This article explains how to save HTTPS credentials for pushing commits or in other words, permanently authenticating to git repositories.
Since Git 1.7.9 (released 2012), there is a neat mechanism in Git to avoid having to type your password all the time for HTTP / HTTPS, called credential helpers.
You can just use one of the following credential helpers:
git config --global credential.helper cache
The credential.helper cache value tells Git to keep your password cached in memory for a particular amount of minutes. The default is 15 minutes, you can set a longer timeout with:
git config --global credential.helper "cache --timeout=3600"
Which sets the cache for 1 hour, or:
git config --global credential.helper "cache --timeout=86400"
For 1 day. You can also store your credentials permanently if so desired, see the other answers below.
GitHub’s help also suggests that if you’re on Mac OS X and used Homebrew to install Git, you can use the native Mac OS X keystore with:
git config --global credential.helper osxkeychain
For Windows, there is a helper called Git Credential Manager for Windows or wincred in msysgit.
git config --global credential.helper wincred # obsolete
With Git for Windows 2.7.3+ (March 2016):
git config --global credential.helper manager
For Linux, you would use (in 2011) gnome-keyring(or other keyring implementation such as KWallet).
Nowadays (2020), that would be (on Linux)
Fedora
sudo dnf install git-credential-libsecret
git config --global credential.helper /usr/libexec/git-core/git-credential-libsecret
Ubuntu – Permanently authenticating with git repositories
sudo apt-get install libsecret-1-0 libsecret-1-dev
cd /usr/share/doc/git/contrib/credential/libsecret
sudo make
git config --global credential.helper /usr/share/doc/git/contrib/credential/libsecret/git-credential-libsecret
How to store HTTPS credentials for pushing commits in git?
You can have Git store your credentials permanently using git-credential-store as follows:
git config credential.helper store
Note: While this is convenient, Git will store your credentials in clear text in a local file (.git-credentials) under your project directory (see below for the “home” directory). If you don’t like this, delete this file and switch to using the cache option.
If you want Git to resume to asking you for credentials every time it needs to connect to the remote repository, you can run this command:
git config --unset credential.helper
To store the passwords in .git-credentials in your %HOME% directory as opposed to the project directory: use the --global flag
git config --global credential.helper storePermanent authentication for git repositories
As of 2021, there is a secure user-friendly cross-platform solution for HTTPS remotes. No more typing passwords! No more SSH keys! No more personal access tokens!
Install Git Credential Manager developed by GitHub (downloads). It supports passwordless OAuth authentication to GitHub, BitBucket, Azure and GitLab. This means you can enable two-factor authentication on GitHub and the other platforms, greatly improving the security of your accounts.
When you push, you are offered a choice of authentication methods:
> git push
Select an authentication method for 'https://github.com/':
1. Web browser (default)
2. Device code
3. Personal access token
option (enter for default): 1
info: please complete authentication in your browser...
On Linux, a tiny bit of setup is required. The following caches credentials in memory for 20 hours, so you have to authenticate at most once per day.
git-credential-manager-core configure
git config --global credential.credentialStore cache
git config --global credential.cacheoptions=--timeout 72000
Power users familiar with gnome-keyring or KWallet may prefer to change the credential store to libsecret.
Cosmetic configuration: Since I always choose ‘web browser’ at the prompt above, I set a gitHubAuthModes preference to skip the choice. Recent versions of GCM include a GUI that adds an extra click to the authentication flow, I disable that.
git config --global credential.gitHubAuthModes browser
git config --global credential.guiPrompt false
Screenshot of authorizing GCM to access your GitHub account (only seen the first time):
Screenshot of subsequent authentication (seen once per day). No clicks are necessary.
Finally, a link to check applications connected to your GitHub account:
How to cache HTTPS credentials for pushing commits in git?
OR
How to permanently authenticate with git repositories?
TLDR; Use an encrypted netrc file with Git 1.8.3+.
Saving a password for a Git repository HTTPS URL is possible with a ~/.netrc (Unix) or %HOME%/_netrc (note the _) on Windows.
But: That file would store your password in plain text.
Solution: Encrypt that file with GPG (GNU Privacy Guard), and make Git decrypt it each time it needs a password (for push/pull/fetch/clone operation).
