|
| 1 | +git-credential(1) |
| 2 | +================= |
| 3 | + |
| 4 | +NAME |
| 5 | +---- |
| 6 | +git-credential - retrieve and store user credentials |
| 7 | + |
| 8 | +SYNOPSIS |
| 9 | +-------- |
| 10 | +------------------ |
| 11 | +git credential <fill|approve|reject> |
| 12 | +------------------ |
| 13 | + |
| 14 | +DESCRIPTION |
| 15 | +----------- |
| 16 | + |
| 17 | +Git has an internal interface for storing and retrieving credentials |
| 18 | +from system-specific helpers, as well as prompting the user for |
| 19 | +usernames and passwords. The git-credential command exposes this |
| 20 | +interface to scripts which may want to retrieve, store, or prompt for |
| 21 | +credentials in the same manner as git. The design of this scriptable |
| 22 | +interface models the internal C API; see |
| 23 | +link:technical/api-credentials.txt[the git credential API] for more |
| 24 | +background on the concepts. |
| 25 | + |
| 26 | +git-credential takes an "action" option on the command-line (one of |
| 27 | +`fill`, `approve`, or `reject`) and reads a credential description |
| 28 | +on stdin (see <<IOFMT,INPUT/OUTPUT FORMAT>>). |
| 29 | + |
| 30 | +If the action is `fill`, git-credential will attempt to add "username" |
| 31 | +and "password" attributes to the description by reading config files, |
| 32 | +by contacting any configured credential helpers, or by prompting the |
| 33 | +user. The username and password attributes of the credential |
| 34 | +description are then printed to stdout together with the attributes |
| 35 | +already provided. |
| 36 | + |
| 37 | +If the action is `approve`, git-credential will send the description |
| 38 | +to any configured credential helpers, which may store the credential |
| 39 | +for later use. |
| 40 | + |
| 41 | +If the action is `reject`, git-credential will send the description to |
| 42 | +any configured credential helpers, which may erase any stored |
| 43 | +credential matching the description. |
| 44 | + |
| 45 | +If the action is `approve` or `reject`, no output should be emitted. |
| 46 | + |
| 47 | +TYPICAL USE OF GIT CREDENTIAL |
| 48 | +----------------------------- |
| 49 | + |
| 50 | +An application using git-credential will typically use `git |
| 51 | +credential` following these steps: |
| 52 | + |
| 53 | + 1. Generate a credential description based on the context. |
| 54 | ++ |
| 55 | +For example, if we want a password for |
| 56 | +`https://example.com/foo.git`, we might generate the following |
| 57 | +credential description (don't forget the blank line at the end; it |
| 58 | +tells `git credential` that the application finished feeding all the |
| 59 | +infomation it has): |
| 60 | + |
| 61 | + protocol=https |
| 62 | + host=example.com |
| 63 | + path=foo.git |
| 64 | + |
| 65 | + 2. Ask git-credential to give us a username and password for this |
| 66 | + description. This is done by running `git credential fill`, |
| 67 | + feeding the description from step (1) to its standard input. The |
| 68 | + credential will be produced on standard output, like: |
| 69 | + |
| 70 | + username=bob |
| 71 | + password=secr3t |
| 72 | ++ |
| 73 | +If the `git credential` knew about the password, this step may |
| 74 | +not have involved the user actually typing this password (the |
| 75 | +user may have typed a password to unlock the keychain instead, |
| 76 | +or no user interaction was done if the keychain was already |
| 77 | +unlocked) before it returned `password=secr3t`. |
| 78 | + |
| 79 | + 3. Use the credential (e.g., access the URL with the username and |
| 80 | + password from step (2)), and see if it's accepted. |
| 81 | + |
| 82 | + 4. Report on the success or failure of the password. If the |
| 83 | + credential allowed the operation to complete successfully, then |
| 84 | + it can be marked with an "approve" action to tell `git |
| 85 | + credential` to reuse it in its next invocation. If the credential |
| 86 | + was rejected during the operation, use the "reject" action so |
| 87 | + that `git credential` will ask for a new password in its next |
| 88 | + invocation. In either case, `git credential` should be fed with |
| 89 | + the credential description obtained from step (2) together with |
| 90 | + the ones already provided in step (1). |
| 91 | + |
| 92 | +[[IOFMT]] |
| 93 | +INPUT/OUTPUT FORMAT |
| 94 | +------------------- |
| 95 | + |
| 96 | +`git credential` reads and/or writes (depending on the action used) |
| 97 | +credential information in its standard input/output. These information |
| 98 | +can correspond either to keys for which `git credential` will obtain |
| 99 | +the login/password information (e.g. host, protocol, path), or to the |
| 100 | +actual credential data to be obtained (login/password). |
| 101 | + |
| 102 | +The credential is split into a set of named attributes. |
| 103 | +Attributes are provided to the helper, one per line. Each attribute is |
| 104 | +specified by a key-value pair, separated by an `=` (equals) sign, |
| 105 | +followed by a newline. The key may contain any bytes except `=`, |
| 106 | +newline, or NUL. The value may contain any bytes except newline or NUL. |
| 107 | +In both cases, all bytes are treated as-is (i.e., there is no quoting, |
| 108 | +and one cannot transmit a value with newline or NUL in it). The list of |
| 109 | +attributes is terminated by a blank line or end-of-file. |
| 110 | +Git will send the following attributes (but may not send all of |
| 111 | +them for a given credential; for example, a `host` attribute makes no |
| 112 | +sense when dealing with a non-network protocol): |
| 113 | + |
| 114 | +`protocol`:: |
| 115 | + |
| 116 | + The protocol over which the credential will be used (e.g., |
| 117 | + `https`). |
| 118 | + |
| 119 | +`host`:: |
| 120 | + |
| 121 | + The remote hostname for a network credential. |
| 122 | + |
| 123 | +`path`:: |
| 124 | + |
| 125 | + The path with which the credential will be used. E.g., for |
| 126 | + accessing a remote https repository, this will be the |
| 127 | + repository's path on the server. |
| 128 | + |
| 129 | +`username`:: |
| 130 | + |
| 131 | + The credential's username, if we already have one (e.g., from a |
| 132 | + URL, from the user, or from a previously run helper). |
| 133 | + |
| 134 | +`password`:: |
| 135 | + |
| 136 | + The credential's password, if we are asking it to be stored. |
0 commit comments