NAME
gitcredentials - Providing usernames and passwords to Git
SYNOPSIS
git config credential.https://example.com.username myusername
git config credential.helper "$helper $options"
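DESCRIPTION
Git will sometimes need credentials from the user in order to perform operations; for example, it may need to ask for a username and password in order to access a remote repository over HTTP. Some remotes accept a personal access token or OAuth access token as a password. This manual describes the mechanisms Git uses to request these credentials, as well as some features to avoid inputting these credentials repeatedly.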
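REQUESTING CREDENTIALS
Without any credential helpers defined, Git will try the following strategies to ask the user for usernames and passwords:
1. If the GIT_ASKPASS environment variable is set, the program specified by the variable is invoked. A suitable prompt is provided to the program on the command line, and the user's input is read from its standard output.
2. Otherwise, if the core.askPass configuration variable is set, its value is used as above.
3. Otherwise, if the SSH_ASKPASS environment variable is set, its value is used as above.
4. Otherwise, the user is prompted on the terminal.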
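AVOIDING REPETITION
It can be cumbersome to input the same credentials over and over. Git provides two methods to reduce this annoyance:
1. Static configuration of usernames for a given authentication context.
2. Credential helpers to cache or store passwords, or to interact with a system password wallet or keychain.
The first is simple and appropriate if you do not have secure storage available for a password. It is generally configured by adding this to your config: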
[credential "https://example.com"]
username = me
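Credential helpers, on the other hand, are external programs from which Git can request both usernames and passwords; they typically interface with secure storage provided by the OS or other programs. Alternatively, a credential-generating helper might generate credentials for certain servers via some API.
To use a helper, you must first select one to use. Git currently includes the following helpers:
cache
Cache credentials in memory for a short period of time. See git-credential-cache[1] for details.
store
Store credentials indefinitely on disk. See git-credential-store[1] for details.
You may also have third-party helpers installed; search for credential-* in the output of git help -a, and consult the documentation of individual helpers. Once you have selected a helper, you can tell Git to use it by putting its name into the credential.helper variable.
1. Find a helper.
$ git help -a | grep credential-
credential-foo
2. Read its description.
$ git help credential-foo
3. Tell Git to use it.
$ git config --global credential.helper foo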
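Available helpers
The community maintains a comprehensive list of Git credential helpers on the "Git credential helpers" page.
OAuth
An alternative to inputting passwords or personal access tokens is to use an OAuth credential helper. Initial authentication opens a browser window to the host. Subsequent authentication happens in the background. Many popular Git hosts support OAuth.
CREDENTIAL CONTEXTS
Git considers each credential to have a context defined by a URL. This context is used to look up context-specific configuration, and is passed to any helpers, which may use it as an index into secure storage.
For instance, imagine we are accessing https://example.com/foo.git. When Git looks into a config file to see if a section matches this context, it will consider the two a match if the context is a more-specific subset of the pattern in the config file. For example, if you have this in your config file: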
[credential "https://example.com"]
username = foo
then we will match: both protocols are the same, both hosts are the same, and the "pattern" URL does not care about the path component at all. However, this context would not match:
[credential "https://kernel.org"]
username = foo
because the hostnames differ. Nor would it match foo.example.com; Git compares hostnames exactly, without considering whether two hosts are part of the same domain. Likewise, a config entry for http://example.com would not match: Git compares the protocols exactly. However, you may use wildcards in the domain name and other pattern matching techniques as with the http.<url>.* options.
If the "pattern" URL does include a path component, then this too must match exactly: the context https://example.com/bar/baz.git will match a config entry for https://example.com/bar/baz.git (in addition to matching the config entry for https://example.com) but will not match a config entry for https://example.com/bar.
CONFIGURATION OPTIONS
Options for a credential context can be configured either in credential.* (which applies to all credentials), or credential.<url>.*, where <url> matches the context as described above.
The following options are available in either location:
helper
The name of an external credential helper, and any associated options. If the helper name is not an absolute path, then the string git credential- is prepended. The resulting string is executed by the shell (so, for example, setting this to foo --option=bar will execute git credential-foo --option=bar via the shell). See the manual of specific helpers for examples of their use.
If there are multiple instances of the credential.helper configuration variable, each helper will be tried in turn, and may provide a username, password, or nothing. Once Git has acquired both a username and a non-expired password, no more helpers will be tried.
If credential.helper is configured to the empty string, this resets the helper list to empty (so you may override a helper set by a lower-priority config file by configuring the empty-string helper, followed by whatever set of helpers you would like).
username
A default username, if one is not provided in the URL.
useHttpPath
By default, Git does not consider the "path" component of an http URL to be worth matching via external helpers. This means that a credential stored for https://example.com/foo.git will also be used for https://example.com/bar.git. If you do want to distinguish these cases, set this option to true.
CUSTOM HELPERS
You can write your own custom helpers to interface with any system in which you keep credentials.
Credential helpers are programs executed by Git to fetch or save credentials from and to long-term storage (where "long-term" is simply longer than a single Git process; e.g., credentials may be stored in-memory for a few minutes, or indefinitely on disk).
Each helper is specified by a single string in the configuration variable credential.helper (and others, see git-config[1]). The string is transformed by Git into a command to be executed using these rules:
1. If the helper string begins with "!", it is considered a shell snippet, and everything after the "!" becomes the command.
2. Otherwise, if the helper string begins with an absolute path, the verbatim helper string becomes the command.
3. Otherwise, the string "git credential-" is prepended to the helper string, and the result becomes the command.
The resulting command then has an "operation" argument appended to it (see below for details), and the result is executed by the shell.
Here are some example specifications:
# run "git credential-foo"
[credential]
helper = foo
# same as above, but pass an argument to the helper
[credential]
helper = "foo --bar=baz"
# the arguments are parsed by the shell, so use shell
# quoting if necessary
[credential]
helper = "foo --bar='whitespace arg'"
# you can also use an absolute path, which will not use the git wrapper
[credential]
helper = "/path/to/my/helper --with-arguments"
# or you can specify your own shell snippet
[credential "https://example.com"]
username = your_user
helper = "!f() { test \"$1\" = get && echo \"password=$(cat $HOME/.secret)\"; }; f"
Generally speaking, rule (3) above is the simplest for users to specify. Authors of credential helpers should make an effort to assist their users by naming their program "git-credential-$NAME", and putting it in the $PATH or $GIT_EXEC_PATH during installation, which will allow a user to enable it with git config credential.helper $NAME.
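The three transformation rules, together with the empty-string reset described under CONFIGURATION OPTIONS, can be used to audit which commands a configuration will actually run. The following is an added example, not code from Git or from this manual; the function names and the sample values are constructed, and absolute paths are assumed to be POSIX-style.

```python
import posixpath

def helper_command(helper, operation):
    """Apply the three rules to one credential.helper value."""
    if helper.startswith("!"):
        kind, command = "shell-snippet", helper[1:]
    elif posixpath.isabs(helper):  # assumption: POSIX-style paths
        kind, command = "absolute-path", helper
    else:
        kind, command = "git-wrapper", "git credential-" + helper
    # The operation is appended and the result is run by the shell.
    return kind, command + " " + operation

def effective_helpers(values):
    """Collapse config values in priority order; '' resets the list."""
    active = []
    for value in values:
        if value == "":
            active = []
        else:
            active.append(value)
    return active

def audit(values, operation="get"):
    """List (kind, command) for every helper Git would try, in order."""
    return [helper_command(v, operation) for v in effective_helpers(values)]

# Constructed sample, in the order `git config --get-all credential.helper`
# prints values (lowest-priority file first).
SAMPLE_VALUES = [
    "store",
    "",
    "foo --bar=baz",
    "/path/to/my/helper --with-arguments",
    '!f() { test "$1" = get && echo "password=$(cat $HOME/.secret)"; }; f',
]

if __name__ == "__main__":
    for kind, command in audit(SAMPLE_VALUES):
        print(f"{kind:14} {command}")
```

Entries reported as shell-snippet deserve the closest review, since everything after the "!" is handed to the shell as written.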
When a helper is executed, it will have one "operation" argument appended to its command line, which is one of:
get
Return a matching credential, if any exists.
store
Store the credential, if applicable to the helper.
erase
Remove matching credentials, if any, from the helper's storage.
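The details of the credential will be provided on the helper's stdin stream. The exact format is the same as the input/output format of the git credential plumbing command (see the section INPUT/OUTPUT FORMAT in git-credential[1] for a detailed specification).
For a get operation, the helper should produce a list of attributes on stdout in the same format (see git-credential[1] for common attributes). A helper is free to produce a subset, or even no values at all if it has nothing useful to provide. Any provided attributes will overwrite those already known about by Git's credential subsystem. Unrecognised attributes are silently discarded.
While it is possible to override all attributes, well-behaved helpers should refrain from doing so for any attribute other than username and password.
If a helper outputs a quit attribute with a value of true or 1, no further helpers will be consulted, nor will the user be prompted (if no credential has been provided, the operation will then fail).
Similarly, no more helpers will be consulted once both username and password have been provided.
For a store or erase operation, the helper's output is ignored.
If a helper fails to perform the requested operation or needs to notify the user of a potential issue, it may write to stderr.
If it does not support the requested operation (e.g., a read-only store or generator), it should silently ignore the request.
If a helper receives any other operation, it should silently ignore the request. This leaves room for future operations to be added (older helpers will just ignore the new requests).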
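A read-only helper that follows the rules above, as an added example (not code from Git or from this manual): it answers get from a store indexed by the credential context (protocol and host) and silently ignores every other operation. The store contents, the function names, and the username-mismatch and newline checks are assumptions of this example; the key=value input format is the one git-credential[1] specifies.

```python
import sys

# Constructed sample store keyed by context: (protocol, host).
# A real helper would query a keychain or vault here instead.
SAMPLE_STORE = {("https", "example.com"): ("alice", "constructed-token")}

def parse_attributes(text):
    """Parse key=value lines; a blank line ends the description."""
    attrs = {}
    for line in text.split("\n"):
        if line == "":
            break
        key, sep, value = line.partition("=")
        if not sep or not key:
            raise ValueError("malformed attribute line: %r" % line)
        attrs[key] = value
    return attrs

def handle(operation, stdin_text, store=SAMPLE_STORE):
    """Return what a read-only helper writes to stdout for one call."""
    if operation != "get":
        return ""  # store, erase and unknown operations: silently ignore
    attrs = parse_attributes(stdin_text)
    entry = store.get((attrs.get("protocol"), attrs.get("host")))
    if entry is None:
        return ""  # nothing useful to provide; Git tries the next helper
    username, password = entry
    if attrs.get("username", username) != username:
        return ""  # Git already has a different username for this context
    if any(c in v for v in entry for c in "\n\0"):
        sys.stderr.write("refusing to emit value with newline or NUL\n")
        return ""
    # Emit only username and password; leave protocol and host alone.
    return "username=%s\npassword=%s\n" % (username, password)

def main(argv):
    operation = argv[1] if len(argv) > 1 else ""
    sys.stdout.write(handle(operation, sys.stdin.read()))
    return 0

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```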
GIT
Part of the git[1] suite