Re: [PATCH] credential: do not store credentials received from helpers

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

On Fri, Apr 06, 2012 at 09:12:39PM -0700, Shawn O. Pearce wrote:

> On Fri, Apr 6, 2012 at 20:34, Jeff King <peff@xxxxxxxx> wrote:
> >  2. If you use a time-based storage helper like
> >     "git-credential-cache", every time you run a git
> >     command which uses the credential, it will also
> >     re-insert the credential after use, freshening the
> >     cache timestamp. So the cache will eventually expire N
> >     time units after the last _use_, not after the time the
> >     user actually typed the password. This is probably not
> >     what most users expect or want (and if they do, we
> >     should do it explicitly by providing an option to
> >     refresh the timestamp on use).
> So if I use the cache helper, and its set to expire at the default of
> 15 minutes, I have to type my password in every 15 minutes, even if I
> am doing a Git operation roughly every 8 minutes during a work day?

Yes. It's less convenient, but safer and more predictable (you put your
password in at 2:30, it's gone at 2:45). Keep in mind that you can also
bump the cache time. And like I said, if we do want have it behave the
other way, that's OK, but it should be explicit (and it can be optional,
even if it defaults to auto-refresh on use).

Or you could even do something more complex. gpg-agent will refresh the
timestamp on use, but still has a "max ttl" that drops a credential N
seconds after it was input, even if it was used recently. But making any
decision like that means that the daemon needs to actually know whether
the timestamp came from the user, or whether it was simply accessed and
regurgitated to us.

> This breaks one of my credential helpers.
> I have a helper that generates a password by asking a remote system to
> generate a short lived password based on other authentication systems
> that I can't describe. Once I have that password, its good for $X
> time.
> The helper just dumps it out to Git, and Git turns around and stores
> it into the cache for me. This means later requests will keep that
> credential in the cache, and avoid making that remote system call
> every time I do a Git network command.

I considered your use case when writing the patch and thought "no,
that's too insane. Nobody would want that." But leave it to you to prove
me wrong. :)

I'm torn. What you are doing is totally reasonable for your case. At the
same time, having it happen without the user's knowledge could have
surprising security implications, because you're leaking passwords from
one helper to the other (in the example in the commit message, I
mentioned a high-security helper followed by "cache". Which is probably
not that bad. But imagine if it were "store").

> I guess I now need to change my helper to cache git credential-cache
> itself and store the password into the cache if it wants to use the
> cache?

That's one option, though it is a little bit of a pain to implement (not
hard, but not one line of code). It would be very easy to add a
"credential.storeHelperCredentials" option that defaulted to off (that
name is horrible, but you get the point).

> Should we update the credential helper documentation at the same time
> as this change to make it clear Git won't cache passwords returned
> from helpers, but a helper could call the credential-cache itself if
> it wanted to reuse the existing cache service?

Yeah, I'll add a documentation update when I re-roll; but we first need
to figure out what the recommended course of action is.

One thing I don't like about having your helper call credential-cache is
that it is a layering violation; it is only guessing that putting the
data into credential-cache will be useful in the first place. But that
depends on the user's config. It could have be using an alternative
caching helper (or none at all).

So I think an explicit "it's OK to leak credentials between helpers"
flag is our best bet. And it's dirt simple to code.

To unsubscribe from this list: send the line "unsubscribe git" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at

[Newbies FAQ]     [Linux Kernel Development]     [Free Online Dating]     [Gcc Help]     [IETF Annouce]     [DCCP]     [Netdev]     [Networking]     [Security]     [V4L]     [Bugtraq]     [Free Online Dating]     [Photo]     [Yosemite]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Linux SCSI]     [Fedora Users]     [Linux Resources]

Add to Google