在.git / config中包含googlecode密码是否危险？ [英] Is it dangerous to include your googlecode password in .git/config?

问题描述

因为我的.netrc文件的技巧不起作用（即使它具有正确的文件权限），我修改了我的本地.git / config，像这样：

  [remoteorigin] 
 fetch = + refs / heads / *：refs / remotes / origin / * $ b $ url url = https< username> ;：<密码> @ code.google.com / p /< project> / 
  

我立即克隆回购，以检查密码是否仍然包括在内，而不是。

我还有一个镜像托管在github上，如果它很重要

那么它有什么危险吗？ 解决方案

那么它有什么危险吗？

.git中的文件目录严格是您本地存储库的一部分;他们不会被推送到您的远程存储库。因此，您不必在网络上发布您的密码。

另一方面，任何需要您缓存密码的系统您的本地文件系统意味着有权访问您的文件系统的人可能会恢复您的密码。不幸的是，由于Google不支持通过ssh访问存储库，因此您可以做的事情不多（您可以决定独家使用Github，这可以让您进行公钥/私钥身份验证，这是安全性的重要一步）。

关于使用 .netrc 文件，Google Git FAQ说：

我将凭证放在.netrc中，为什么git仍要求我输入密码？

如果您在URL中有用户名，C git客户端总是要求输入密码。检查您的
命令行和.git / config文件，并确保您的code.google.com网址不包含您的用户名（最多@部分）的
。

Because the trick with my .netrc file doesn't work (even though it has correct filepermissions), I modified my local .git/config to like like so:

[remote "origin"]
    fetch = +refs/heads/*:refs/remotes/origin/*
    url = https://<username>:<password>@code.google.com/p/<project>/

I immediately cloned the repo to check if the password would be still included, and it isn't.

I also have a mirror hosted at github, if it matters at all.

So is it in any way dangerous?

解决方案

So is it in any way dangerous?

Files in your .git directory are strictly part of your local repository; they don't get pushed to your remote repositories. So you're safe in the sense that you're not publishing your password on the network.

On the other hand, any system that requires you to cache your password on your local filesystem means that someone with access to your filesystem can potentially recover your password. Unfortunately, since Google doesn't support repository access over ssh, there's not much you can do about this (well, you can decide to use Github exclusively, which gets you public/private key authentication which is a substantial step up in security).

Regarding the use of the .netrc file, the Google Git FAQ says:

I put my credentials in .netrc, so why does git still ask me for a password?

The C git client always asks for a password if you have a username in the URL. Check your command line and .git/config file and make sure that your code.google.com URLs do not include your username (the part up to the @).

这篇关于在.git / config中包含googlecode密码是否危险？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！