Git Credential Management | Learn The Shell

Introduction

Git is the backbone of modern software development, helping developers manage and collaborate on code. When working with remote repositories, such as GitHub or GitLab, secure credential management becomes essential. Without proper management, you could find yourself constantly entering your username and password, which slows down your workflow and increases the risk of security issues.

This article covers Git credential management, exploring how to store and manage your credentials in various environments. You’ll find strategies suitable for both beginner and advanced developers, complete with practical examples for HTTPS and SSH authentication.

Open Table of contents

What Is Git Credential Management?
- Why Is Credential Management Important?
Methods for Managing Git Credentials
Advanced Credential Management
- 1. Handling Multiple Accounts with SSH
  - Example: SSH Config for Multiple Accounts
- 2. Git Credential Manager for OAuth
Best Practices for Git Credential Management
Conclusion

What Is Git Credential Management?

Git credential management refers to the process of storing and reusing credentials like usernames, passwords, or tokens. This eliminates the need to input your credentials repeatedly during Git operations. Proper management ensures both security and convenience when working with repositories.

Why Is Credential Management Important?

Security: Safeguard sensitive information such as authentication tokens or passwords.
Convenience: Automate the credential process, avoiding repetitive entry of credentials.
Efficiency: Streamline your development workflow, freeing up time to focus on coding.

Let’s explore the various methods Git provides for managing credentials.

Methods for Managing Git Credentials

1. HTTPS Authentication

When using HTTPS for remote repository access, Git prompts you for a username and password or a token with each push or pull. This can be cumbersome, especially during long-term development. Yet, Git provides a few tools to avoid repetitive credential entry.

Git Credential Helpers

Credential helpers store and reuse your credentials automatically. Git offers several types of helpers:

Git Credential Cache

This stores credentials in memory for a limited time (15 minutes by default). It’s ideal when you need temporary credential storage without persistence across reboots.

To enable the credential cache:

git config --global credential.helper cache

To change the cache timeout (in seconds), run:

git config --global credential.helper 'cache --timeout=3600'

This configures the cache to store your credentials for one hour.

Git Credential Store

The credential store saves credentials in plain text on disk, making them persist across sessions and reboots. While this is convenient, it’s less secure, as your credentials are stored unencrypted.

Enable the credential store with:

git config --global credential.helper store

The credentials are saved in ~/.git-credentials on Linux/macOS or %USERPROFILE%\.git-credentials on Windows.

Git Credential Manager (GCM)

Git Credential Manager is a secure tool that integrates with platform-specific credential stores, such as macOS Keychain, Windows Credential Manager, and Linux keyring. It also supports OAuth and Personal Access Tokens (PATs), making it the most secure option.

GCM comes pre-installed with Git for Windows, and for macOS, you can install it with Homebrew:

brew tap microsoft/git
brew install --cask git-credential-manager-core

Enable it globally with:

git config --global credential.helper manager-core

GCM is recommended for services like GitHub and GitLab, as it offers modern authentication flows and secure credential storage.

Example: HTTPS Authentication with Personal Access Token (PAT)

Many platforms, such as GitHub, now require Personal Access Tokens (PATs) for HTTPS authentication.

Generate a PAT from your GitHub account under Settings > Developer Settings > Personal Access Tokens.

Clone a repository using HTTPS:

git clone https://github.com/username/repo.git

When prompted, enter your PAT in place of a password.

Username: <your_username>
Password: <your_token>

To avoid re-entering this information, configure Git to store the PAT using a credential helper such as manager-core, store, or cache.

2. SSH Authentication

SSH is a more secure and streamlined method for Git authentication. It uses a key-based authentication process that doesn’t need a password or token for each operation, making it a preferred option for long-term projects.

Generating an SSH Key

If you don’t already have an SSH key, generate one with:

ssh-keygen -t rsa -b 4096 -C "your_email@example.com"

Save it in the default location (~/.ssh/id_rsa).

Adding Your SSH Key to the Agent

To ensure your SSH key is available during your session, add it to the SSH agent:

ssh-add ~/.ssh/id_rsa

Adding Your SSH Key to GitHub or GitLab

Copy your public key to the clipboard:

cat ~/.ssh/id_rsa.pub

Then, go to your Git service (e.g., GitHub) and paste the public key in Settings > SSH and GPG keys. This allows GitHub to associate your key with your account.

Using SSH for Git Operations

Once configured, clone repositories using SSH:

git clone git@github.com:username/repo.git

SSH eliminates the need to enter credentials, making it a secure and convenient method for Git operations.

Advanced Credential Management

1. Handling Multiple Accounts with SSH

When working with many Git hosting services or accounts (such as GitHub and GitLab), it’s useful to set up different SSH keys for each. You can do this by creating a configuration file for the SSH client.

Example: SSH Config for Multiple Accounts

Open or create the SSH config file:
```
nano ~/.ssh/config
```

Add configurations for each account:

Host github.com
    HostName github.com
    User git
    IdentityFile ~/.ssh/id_rsa_github

Host gitlab.com
    HostName gitlab.com
    User git
    IdentityFile ~/.ssh/id_rsa_gitlab

This setup ensures Git automatically uses the appropriate SSH key for each host.

2. Git Credential Manager for OAuth

For Git hosting services that support OAuth, such as GitHub, GitLab, and Azure DevOps, Git Credential Manager (GCM) simplifies the authentication process. GCM securely stores tokens and handles OAuth flows, allowing you to authenticate without manually managing tokens or keys.

When you initiate a Git operation that requires authentication, GCM triggers the OAuth process, storing the token for future use.

Best Practices for Git Credential Management

Use SSH for Secure and Efficient Authentication: SSH is ideal for long-term projects and eliminates the need to repeatedly enter credentials.
Use Personal Access Tokens (PATs) for HTTPS operations: If you use HTTPS, PATs provide more security than passwords and are required by most modern Git services.
Leverage Git Credential Manager: GCM offers the most secure and convenient solution, supporting OAuth and system-level credential storage.
Rotate Credentials Regularly: Whether using PATs or SSH keys, rotating credentials periodically ensures better security.
Securely Store Credentials: Avoid using plain-text storage unless necessary. Credential helpers like GCM or system-level tools provide better protection.

Conclusion

Managing Git credentials is essential for a smooth and secure development workflow. By using tools like SSH keys, Personal Access Tokens (PATs), and Git Credential Manager (GCM), you can automate authentication and enhance security without the hassle of repeatedly entering credentials. As your projects grow, these tools ensure your workflow stays streamlined and protected, making it easier to collaborate and manage code across remote repositories.