0

I'm on a project where I must use git only over HTTPS. Due to a security restriction, I am not allowed to use SSH keys.

On my development machine, I successfully used libsecret following this method:

sudo apt-get install libsecret-1-0 libsecret-1-dev
cd /usr/share/doc/git/contrib/credential/libsecret
sudo make
git config --global credential.helper /usr/share/doc/git/contrib/credential/libsecret/git-credential-libsecret

Every time I entered a new username/password pair from my Node.js app, libsecret registered them for the next time.

All worked fine until I started to deploy on a VM using Ubuntu Server 20.04. Now, when I enter git credentials, I get the following error message:

lookup failed: GDBus.Error:org.freedesktop.DBus.Error.ServiceUnknown: The name org.freedesktop.secrets was not provided by any .service files

The installation was fine, the libsecret process is running, but the keyring files are missing. It seems there is no connection with git, even though libsecret is listed as a helper in the gitconfig file.

Can anyone help me use a proper secure solution?

asked Jan 10, 2022 at 13:52
4
  • You misunderstood what libsecret does. It doesn't store passwords in git securely. This helper stores your git password. Commented Jan 10, 2022 at 13:59
  • "For security restriction, I am not allowed to use ssh keys." - that's strange. From what I understand, ssh key auth is not any less secure than username/password auth. Commented Jan 10, 2022 at 14:01
  • 1
    In fact, ssh is more secure. So the "security restriction" is actually an insecurity restriction. They are forcing you to be more insecure. Commented Jan 10, 2022 at 14:06
  • 1
    Depending on where your central repository is, you might be able to manage SSH keys. For instance, in Azure DevOps, you can create a Personal Access Token that expires after a certain amount of time. Other services might allow you to do the same with SSH keys. This gives you a "kill switch" in case a key gets compromised. Commented Jan 10, 2022 at 14:26

1 Answer

1

The libsecret helper generally requires a desktop environment to provide the secret service, and on systems where there is no desktop environment running, there will be no secret service available. As a result, you'll need to use a different credential helper, such as store, if you want to use HTTPS.

However, note that store puts the data on disk unencrypted, so it is not very secure. Using an SSH key is much more secure, because you can forward your agent over to the remote system and perform Git operations, but not leave any credentials on the remote system. You should contact your network administrator and inquire about why this restriction is in place and ask if it can be removed. If it is because you use a TLS MITM proxy, note that the Git developers (and the TLS working group) recommend against that for security and functionality reasons.

If you want a secure approach and cannot use SSH, then you'll have to store the token in a local password manager, such as 1Password, and copy and paste it into the terminal prompt each time.

answered Jan 10, 2022 at 22:15
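
To illustrate the answer's point that store keeps the data on disk unencrypted, here is an added example (not part of the original answer): a shell audit that lists which hosts and usernames have a plaintext secret in a store-format credential file and flags loose file permissions. The sample file is constructed and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit a credential file written by git's "store" helper.
# Store format: one URL per line, e.g. https://user:secret@host
# Default locations: ~/.git-credentials and
# ${XDG_CONFIG_HOME:-$HOME/.config}/git/credentials

# Print "host user" for each entry that embeds a secret; the secret
# itself is never printed.
list_stored_secrets() {
    sed -n -E 's#^[a-z]+://([^:/@]+):[^@]+@([^/]+).*$#\2 \1#p' "$1"
}

# Return 0 if only the owner has any permission bits on the file.
is_owner_only() {
    case "$(ls -ld "$1")" in
        ????------*) return 0 ;;
        *)           return 1 ;;
    esac
}

# Print findings for one file; return the number of problems (0 = clean).
audit_store_file() {
    f=$1
    problems=0
    [ -f "$f" ] || return 0
    n=$(list_stored_secrets "$f" | wc -l | tr -d ' ')
    if [ "$n" -gt 0 ]; then
        echo "$f: $n plaintext credential(s) for:"
        list_stored_secrets "$f" | sed 's/^/  /'
        problems=$((problems + 1))
    fi
    if ! is_owner_only "$f"; then
        echo "$f: group or others have access"
        problems=$((problems + 1))
    fi
    return "$problems"
}

# Constructed sample input (not real credentials) in the store format.
demo=$(mktemp -d)
printf '%s\n' \
    'https://deploy-bot:CONSTRUCTED-TOKEN-123@git.example.com' \
    'https://alice:p%40ss@code.example.org:8443' > "$demo/git-credentials"
chmod 644 "$demo/git-credentials"

audit_store_file "$demo/git-credentials" || echo "problems found: $?"
rm -rf "$demo"
```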