avatarTeri Radichel

Summary

The content discusses methods for securely handling git credentials in automated scripts to enhance cybersecurity.

Abstract

The article delves into the importance of protecting git credentials when used in automated scripts, emphasizing the risks associated with storing credentials on disk or in memory for extended periods. The author, Teri Radichel, explores the use of git credential.helper cache options to temporarily store passwords in memory with a configurable timeout, ensuring credentials are forgotten after use or system restart. The post includes a detailed examination of the git credential helper cache command, its implementation, and potential pitfalls, along with a script example to automate repository cloning securely. Radichel also touches upon the use of global configurations, the absence of credentials on disk post-implementation, and the integration with GitHub CLI and Secrets Managers for enhanced security. The article is part of a series on automating cybersecurity metrics and provides insights into Teri's personal experiences and best practices in application security and AWS environments.

Opinions

  • The author prefers not to store credentials at all if possible, entering usernames and passwords manually for git commands.
  • There is a concern about the permanence of data deletion, as simply deleting data may not truly remove it from a system.
  • The author is curious and hands-on, willing to experiment with commands and scripts to find the best security practices.
  • There is a preference for solutions that do not write credentials to disk, as evidenced by the author's exploration of in-memory caching with git.
  • The author values efficiency and security in their work environment and continuously seeks improvements, as demonstrated by the practical application of the discussed techniques in their penetration testing work.
  • Radichel suggests that the GitHub CLI could be enhanced to better handle credential caching and clearing, indicating a desire for improved tooling.
  • The author acknowledges the potential of Secrets Managers like AWS Secrets Manager but also emphasizes the importance of proper encryption and access control.
  • There is an interest in incorporating Multi-Factor Authentication (MFA) into the git clone process, which is currently not supported with access tokens.
  • The article reflects the author's expertise and proactive approach to cybersecurity, with a call to action for readers to follow for updates and engage with the author's consulting services and educational content.

Protecting git Credentials Used in Automated Scripts

Prevent writing git credentials to disk and limit the time stored in memory with git credential.helper cache options

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

⚙️ Part of my series on Automating Cybersecurity Metrics. The Code.

🔒 Related Stories: GitHub Security | Application Security | Secure Code | Ubuntu on AWS

💻 Free Content on Jobs in Cybersecurity | ✉️ Sign up for the Email List

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Related to my posts on application security. I am testing this code on Ubuntu but I presume it will work on any OS.

Free Content on Jobs in Cybersecurity | Sign up for the Email List

I try to avoid storing credentials for any length of time on a system if I can help it. I typically enter user names and passwords to run git commands and don’t store them at all.

Why do I bother with all that? I explained how data you think you may have delete is not truly deleted sometimes here:

Caching credentials in environment variables or even leaving them hanging around in memory can lead to potential compromise. If you can use the credentials during a particular process and immediately remove all trace of the credentials that is best.

However, I was recently revisiting this issue because when you’re cloning a whole bunch of repos at once, this gets old. How can I enter the user name and token once for all repos, and yet avoid having them hang around on disk or in memory afterwards.

This led me to the git credential helper cache information.

git config credential.helper 'cache --timeout=<timeout>'

This sounds great:

This command caches credentials for use by future Git programs. The stored credentials are kept in memory of the cache-daemon process (instead of written to a file) and are forgotten after a configurable timeout. Credentials are forgotten sooner if the cache-daemon dies, for example if the system restarts. The cache is accessible over a Unix domain socket, restricted to the current user by filesystem permissions.

This line is curious…

You probably don’t want to invoke this command directly; it is meant to be used as a credential helper by other parts of Git.

Why? Not sure. I’m going to try using it and see what happens. Because I’m just like that. :-)

This is also helpful — if you want to force the cache to clear:

git credential-cache exit

Here’s the sample code:

$ git config credential.helper cache
$ git push http://example.com/repo.git
Username: <type your username>
Password: <type your password>

[work for 5 more minutes]
$ git push http://example.com/repo.git
[your credentials are used automatically]

Or if you want to set the timeout to an hour:

git config credential.helper 'cache --timeout=3600'

Testing the commands

Well, I can create a script like this to set the credentials, use them, and then exit the cache when the script completes.

That’s fine and dandy. However when I ran it, the script failed.

usage: git config [<options>]

The reason it failed initially was that I forgot to put the single quotes around my options — like this (note the correct version with quotes above).

git config credential.helper cache --timeout=3600

After completing that step, I ran the command and I got this error:

fatal: not in a git directory

What I noticed was that if I ran the git config command without the cache option it ran without errors. I am not sure if it actually did anything.

My problem here is that I want to and set the cache login prior to cloning a git directory. So I’ll never be in a git directory in that scenario. The directory doesn’t exist until after I run the command that apparently requires the directory if I add the cache options.

I’ve got a dilemma now. However, perhaps I just wasn’t running the command correctly.

I figured out that it works when I specify a file location. But the thing is — I don’t want the file. That’s kind of the whole point of what I’m doing. Perhaps the description of “file location” below is kind of a misnomer? Or I guess you could have files in memory? Anyway.

You can read more about he above options here:

So are the credentials written to disk with the global option\?

Let’s find out.

