Possible security issue? #525
Hi, I am experiencing an issue where running git fetch takes 20 seconds each time on Windows. So I traced it and boiled it down to the Git Credential Manager Core GET command.
You are running the commands that Git uses to get your credentials, so this is working by design. Whatever credentials you use are stored in a secure location, but processes running under your user permissions can access that information as needed. If you don't want your password stored, then don't use username/password auth (and instead use something like a PAT). This is one reason why GitHub removed password authentication.
I was having a similar issue, yet just confirmed it was a configuration issue on my end.
I have several repositories, private under one company, private under another, and some public. The 1st and 2nd companies’ repositories used different account information (with MFA for each). In the two companies there was a mixture of traditional C/IDE tools and Matlab, with all the tools using Personal Access Tokens to enable the MFA transaction.
I accidentally cloned the 1st company’s Matlab repository using the 2nd company’s account info (all while in Matlab, using GCM configured on macOS). Sadly - no error reported from GCM. Then I proceeded to add my files into the repository's local/cloned directory - and because the files were autonomous and not interfacing with other portions of the repository, I was still productive. Then I tried to commit/push the changes - which did report an error, :), and all was still operating wonderfully.
I then went into the ‘git config’ for the failing repository to determine what was at issue. Not wanting to run through a bunch of unique commands at the command line, I switched to GitHub’s app. I fixed the login credentials, using the Repository | Settings | Git Config .. feature, and then was able to push the changes up to the repository…. Which both fixed the repository's account info, and confirmed GCM/Matlab was operating wonderfully for company 1.
I then quickly switched back to company 2, made a quick text file change, and again with Matlab/GCM - all functioned wonderfully.
Luka, perhaps you’re using the global git config, and not the per repository config?
Sam
… On Nov 12, 2021, at 4:34 AM, Luka Gospodnetic ***@***.***> wrote:
I understand, just, thinking that maybe that shouldn't be so easily accessible... Unfortunately, I didn't set this, this was set by the Client - had no impact on that.
I tried for my sake to switch to the cache version (credential helper cache), but it just gets ignored, and it still uses the git credential manager core that they set. But if I override it with an empty string instead of "cache" then it ignores the GCMCore and prompts for username and password. Any thoughts on why that is?
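An added example, not part of the original thread or of GCM's code: it models Git's documented rule for `credential.helper`, which bears on the helper question quoted above. Every configured value is appended to one list across the system, global and repository config files, helpers are tried in order until one returns a username and password, and an empty value resets the list. The origin labels and sample inputs are constructed; `manager-core` is assumed to be the helper name the client configured.

```shell
#!/bin/sh
# Added example: models how Git builds its credential-helper list.
# Input: output of `git config --show-origin --get-all credential.helper`,
# one "origin<TAB>value" line per entry, in the order Git reads the files
# (system, then global, then repository).
# Output: the helpers Git will consult, in order, with their origin.
effective_helpers() {
    tab=$(printf '\t')
    list=""
    while IFS= read -r line || [ -n "$line" ]; do
        origin=${line%%"$tab"*}
        value=${line#*"$tab"}
        if [ -z "$value" ]; then
            list=""    # an empty value resets everything configured so far
        elif [ -z "$list" ]; then
            list="$value ($origin)"
        else
            list="$list
$value ($origin)"
        fi
    done
    if [ -n "$list" ]; then printf '%s\n' "$list"; fi
}

# Constructed sample inputs (origins are placeholders, not real paths).
sample_appended() {         # system helper set by someone else, "cache" added globally
    printf 'file:SYSTEM\tmanager-core\nfile:GLOBAL\tcache\n'
}
sample_reset_only() {       # helper overridden with the empty string
    printf 'file:SYSTEM\tmanager-core\nfile:GLOBAL\t\n'
}
sample_reset_then_cache() { # empty string first, then "cache"
    printf 'file:SYSTEM\tmanager-core\nfile:GLOBAL\t\nfile:GLOBAL\tcache\n'
}

for s in sample_appended sample_reset_only sample_reset_then_cache; do
    echo "== $s"
    "$s" | effective_helpers
done
```

To audit a real machine, pipe `git config --show-origin --get-all credential.helper` into `effective_helpers`; any helper listed ahead of the one you intended is consulted first.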