On Fri, Apr 06, 2012 at 09:12:39PM -0700, Shawn O. Pearce wrote: > On Fri, Apr 6, 2012 at 20:34, Jeff King <peff@xxxxxxxx> wrote: > > 2. If you use a time-based storage helper like > > "git-credential-cache", every time you run a git > > command which uses the credential, it will also > > re-insert the credential after use, freshening the > > cache timestamp. So the cache will eventually expire N > > time units after the last _use_, not after the time the > > user actually typed the password. This is probably not > > what most users expect or want (and if they do, we > > should do it explicitly by providing an option to > > refresh the timestamp on use). > > So if I use the cache helper, and its set to expire at the default of > 15 minutes, I have to type my password in every 15 minutes, even if I > am doing a Git operation roughly every 8 minutes during a work day? Yes. It's less convenient, but safer and more predictable (you put your password in at 2:30, it's gone at 2:45). Keep in mind that you can also bump the cache time. And like I said, if we do want have it behave the other way, that's OK, but it should be explicit (and it can be optional, even if it defaults to auto-refresh on use). Or you could even do something more complex. gpg-agent will refresh the timestamp on use, but still has a "max ttl" that drops a credential N seconds after it was input, even if it was used recently. But making any decision like that means that the daemon needs to actually know whether the timestamp came from the user, or whether it was simply accessed and regurgitated to us. > This breaks one of my credential helpers. > > I have a helper that generates a password by asking a remote system to > generate a short lived password based on other authentication systems > that I can't describe. Once I have that password, its good for $X > time. > > The helper just dumps it out to Git, and Git turns around and stores > it into the cache for me. This means later requests will keep that > credential in the cache, and avoid making that remote system call > every time I do a Git network command. I considered your use case when writing the patch and thought "no, that's too insane. Nobody would want that." But leave it to you to prove me wrong. :) I'm torn. What you are doing is totally reasonable for your case. At the same time, having it happen without the user's knowledge could have surprising security implications, because you're leaking passwords from one helper to the other (in the example in the commit message, I mentioned a high-security helper followed by "cache". Which is probably not that bad. But imagine if it were "store"). > I guess I now need to change my helper to cache git credential-cache > itself and store the password into the cache if it wants to use the > cache? That's one option, though it is a little bit of a pain to implement (not hard, but not one line of code). It would be very easy to add a "credential.storeHelperCredentials" option that defaulted to off (that name is horrible, but you get the point). > Should we update the credential helper documentation at the same time > as this change to make it clear Git won't cache passwords returned > from helpers, but a helper could call the credential-cache itself if > it wanted to reuse the existing cache service? Yeah, I'll add a documentation update when I re-roll; but we first need to figure out what the recommended course of action is. One thing I don't like about having your helper call credential-cache is that it is a layering violation; it is only guessing that putting the data into credential-cache will be useful in the first place. But that depends on the user's config. It could have be using an alternative caching helper (or none at all). So I think an explicit "it's OK to leak credentials between helpers" flag is our best bet. And it's dirt simple to code. -Peff -- To unsubscribe from this list: send the line "unsubscribe git" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html