How to Store Multiple Pats/Passwords for Use by Git

How to store multiple PATs/passwords for use by git?

Any credential helper should follow the same process.

But if you have multiple account/password for the same domain (say github.com for instance), then you need to change your remote URL

 cd /path/to/my/local/repo1
 git remote set-url origin https://user1@github.com/user1/myRepo1
                                   ^^^^^^

 cd /path/to/my/local/repo2
 git remote set-url origin https://user2@github.com/user1/myRepo2
                                   ^^^^^^

That way, the credential helper will differentiate your different account.

Since gcm core is a bit fineky to install, test it first with the classic libsecret-based helper.

How can I save username and password in Git?

Attention: This method saves the credentials in plaintext on your PC's disk. Everyone on your computer can access it, e.g. malicious NPM modules.

Run

git config --global credential.helper store

then

git pull

provide a username and password and those details will then be remembered later. The credentials are stored in a file on the disk, with the disk permissions of "just user readable/writable" but still in plaintext.

If you want to change the password later

git pull

Will fail, because the password is incorrect, git then removes the offending user+password from the ~/.git-credentials file, so now re-run

git pull

to provide a new password so it works as earlier.

Using multiple git personal access tokens (PAT) with Credential Manager

There are a couple different approaches you can take here. One is to create a single token with the gist and repo scopes and use that generally. That token does have access to all your repositories, but if you're using a credential helper, then it's stored in an encrypted way and it shouldn't be too risky.

Since you're actually using two different domains here (github.com and gist.github.com), you can use separate tokens without a problem. Tokens are stored scoped on the domain, so there's no conflict here. Just use each credential on its respective domain.

If you want to use different tokens for different repositories, you can do that by setting credential.usehttppath to true. That can also be scoped to a particular URL pattern (including wildcards) such that you it only applies to GitHub (e.g., with git config --global credential.https://github.com/.usehttppath true). Each repository will then have its own set of credentials, and you can store as many tokens as you like. If you have a lot of repositories, this will likely become inconvenient quickly, though.

Finally, if you just want to have different tokens for public and private access, you can do this for GitHub by taking advantage of the fact that GitHub ignores the username when you use a token. You can therefore clone public repositories by putting a public@ before the hostname (e.g., https://public@github.com/git/git.git) and then using private@ for private repositories. Git's credential helpers will store separate credentials for these fake usernames and the respective token will be used.

Where to store my Git personal access token?

Half the point of passwords is that (ideally) you memorize them and the system hashes them, so therefore they're never stored anywhere in plain text.

Yet GitHub's personal access token system seems to basically force you to store the token in plain text?

First, a PAT (Personal Access Token) is not a simple password, but an equivalent that:

• you can generate multiple time (for instance, one per machine from which you need to access GitHub repository)
• you can revoke at any time (from the GitHub web interface), which makes that PAT obsolete, even if it lingers around on one of those machines.

That differs from your password, which is unique to your account, and cannot be easily changed without having to also modify it everywhere you happen to use it.

---

Since a PAT can be used in place of a password when performing Git operations over HTTPS with Git on the command line or the API, you can use a git credential helper to cache it securely.

On Windows, for instance, that would use the Windows Credential Manager, through the GCM -- Git Credential Manager -- for Windows, Mac or Linux:

git config --global credential.helper manager-core

The first time you are pushing to a repo, a popup will ask for your credentials: username and your PAT.

The next time, it won't ask, and reuse directly that PAT, which remains stored securely in your Credential Manager.

A similar idea applies for Mac with the OSX keychain, and Linux with the GNOME Keyring (in 2021, it would need a DBus session and libsecret), but in 2021, GCM-Core covers those use cases.

The idea remains: store the PAT in an encrypted credentials store.

---

As mentioned above, the more modern solution (Q4 2020) is Microsoft Git-Credential-Manager-Core

git config --global credential.helper manager-core

You need for that to install git-credential-manager-core, downloading its latest release, like gcmcore-linux_amd64.2.0.474.41365.deb

sudo dpkg -i <path-to-package>
git-credential-manager-core configure

Although, with GCM (Git-Credential-Manager-Core) on Linux, as noted by Mekky Mayata in the comments, you need to define a git config --global credential.credentialStore first.

See "Credential stores on Linux":

There are four options for storing credentials that Git Credential Manager (GCM) manages on Linux platforms:

• freedesktop.org Secret Service API
• GPG/pass compatible files
• Git's built-in credential cache
• Plaintext files

By default, GCM comes not configured.

You can select which credential store to use by setting the GCM_CREDENTIAL_STORE environment variable, or the credential.credentialStore Git configuration setting.

As noted by agent18 in the comments, using git-credential-libsecret after installing libsecret-1-0 and libsecret-1-dev is a good first step.

But, again, that should be now wrapped by credential-manager-core.

Git credential helper - update password

None of these answers ended up working for my Git credential issue. Here is what did work if anyone needs it (I'm using Git 1.9 on Windows 8.1).

To update your credentials, go to Control Panel → Credential Manager → Generic Credentials. Find the credentials related to your Git account and edit them to use the updated password.

Reference: How to update your Git credentials on Windows

Note that to use the Windows Credential Manager for Git you need to configure the credential helper like so:

git config --global credential.helper wincred

If you have multiple GitHub accounts that you use for different repositories, then you should configure credentials to use the full repository path (rather than just the domain, which is the default):

git config --global credential.useHttpPath true

Multiple GitHub accounts on the same computer?

All you need to do is configure your SSH setup with multiple SSH keypairs.

• This link is easy to follow (Thanks Eric):

  http://code.tutsplus.com/tutorials/quick-tip-how-to-work-with-github-and-multiple-accounts--net-22574

• Generating SSH keys (Win/msysgit):

  https://help.github.com/articles/generating-an-ssh-key/

Relevant steps from the first link:

1. Generate an SSH-key:

   ssh-keygen -t ed25519 -C "john@doe.example.com"
   

   Follow the prompts and decide a name, e.g. id_ed25519_example_company.

2. Copy the SSH public-key to GitHub from ~/.ssh/id_ed25519_doe_company.pub and tell ssh about the key:

   ssh-add ~/.ssh/id_ed25519_doe_company
   

3. Create a config file in ~/.ssh with the following contents:

   Host github-doe-company
     HostName github.com
     User git
     IdentityFile ~/.ssh/id_ed25519_doe_company
   

4. Add your remote:

   git remote add origin git@github-doe-company:username/repo.git
   

   or change using:

   git remote set-url origin git@github-doe-company:username/repo.git
   

---

Also, if you're working with multiple repositories using different personas, you need to make sure that your individual repositories have the user settings overridden accordingly:

Setting user name, email and GitHub token – Overriding settings for individual repos
https://help.github.com/articles/setting-your-commit-email-address-in-git/

Note:
Some of you may require different emails to be used for different repositories, from git 2.13 you can set the email on a directory basis by editing the global config file found at: ~/.gitconfig using conditionals like so:

[user]
    name = Default Name
    email = defaultemail@example.com

[includeIf "gitdir:~/work/"]
    path = ~/work/.gitconfig

And then your work-specific config ~/work/.gitconfig would look like this:

[user]
    name = Pavan Kataria
    email = pavan.kataria@example.com

Thank you @alexg for informing me of this in the comments.

How do I provide a username and password when running git clone git@remote.git?

Based on Michael Scharf's comment:

You can leave out the password so that it won't be logged in your Bash history file:

git clone https://username@github.com/username/repository.git

It will prompt you for your password.

Alternatively, you may use:

git clone https://username:password@github.com/username/repository.git

This way worked for me from a GitHub repository.

---

Related Topics