On Tue, 8 Nov 2022 at 22:52, brian m. carlson <sandals@xxxxxxxxxxxxxxxxxxxx> wrote:
>
> On 2022-11-08 at 10:50:33, M Hickford wrote:
> > Among StackOverflow users [1], git-credential-store appears several
> > times more popular than any other credential helper. Does this make
> > anyone else uneasy? The docs warn that git-credential-store "stores
> > your passwords unencrypted on disk" [2]. Are users sacrificing
> > security for convenience?
>
> I definitely think there are better approaches. However, none of the
> credential managers for the three major platforms work without a
> desktop environment, so if someone's logging in over SSH, then there's
> no more secure option that's going to work for them. Taylor did
> mention GCM, but I believe it has the same problem, and even if it
> didn't, it's written in C#, which isn't portable to many Unices and
> isn't viable on servers anyway due to dependencies.

On my headless Raspberry Pi, I use OAuth access tokens (generated by
GCM) stored in cache with a long timeout. The usability is pretty good
-- once per day I do the OAuth device flow [1] entering a code from the
Raspberry Pi into a device with a web browser [2].

GCM was indeed awkward to install on Linux arm64. I wrote
git-credential-oauth [3][4] in Go to be easier for Linux distros to
package.

[1] https://www.rfc-editor.org/rfc/rfc8628.html

> The OAuth 2.0 device authorization grant is designed for Internet-
> connected devices that either lack a browser to perform a user-agent-
> based authorization or are input constrained to the extent that
> requiring the user to input text in order to authenticate during the
> authorization flow is impractical. It enables OAuth clients on such
> devices (like smart TVs, media consoles, digital picture frames, and
> printers) to obtain user authorization to access protected resources
> by using a user agent on a separate device.

[2] https://github.com/login/device
[3] https://github.com/hickford/git-credential-oauth
[4] recent thread on git-credential-oauth
https://lore.kernel.org/git/CAGJzqs=+fCQzkDX53H8Mz-DjXicVVgRmmzPjkatSiOpYO7wGGA@xxxxxxxxxxxxxx/T/#u
[5] device flow support for git-credential-oauth
https://github.com/hickford/git-credential-oauth/pull/9
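As an added illustration of the device flow described in the message above (example code, not taken from git-credential-oauth or from this thread), here is the client-side token polling loop that RFC 8628 sections 3.4 and 3.5 prescribe, in Go. The token URL, client ID, device code, interval and expiry are assumed to come from a prior device authorization request; the sleep function is injected so the loop can be exercised offline against a local test server.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/url"
	"time"
)

// PollToken polls the OAuth token endpoint as the device flow requires
// (RFC 8628 sections 3.4 and 3.5) while the user, on another machine with a
// browser, enters the user code. deviceCode, interval and expiresIn are the
// values from the device authorization response (section 3.2). The loop keeps
// waiting on "authorization_pending", backs off by 5 seconds on "slow_down",
// gives up at expiry, and fails on any other error code. Pass time.Sleep for sleep.
func PollToken(tokenURL, clientID, deviceCode string, interval, expiresIn time.Duration, sleep func(time.Duration)) (string, error) {
	deadline := time.Now().Add(expiresIn)
	for time.Now().Before(deadline) {
		resp, err := http.PostForm(tokenURL, url.Values{
			"grant_type":  {"urn:ietf:params:oauth:grant-type:device_code"},
			"device_code": {deviceCode},
			"client_id":   {clientID},
		})
		if err != nil {
			return "", err
		}
		var tr struct {
			AccessToken string `json:"access_token"`
			Error       string `json:"error"`
		}
		err = json.NewDecoder(resp.Body).Decode(&tr)
		resp.Body.Close()
		if err != nil {
			return "", err
		}
		switch tr.Error {
		case "":
			return tr.AccessToken, nil
		case "authorization_pending": // user has not approved yet; retry after interval
		case "slow_down": // server is rate limiting: add 5 seconds to the interval
			interval += 5 * time.Second
		default: // access_denied, expired_token, invalid_grant, ...
			return "", fmt.Errorf("token endpoint error: %s", tr.Error)
		}
		sleep(interval)
	}
	return "", fmt.Errorf("device code expired after %s without approval", expiresIn)
}
```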