I'm on a project where I must use Git over HTTPS only. For security restriction, I am not allowed to use ssh keys.
On my development machine, I successfully used libsecret following this method:
sudo apt-get install libsecret-1-0 libsecret-1-dev
cd /usr/share/doc/git/contrib/credential/libsecret
sudo make
git config --global credential.helper /usr/share/doc/git/contrib/credential/libsecret/git-credential-libsecret
Every time I entered a new username/password pair from my Node.js app, libsecret registered it for the next time.
All worked fine until I started to deploy on a VM running Ubuntu Server 20.04. Now, when I enter git credentials, I get the following error message:
lookup failed: GDBus.Error:org.freedesktop.DBus.Error.ServiceUnknown: The name org.freedesktop.secrets was not provided by any .service files
The installation was fine, the libsecret process is running, but the keyring files are missing. It seems there is no connection with git, even though libsecret is listed as the helper in the gitconfig file.
Can anyone help me to use a proper secure solution?
- You misunderstood what libsecret does. It doesn't store passwords in git securely. This helper stores your git password. – Sergio Tulentsev, Jan 10, 2022 at 13:59
- "For security restriction, I am not allowed to use ssh keys." - that's strange. From what I understand, ssh key auth is not any less secure than username/password auth. – Sergio Tulentsev, Jan 10, 2022 at 14:01
- In fact, ssh is more secure. So the "security restriction" is actually an insecurity restriction. They are forcing you to be more insecure. – matt, Jan 10, 2022 at 14:06
- Depending on where your central repository is, you might be able to manage SSH keys. For instance, in Azure DevOps, you can create a Personal Access Token that expires after a certain amount of time. Other services might allow you to do the same with SSH keys. This gives you a "kill switch" in case a key gets compromised. – Greg Burghardt, Jan 10, 2022 at 14:26
1 Answer
The libsecret helper generally requires a desktop environment to provide the secret service, and on systems where there is no desktop environment running, there will be no secret service available. As a result, you'll need to use a different credential helper, such as store, if you want to use HTTPS.
However, note that store puts the data on disk unencrypted, so it is not very secure. Using an SSH key is much more secure, because you can forward your agent over to the remote system and perform Git operations, but not leave any credentials on the remote system. You should contact your network administrator and inquire about why this restriction is in place and ask if it can be removed. If it is because you use a TLS MITM proxy, note that the Git developers (and the TLS working group) recommend against that for security and functionality reasons.
If you want a secure approach and cannot use SSH, then you'll have to store the token in a local password manager, such as 1Password, and copy and paste it into the terminal prompt each time.
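The caveat above that store keeps credentials unencrypted on disk, shown as an added example (not part of the original answer): a shell audit that reports a store file's permission bits and lists its entries with the passwords masked. The one-URL-per-line format and the `~/.git-credentials` default path reflect how Git's store helper behaves; the function names and sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a git credential "store" file without echoing secrets.
# Assumed format: one URL per line, scheme://user:password@host

# Permission bits in octal (GNU stat, then BSD stat as fallback).
cred_file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Succeeds only when group and other have no access (600, 400, ...).
cred_file_is_private() {
    mode=$(cred_file_mode "$1") || return 2
    case "$mode" in
        0|*00) return 0 ;;
        *)     return 1 ;;
    esac
}

# Entries with the password masked: scheme://user:***@host
cred_file_entries() {
    sed -n -E 's#^([A-Za-z][A-Za-z0-9+.-]*://[^:/@]*):[^@]*@(.*)$#\1:***@\2#p' "$1"
}

# Number of entries that hold a plaintext password.
cred_file_count() {
    cred_file_entries "$1" | wc -l | tr -d ' '
}

audit_cred_file() {
    f=${1:-$HOME/.git-credentials}   # default location used by the store helper
    [ -f "$f" ] || { echo "no store file at $f"; return 0; }
    if cred_file_is_private "$f"; then
        echo "mode $(cred_file_mode "$f"): owner-only"
    else
        echo "mode $(cred_file_mode "$f"): readable beyond the owner; chmod 600 \"$f\""
    fi
    echo "$(cred_file_count "$f") plaintext credential(s) on disk:"
    cred_file_entries "$f"
}

# Constructed sample data (not real credentials), audited in a temp file.
sample=$(mktemp)
printf '%s\n' 'https://alice:s3cr3t-token@git.example.com' \
              'https://ci-bot:p%40ss@dev.example.org' > "$sample"
chmod 644 "$sample"; audit_cred_file "$sample"
chmod 600 "$sample"; audit_cred_file "$sample"
rm -f "$sample"
```

Owner-only permissions limit who can read the file but do not encrypt it; anyone with access to the account or a backup of the disk still sees the credentials.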