Jeff King venit, vidit, dixit 04.10.2011 12:50: > On Tue, Oct 04, 2011 at 12:19:59PM +0200, Michael J Gruber wrote: > >> But Git calls the askpass helper with a command line like >> /usr/bin/ksshaskpass Username for 'bitbucket.org': >> and once again with >> /usr/bin/ksshaskpass Password for 'bitbucket.org': >> So far so good. >> >> But when asked to store the credentials in the KDE wallet, ksshaskpass >> tries (too) hard to guess a good key from that line. And for both >> invocations, it comes up with the same key (the URL), so that when the >> password info is needed, the username info from the wallet is returned. >> Authentication fails. >> Far from good. > > Neat. I didn't know ksshaskpass would do that. I wondered for a minute > if all of the credential helper stuff could have gone through the > askpass interface. But I don't think so. Don't worry ;) > One problem is that the askpass interface only lets us ask for one thing > at a time. So even with your clever hack, it will end up storing two > separate keys: Username@host and Password@host. But it has no idea > they're connected. So if you store "user1 / pass1", then try to push to > "user2@host", we would silently use the password for user1. > > On top of that, there isn't much contextual information. I guess they > assumed the guessing would be used for "ssh". But it means that a stored > ssh password could potentially be used for git, and vice versa. I guess > you could get around that by making the host field longer and more > descriptive (i.e., a full url). I think it's really meant for ssh keys only, where the keyid identifies the key uniquely. Still, ksshaskpass's trying to guess a unique key from the prompt text seems quite hackish to me. But many people will have a Git without credential-helpers, and a KDE default setup, so hope my post helps someone besides myself. Note that git-credentials-askpass would have a fair chance of doing better: credential_askpass() knows the username and could pass it to credential_ask_one(), e.g. by amending the description field, or setting the first field to "Password for user %(user)". Do you think that would be worth deviating from the default behavior (i.e. compared to no helper)? Cheers, Michael -- To unsubscribe from this list: send the line "unsubscribe git" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html