I noticed that when I added this option a git config file appeared:

git config --global credential.helper cache

Let’s add the timeout and see what happens. The config file is updated:

This looks good. We’ll continue testing this with my script but first…

~~~

Side note: that the fact that 'git config --glob' appears after my prompt and before the command I’m running in the screen shot above (I did not type that there) is due to some kind of bug on AWS EC2 instances.

I reported this in my Bugs That Bite blog.

The fact that this same bug appears in Ubuntu as well as AWS Linux seems to indicate it might be something other than the OS in the AWS environment that causes the problem. I do not have the same problem in a shell on a Mac — but it’s also a different shell (zsh not bash.) So maybe it’s a bash issue. IDK.

🤷🏼‍♀️

~~~

Back to my script.

I created a script to loop through a series of git repository names. This presumes

#!/bin/bash -e

#replace the following with the path where you want to clone the repos
gitdir='/path/to/clone/dir'
if [ ! -d "$gitdir" ]; then
  c="mkdir $gitdir"
  ($c)
fi

#replace with the owner of the repo
#in my case https://github.com/tradichel, the owner is tradichel
owner='your-repo-owner-name'

#replace the repos below with your repo names
#for this example: https://github.com/tradichel/SecurityMetricsAutomation
#the repo name is SecurityMetricsAutomation
declare -a repos=('repo1' 'repo2' 'repo3')

function sync(){
  repo=$1
  cd $gitdir
  git clone https://github.com/$owner/$repo.git
  cd $repo
  git remote set-url origin https://github.com/$owner/$repo.git
}

git config --global credential.helper 'cache --timeout 120'

for repo in "${repos[@]}"
do
   echo "clone repo $repo"
   sync $repo
done

#clear the credentials from cache
git credential-cache exit

#clear anything in bash history
history -c

I ran my script with the correct credentials and I was only prompted for the credentials once. Prior to this change I would be prompted for the credentials for every single repository.

I then searched for the credentials being stored to disk. I didn’t find them. I did not search through memory like I did in my prior post. I’ll leave that as an exercise to the reader for the moment as I have to complete a penetration test. All these things I’m writing about have an immediate purpose as I’m continuously improving the efficiency and security of my work environment.

About the Github CLI

I don’t see a way to do this with the GitHub CLI. There’s a cache option, but it is related to caching API requests.

#githubwishlist

It looks like the CLI does use Credential Manager:

I wonder what would happen if you configure credential manager with caching and then run the command to clear the credential manager cache afterwards. That might work. A test for another day.

Secrets Managers

By the way, I could also pull the secrets from AWS Secrets Manager or similar potentially, but then you have to make sure that is encrypted and locked down so only the appropriate users or processes can access it. And unfortunately, at the time of this writing, there is no way to incorporate MFA into the git clone process with an access token, but you could use AWS IAM to enforce MFA to retrieve the secret using methods I’ve demonstrated in prior posts:

Follow for updates.

Teri Radichel | © 2nd Sight Lab 2023

About Teri Radichel:
~~~~~~~~~~~~~~~~~~~~
⭐️ Author: Cybersecurity Books
⭐️ Presentations: Presentations by Teri Radichel
⭐️ Recognition: SANS Award, AWS Security Hero, IANS Faculty
⭐️ Certifications: SANS ~ GSE 240
⭐️ Education: BA Business, Master of Software Engineering, Master of Infosec
⭐️ Company: Penetration Tests, Assessments, Phone Consulting ~ 2nd Sight Lab
Need Help With Cybersecurity, Cloud, or Application Security?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
🔒 Request a penetration test or security assessment
🔒 Schedule a consulting call
🔒 Cybersecurity Speaker for Presentation
Follow for more stories like this:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
❤️ Sign Up my Medium Email List
❤️ Twitter: @teriradichel
❤️ LinkedIn: https://www.linkedin.com/in/teriradichel
❤️ Mastodon: @teriradichel@infosec.exchange
❤️ Facebook: 2nd Sight Lab
❤️ YouTube: @2ndsightlab
Git
Credentials
Helper
Cache
Memory
Recommended from ReadMedium
avatarJoel Wembo
Technical Guide: End-to-End CI/CD DevOps with Jenkins, Docker, Kubernetes, ArgoCD, Github Actions …

Building an end-to-end CI/CD pipeline for Django applications using Jenkins, Docker, Kubernetes, ArgoCD, AWS EKS, AWS EC2

54 min read
avatarJan Kammerath
Linus Torvalds’ Critique of C++: A Comprehensive Review

Linus Torvalds, the inventor (and beloved dictator) of Linux, has always been quite harsh about C++ and why he rejects it for Linux kernel…

11 min read
avatarYunus Emre Adas
4 Thing You Need to Know About Git and GitHub

How to use Github like a pro?

5 min read
avatarOliver Foster
What’s the Difference Between localhost and 127.0.0.1?

My article is open to everyone; non-member readers can click this link to read the full text.

8 min read
avatarHossam Ehab
PowerShell Exploits — Modern APTs and Their Malicious Scripting Tactics

Hi in this blog we’ll start with an introduction to PowerShell, explaining why it’s a favorite tool for red teamers. From there, we’ll…

22 min read
avatarZudonu Osomudeya
Master SSH: Advanced Secure Shell Techniques with Real-World Examples

SSH Simplified: Linux

4 min read