by anonymousDan 1345 days ago
But how do you manage them in practice? At least with ssh everything is in one place in my .ssh folder. I suppose I could create a .tokens folder or somesuch.

Git has a lot of options for managing credentials ( https://git-scm.com/book/en/v2/Git-Tools-Credential-Storage https://git-scm.com/docs/gitcredentials https://docs.github.com/en/authentication/keeping-your-accou... ). For MFA: https://github.com/GitCredentialManager/git-credential-manag...

The simplest thing is to create a ~/.netrc file:

  machine foobar.atlassian.net login myuser1@mycompany.com password isudfiusldifuslkjhdflksjhdf
  machine bitbucket.org        login myotheruser           password kjsdoihohuaoivhdifhuvoiadhf
  machine github.com           login companyuser1          password ghp_oisjdofhowuefoiusiofus
  machine github.com           login personaluser2         password ghp_jf9huiehuwfsouyewuhifuh
  machine circleci.com         login myotheruser           password lkjdhiufwhu8ef7yw8yoefhozheofuhouha4lhlWiur
Clone a repository like git clone https://companyuser1@github.com/foo/bar.git and Git will load the right login automatically.
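As an added illustration of the lookup the comment above describes (not code from the commenter, from Git or from libcurl, and a deliberate simplification of what they do), the script below parses a constructed `.netrc` built from the dummy entries above, keeps both `github.com` logins instead of collapsing them the way the stdlib `netrc` module does, selects the entry whose login matches the username embedded in the clone URL, and adds the file-permission check a reviewer would want before trusting plaintext tokens in the home directory. The function names and the sample contents are assumptions made for this example.

```python
import os
import stat
from urllib.parse import urlsplit

# Constructed sample ~/.netrc contents (dummy tokens copied from the thread's
# illustration; not a real file).
SAMPLE_NETRC = """\
machine bitbucket.org        login myotheruser           password kjsdoihohuaoivhdifhuvoiadhf
machine github.com           login companyuser1          password ghp_oisjdofhowuefoiusiofus
machine github.com           login personaluser2         password ghp_jf9huiehuwfsouyewuhifuh
"""


def parse_netrc(text):
    """Return a list of {"machine", "login", "password"} dicts, one per entry.

    Every entry is kept, so one host may carry several logins; the stdlib
    `netrc` module keys by host and would silently keep only the last
    github.com line. Simplification: `macdef` blocks are not handled.
    """
    entries = []
    tokens = text.split()
    i, cur = 0, None
    while i < len(tokens):
        tok = tokens[i]
        if tok == "machine":
            cur = {"machine": tokens[i + 1]}
            entries.append(cur)
            i += 2
        elif tok == "default":          # wildcard entry, must come last
            cur = {"machine": None}
            entries.append(cur)
            i += 1
        elif tok in ("login", "password", "account") and cur is not None:
            cur[tok] = tokens[i + 1]
            i += 2
        else:
            i += 1                      # unknown token: skip it
    return entries


def resolve_credential(entries, url):
    """Pick the (login, password) for a clone URL: match on host, and when
    the URL embeds a username (https://companyuser1@github.com/...), require
    that login too. Returns None when nothing matches."""
    parts = urlsplit(url)
    for e in entries:
        if e["machine"] is not None and e["machine"] != parts.hostname:
            continue
        if parts.username is not None and e.get("login") != parts.username:
            continue
        return e.get("login"), e.get("password")
    return None


def permission_problems(mode, owner_uid, current_uid):
    """Reasons a credential file is exposed beyond its owner; [] means fine.
    `mode` is the permission bits only (e.g. 0o600)."""
    problems = []
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("mode %o lets group/others read or write it" % mode)
    if owner_uid != current_uid:
        problems.append("owned by uid %d, not the current user" % owner_uid)
    return problems


def check_netrc_file(path):
    """Stat a real file and run permission_problems on it (POSIX only)."""
    st = os.stat(path)
    return permission_problems(stat.S_IMODE(st.st_mode), st.st_uid, os.getuid())


if __name__ == "__main__":
    entries = parse_netrc(SAMPLE_NETRC)
    for url in ("https://companyuser1@github.com/foo/bar.git",
                "https://personaluser2@github.com/foo/bar.git",
                "https://bitbucket.org/foo/bar.git"):
        print(url, "->", resolve_credential(entries, url))
    print("0o600:", permission_problems(0o600, 1000, 1000))
    print("0o644:", permission_problems(0o644, 1000, 1000))
```

Run `check_netrc_file(os.path.expanduser("~/.netrc"))` to see whether a real file is readable by anyone other than its owner; a non-empty list is the plaintext-at-rest exposure the next comments worry about, on top of the fact that any process running as your UID can read the file regardless of mode.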
The idea of having sensitive and important credentials sitting in plaintext in a file in the root of my home directory gives me heebie-jeebies.

Do you typically grant access to your home directory? The .ssh folder is also in your home.

On most posix systems everything running as your UID has access to everything in your home directory.

I have no private key material or credentials in my .ssh folder (other than usernames and hostnames). All of my SSH private keys are stored in hardware.

Don't put valuable passwords in .netrc:

https://jwilk.net/blog/20131104-netrc-security

Interesting, thanks. Can they at least be password protected like ssh private keys? If so is there any equivalent to ssh-agent?

Yes; if you dig into the links I left, Git can use a variety of credential managers to protect them.

Speaking of ssh key passwords: until OpenSSH 7.8 (2018-08-24), private keys using the PEM format were vulnerable to brute-force password cracking. You had to specify the -o option to use the more secure OpenSSH-format keys. Today the -o option is the default (and thus gone), but you might want to rotate your keys if they're from before September 2018.
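A quick way to act on the PEM-format point above is to find which private keys are still in the legacy container. The script below is an added example, not the commenter's, and distinguishes the two formats by the header line OpenSSH writes: `-----BEGIN OPENSSH PRIVATE KEY-----` for the newer format, `-----BEGIN RSA/DSA/EC PRIVATE KEY-----` for the legacy PEM container; for legacy keys it also reports whether a passphrase was set (PEM marks that with a `Proc-Type: 4,ENCRYPTED` header). The function names and the sample key files it creates are constructed for this example; the sample bodies are placeholders, not real key material.

```sh
#!/bin/sh
# Added example: classify OpenSSH private key files by their header line so
# keys in the legacy PEM container (the default before OpenSSH 7.8) can be
# found and rotated. Function names and sample files are constructed.

# Prints one of: openssh, legacy, unknown (unreadable file or unknown header).
ssh_key_format() {
  first_line=$(head -n 1 "$1" 2>/dev/null)
  case "$first_line" in
    "-----BEGIN OPENSSH PRIVATE KEY-----")
      echo openssh ;;
    "-----BEGIN RSA PRIVATE KEY-----"|"-----BEGIN DSA PRIVATE KEY-----"|"-----BEGIN EC PRIVATE KEY-----")
      echo legacy ;;
    *)
      echo unknown ;;
  esac
}

# For a legacy PEM key, prints "encrypted" if a passphrase was set, else "plaintext".
legacy_key_is_encrypted() {
  if grep -q '^Proc-Type: 4,ENCRYPTED' "$1" 2>/dev/null; then
    echo encrypted
  else
    echo plaintext
  fi
}

# Walk a directory (default ~/.ssh) and print one line per private key.
report_ssh_keys() {
  dir=${1:-"$HOME/.ssh"}
  for f in "$dir"/id_*; do
    [ -f "$f" ] || continue
    case "$f" in *.pub) continue ;; esac
    fmt=$(ssh_key_format "$f")
    if [ "$fmt" = legacy ]; then
      echo "$f: legacy PEM format ($(legacy_key_is_encrypted "$f")); rotate or re-save"
    else
      echo "$f: $fmt"
    fi
  done
}

# Create constructed sample files in $1: one new-format key, one encrypted
# legacy key, plus a public key that the report must skip.
make_sample_keys() {
  printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' 'AAAA' \
    '-----END OPENSSH PRIVATE KEY-----' > "$1/id_ed25519"
  printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
    'DEK-Info: AES-128-CBC,00' '' 'AAAA' '-----END RSA PRIVATE KEY-----' > "$1/id_rsa"
  printf '%s\n' 'ssh-ed25519 AAAA user@host' > "$1/id_ed25519.pub"
}

# Demo on constructed input so the script runs without touching a real ~/.ssh.
demo_dir=$(mktemp -d)
make_sample_keys "$demo_dir"
report_ssh_keys "$demo_dir"
rm -rf "$demo_dir"
```

Call `report_ssh_keys` with no argument to scan your own `~/.ssh`. Any `legacy` line is a key whose passphrase protection is the weak pre-7.8 kind the comment describes; rotating it is the conservative option, and on a current OpenSSH `ssh-keygen -p -f <key>` re-saves it in the new format.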

Oh, thanks for the heads up, I did not know that about PEM keys!

Probably ~/.netrc can handle per-repository tokens