On Tue, Apr 02, 2013 at 04:05:51PM -0400, Jeff King wrote:
> On Tue, Apr 02, 2013 at 10:47:51PM +0300, Mikko Rapeli wrote:
> > Don't know anything about curl but maybe git could parse the url for a
> > username and prompt for the password before the first 401 failure roundtrip
> > that's now in place. I guess most of this logic is in http.c.
> We used to do that but stopped, as curl might also be able to retrieve
> the password from .netrc; the extra prompt was an annoyance to users
> in this situation.

Ok, I think I've seen this before and ended up storing passwords in .netrc.

> Now that we have the credential subsystem, I would recommend dropping
> usernames from all git-over-http URLs, and either:
>   1. Using a credential helper that supports secure long-term storage
>      (osxkeychain, wincred, etc).
>   2. Specifying the username to the credential subsystem explicitly, by
>      putting something like:
>        [credential "https://yourhost/";]
>               username = yourusername
>      in your git config.
> Obviously (1) is nicer, but you may have corporate policies against
> storing credentials. Or you may have a complicated single sign-on
> procedure, where the password changes. In that case, I would still say
> it is worth writing a custom helper script that can feed the temporary
> credential to git.

Thanks, I'll have a look at these helpers. Policies we may have but in
practice I think many just store plaintext passwords in giturls, which
is obviously the worst case, but it works against accidental typos in
the password prompt (though blows up when the mandatory password change
comes along).

To unsubscribe from this list: send the line "unsubscribe git" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Reply via email to