Note: with Git 2.18 (Q2 2018), you now can customize the GPG used to decrypt the encrypted .netrc file.
git-credential-netrc: accept gpg option
git-credential-netrc was hardcoded to decrypt with ‘gpg‘ regardless of the gpg.program option.
This is a problem on distributions like Debian that call modern GnuPG something else, like ‘gpg2‘
Step-by-Step instructions for Windows
With Windows:
(Git has a gpg.exe in its distribution, but using a full GPG installation includes a gpg-agent.exe, which will memorize your passphrase associated to your GPG key.)
- Install
gpg4Win Lite, the minimum gnupg command-line interface (take the most recentgpg4win-vanilla-2.X.Y-betaZZ.exe), and complete your PATH with the GPG installation directory:set PATH=%PATH%:C:\path\to\gpg copy C:\path\to\gpg\gpg2.exe C:\path\to\gpg\gpg.exe
(Note the ‘copy‘ command: Git will need a Bash script to execute the command ‘gpg‘. Since gpg4win-vanilla-2 comes with gpg2.exe, you need to duplicate it.)
- Create or import a GPG key, and trust it:
gpgp --import aKey # or gpg --gen-key
(Make sure to put a passphrase to that key.)
- Trust that key
- Install the credential helper script in a directory within your
%PATH%:cd c:\a\fodler\in\your\path curl -o c:\prgs\bin\git-credential-netrc https://raw.githubusercontent.com/git/git/master/contrib/credential/netrc/git-credential-netrc.perl
(Beware: the script is renamed in Git 2.25.x/2.26, see below)
(Yes, this is a Bash script, but it will work on Windows since it will be called by Git.)
- Make a _netrc file in clear text
machine a_server.corp.com login a_login password a_password protocol https machine a_server2.corp.com login a_login2 password a_password2 protocol https
(Don’t forget the ‘protocol‘ part: ‘http‘ or ‘https‘ depending on the URL you will use.)
- Encrypt that file:
gpg -e -r a_recipient _netrc
(You now can delete the _netrc file, keeping only the _netrc.gpg encrypted one.)
- Use that encrypted file:
git config --local credential.helper "netrc -f C:/path/to/_netrc.gpg -v"
(Note the ‘/‘: C:\path\to... wouldn’t work at all.) (You can use at first -v -d to see what is going on.)
From now on, any Git command using an HTTP(S) URL which requires authentication will decrypt that _netrc.gpg file and use the login/password associated to the server you are contacting. The first time, GPG will ask you for the passphrase of your GPG key, to decrypt the file. The other times, the gpg-agent launched automatically by the first GPG call will provide that passphrase for you.
That way, you can memorize several URLs/logins/passwords in one file, and have it stored on your disk encrypted.
I find it more convenient than a “cache” helper”, where you need to remember and type (once per session) a different password for each of your remote services, for said password to be cached in memory.
With Git 2.26 (Q1 2020), the sample credential helper for using .netrc has been updated to work out of the box.
contrib/credential/netrc: make PERL_PATH configurable
Signed-off-by: Denton Liu
The shebang path for the Perl interpreter in git-credential-netrc was hardcoded.
However, some users may have it located at a different location and thus, would have had to manually edit the script.
Add a .perl prefix to the script to denote it as a template and ignore the generated version.
Augment the Makefile so that it generates git-credential-netrc from git-credential-netrc.perl, just like other Perl scripts.
The Makefile recipes were shamelessly stolen from contrib/mw-to-git/Makefile.
And:
With 2.26 (Q1 2020), the Sample credential helper for using .netrc has been updated to work out of the box.
contrib/credential/netrc: work outside a repo
Signed-off-by: Denton Liu
Currently, git-credential-netrc does not work outside of a git repository. It fails with the following error:
fatal: Not a git repository: . at /usr/share/perl5/Git.pm line 214.
There is no real reason why need to be within a repository, though. Credential helpers should be able to work just fine outside the repository as well.
Call the non-self version of config() so that git-credential-netrc no longer needs to be run within a repository.
Jeff King (peff) adds:
I assume you’re using a gpg-encrypted netrc (if not, you should probably just use credential-store).
For “read-only” password access, I find the combination of pass with config like this is a bit nicer:
[credential "https://github.com"]
username = peff
helper = "!f() { test $1 = get && echo password=`pass github/oauth`; }; f"In this article, we learned how to cache HTTPS credentials for pushing commits.
Hope you learned something from this post.
Follow Programming Articles for more!