:

[credential "https://github.com"]
	username = <username>

This method is also insecure because the username is stored in plain text. It also doesn’t allow storing passwords, so git will continue to prompt for them.

4. Credential Helpers

Git provides credential helpers to save credentials more securely. Credential helpers can store data in multiple ways and even integrate with 3rd party systems like password keychains.

Out of the box, git provides 2 basic credential helpers:

  • Cache: credentials stored in memory for short durations
  • Store: credentials stored indefinitely on disk

We’ll look at each one next.

4.1. Cache Credential Helper

The cache credential helper can be configured as follows:

git config credential.helper cache

The cache credential helper never writes credentials to disk, although the credentials are accessible using Unix sockets. These sockets are protected using file permissions that are limited to the user who stored them, so generally speaking, they are secure.

We can also provide a timeout argument when configuring the cache credential helper. This allows us to control how long the credentials remain in memory:

git config credential.helper 'cache --timeout=86400'

This keeps credentials in memory for 1 day after we enter them.

4.2. Store Credential Helper

The store credential helper indefinitely saves credentials to a file. We can configure the store credential helper as follows:

git config credential.helper store

While the file contents are not encrypted, they are protected by file system access controls that restrict access to the user who created the file.

By default, the file is stored in the user’s home directory. We can override the file location by passing a file argument to the command:

git config credential.helper 'store --file=/full/path/to/.git_credentials'

4.3. Custom Credential Helpers

Beyond the two default credential helpers mentioned above, it is possible to configure custom helpers. These allow us to do more sophisticated credential management by delegating to 3rd party applications and services.

Creating custom credential helpers is not something most users will need to worry about. However, there are several reasons they can be helpful:

  • Integrate with Operating System tools such as Keychain on macOS
  • Incorporate existing corporate authentication schemes such as LDAP or Active Directory
  • Provide additional security mechanisms such as two-factor authentication
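
A custom helper is a program that git runs with an action argument (get, store or erase), passing credential attributes as key=value lines on standard input. The following added example (not from the original tutorial) is a read-only helper for CI that hands out a token from the environment only for one HTTPS host; the EXAMPLE_GIT_* variable names, the ci-bot user and gitlab.example are assumptions.

```shell
#!/bin/sh
# Added example of a read-only custom credential helper. The EXAMPLE_GIT_*
# variables and gitlab.example are assumptions, not part of git.
# Install (path is a placeholder):
#   git config --global credential.https://gitlab.example.helper /path/to/this-script
credential_helper() {
    action=$1
    protocol='' host=''
    # git sends attributes as key=value lines, ended by a blank line or EOF.
    while IFS= read -r line && [ -n "$line" ]; do
        case $line in
            protocol=*) protocol=${line#protocol=} ;;
            host=*)     host=${line#host=} ;;
        esac
    done
    # Nothing is persisted here, so "store" and "erase" are no-ops.
    [ "$action" = get ] || return 0
    # Release the token only over HTTPS and only to the expected host.
    [ "$protocol" = https ] || return 0
    [ "$host" = "${EXAMPLE_GIT_HOST:-gitlab.example}" ] || return 0
    [ -n "${EXAMPLE_GIT_TOKEN:-}" ] || return 0
    printf 'username=%s\npassword=%s\n' \
        "${EXAMPLE_GIT_USER:-ci-bot}" "$EXAMPLE_GIT_TOKEN"
}

# Constructed request in the form git writes to the helper's stdin.
sample_request() { printf 'protocol=https\nhost=%s\n\n' "$1"; }

if [ "$#" -gt 0 ]; then
    credential_helper "$@"      # invoked by git as: helper get|store|erase
else
    EXAMPLE_GIT_TOKEN=constructed-token   # demo value only
    sample_request gitlab.example | credential_helper get
fi
```

When the helper prints nothing for get, git moves on to the next configured helper or falls back to prompting, so a request for any other host never sees the token.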

5. SSH Keys

Most modern git servers provide a way to access repositories using SSH keys instead of username and password over HTTPS. SSH keys are harder to guess than a password and can easily be revoked if they become compromised.

The main downside to using SSH is that it uses non-standard ports. Some networks or proxies may block these ports, making communication with the remote server impossible. SSH also requires additional steps to set up SSH keys on both the server and client, which can be cumbersome in large organizations.

The easiest way to enable SSH for a git repository is to use ssh for the protocol when cloning it:

git clone git@gitlab.com:group/project.git

For an existing repository, we can update the remote with the following command:

git remote set-url origin git@gitlab.com:group/project.git

The process for configuring SSH keys varies slightly for each git server. In general, the steps are:

  • Generate a compatible public/private key combination on your machine
  • Upload the public key to your git server

Most Unix/Linux users will already have an SSH key pair created and configured in their home directory and can simply upload the existing public key. As a reminder, we should never upload or otherwise share our private key.

6. Conclusion

In this tutorial, we have seen various ways to configure git credentials. The most common way is to use the built-in credential helper to store credentials locally in memory or a file on disk. A more sophisticated and secure way to store credentials is by using SSH, although this can be more complex and may not work on all networks.
