about summary refs log blame commit diff
path: root/Documentation/gitcredentials.txt
blob: adc759612de99a2b86c89e353ff724e5eb25472e (plain) (tree)

































































































































































































                                                                               
gitcredentials(7)
=================

NAME
----
gitcredentials - providing usernames and passwords to Git

SYNOPSIS
--------
------------------
git config credential.https://example.com.username myusername
git config credential.helper "$helper $options"
------------------

DESCRIPTION
-----------

Git will sometimes need credentials from the user in order to perform
operations; for example, it may need to ask for a username and password
in order to access a remote repository over HTTP. This manual describes
the mechanisms Git uses to request these credentials, as well as some
features to avoid inputting these credentials repeatedly.

REQUESTING CREDENTIALS
----------------------

Without any credential helpers defined, Git will try the following
strategies to ask the user for usernames and passwords:

1. If the `GIT_ASKPASS` environment variable is set, the program
   specified by the variable is invoked. A suitable prompt is provided
   to the program on the command line, and the user's input is read
   from its standard output.

2. Otherwise, if the `core.askPass` configuration variable is set, its
   value is used as above.

3. Otherwise, if the `SSH_ASKPASS` environment variable is set, its
   value is used as above.

4. Otherwise, the user is prompted on the terminal.

AVOIDING REPETITION
-------------------

It can be cumbersome to input the same credentials over and over.  Git
provides two methods to reduce this annoyance:

1. Static configuration of usernames for a given authentication context.

2. Credential helpers to cache or store passwords, or to interact with
   a system password wallet or keychain.

The first is simple and appropriate if you do not have secure storage available
for a password. It is generally configured by adding this to your config:

---------------------------------------
[credential "https://example.com"]
	username = me
---------------------------------------

Credential helpers, on the other hand, are external programs from which Git can
request both usernames and passwords; they typically interface with secure
storage provided by the OS or other programs.

To use a helper, you must first select one to use. Git currently
includes the following helpers:

cache::

	Cache credentials in memory for a short period of time. See
	linkgit:git-credential-cache[1] for details.

store::

	Store credentials indefinitely on disk. See
	linkgit:git-credential-store[1] for details.

You may also have third-party helpers installed; search for
`credential-*` in the output of `git help -a`, and consult the
documentation of individual helpers.  Once you have selected a helper,
you can tell Git to use it by putting its name into the
credential.helper variable.

1. Find a helper.
+
-------------------------------------------
$ git help -a | grep credential-
credential-foo
-------------------------------------------

2. Read its description.
+
-------------------------------------------
$ git help credential-foo
-------------------------------------------

3. Tell Git to use it.
+
-------------------------------------------
$ git config --global credential.helper foo
-------------------------------------------


CREDENTIAL CONTEXTS
-------------------

Git considers each credential to have a context defined by a URL. This context
is used to look up context-specific configuration, and is passed to any
helpers, which may use it as an index into secure storage.

For instance, imagine we are accessing `https://example.com/foo.git`. When Git
looks into a config file to see if a section matches this context, it will
consider the two a match if the context is a more-specific subset of the
pattern in the config file. For example, if you have this in your config file:

--------------------------------------
[credential "https://example.com"]
	username = foo
--------------------------------------

then we will match: both protocols are the same, both hosts are the same, and
the "pattern" URL does not care about the path component at all. However, this
context would not match:

--------------------------------------
[credential "https://kernel.org"]
	username = foo
--------------------------------------

because the hostnames differ. Nor would it match `foo.example.com`; Git
compares hostnames exactly, without considering whether two hosts are part of
the same domain. Likewise, a config entry for `http://example.com` would not
match: Git compares the protocols exactly.

If the "pattern" URL does include a path component, then this too must match
exactly: the context `https://example.com/bar/baz.git` will match a config
entry for `https://example.com/bar/baz.git` (in addition to matching the config
entry for `https://example.com`) but will not match a config entry for
`https://example.com/bar`.


CONFIGURATION OPTIONS
---------------------

Options for a credential context can be configured either in
`credential.*` (which applies to all credentials), or
`credential.<url>.*`, where <url> matches the context as described
above.

The following options are available in either location:

helper::

	The name of an external credential helper, and any associated options.
	If the helper name is not an absolute path, then the string `git
	credential-` is prepended. The resulting string is executed by the
	shell (so, for example, setting this to `foo --option=bar` will execute
	`git credential-foo --option=bar` via the shell. See the manual of
	specific helpers for examples of their use.
+
If there are multiple instances of the `credential.helper` configuration
variable, each helper will be tried in turn, and may provide a username,
password, or nothing. Once Git has acquired both a username and a
password, no more helpers will be tried.
+
If `credential.helper` is configured to the empty string, this resets
the helper list to empty (so you may override a helper set by a
lower-priority config file by configuring the empty-string helper,
followed by whatever set of helpers you would like).

username::

	A default username, if one is not provided in the URL.

useHttpPath::

	By default, Git does not consider the "path" component of an http URL
	to be worth matching via external helpers. This means that a credential
	stored for `https://example.com/foo.git` will also be used for
	`https://example.com/bar.git`. If you do want to distinguish these
	cases, set this option to `true`.


CUSTOM HELPERS
--------------

You can write your own custom helpers to interface with any system in
which you keep credentials. See the documentation for Git's
link:technical/api-credentials.html[credentials API] for details.

GIT
---
Part of the linkgit:git[1] suite