
How to make git not ask for password at pull?

Tags:

git

linux

I have the following setup:

A server (CentOS) with git and a repository for a project on the same server.

What I need to do is to be able to pull from the repository without being asked for a password (because it is annoying).

Note: I am logged as root when I pull.

Can anyone help me with that?

like image 879
Camelia Avatar asked Aug 14 '12 06:08

Camelia


2 Answers

There are a few options, depending on what your requirements are, in particular your security needs. For both HTTP and SSH, there is password-less, or password required access.

HTTP
==============

Password-Less

Useful for fetch-only requirements; by default push is disabled. Perfect if anonymous cloning is the intention. You definitely shouldn't enable push for this type of configuration. The man page for git-http-backend contains good information, online copy at http://www.kernel.org/pub/software/scm/git/docs/git-http-backend.html. It provides an example of how to configure Apache to provide this.

User/password in .netrc or url embedded

Where .netrc files are used in the form:

machine <hostname> login <username> password <password>

And embedded urls would be in the form:

http://user:pass@hostname/repo

Since git won't do auth for you, you will need to configure a webserver such as Apache to perform the auth, before passing the request on to the git tools. Also keep in mind that using the embedded method is a security risk, even if you use HTTPS, since it is part of the URL being requested.

If you want to be able to pull non-interactively, but prevent anonymous users from accessing the git repo, this should be a reasonably lightweight solution using Apache for basic auth and preferably the .netrc file to store credentials. As a small gotcha, git will enable write access once authentication is being used, so either use anonymous HTTP for read-only, or you'll need to perform some additional configuration if you want to prevent the non-interactive user from having write access.

See:

  • httpd.apache.org/docs/2.4/mod/mod_auth_basic.html for more on configuring basic auth
  • www.kernel.org/pub/software/scm/git/docs/git-http-backend.html for some examples of the Apache config needed.


SSH
==============

Passphrase-Less

Opens up for security issues, since anyone who can get a hold of the ssh private key can now update the remote git repo as this user. If you want to use this non-interactively, I'd recommend installing something like gitolite to make it a little easier to ensure that those with the ssh private key can only pull from the repo, and it requires a different ssh key pair to update the repo.

See github.com/sitaramc/gitolite/ for more on gitolite.

stromberg.dnsalias.org/~strombrg/ssh-keys.html - for creating password-less ssh keys. May also want to cover managing multiple ssh keys: www.kelvinwong.ca/2011/03/30/multiple-ssh-private-keys-identityfile/

Passphrase protected

Can use ssh-agent to unlock on a per-session basis, only really useful for interactive fetching from git. Since you mention root and only talk about performing 'git pull', it sounds like your use case is non-interactive. This is something that might be better combined with gitolite (github.com/sitaramc/gitolite/).

Summary
==============

Using something like gitolite will abstract a lot of the configuration away for SSH-type setups, and is definitely recommended if you think you might have additional repositories or need to specify different levels of access. Its logging and auditing are also very useful.

If you just want to be able to pull via HTTP, the git-http-backend man page should contain enough information to configure Apache to do the needful.

You can always combine anonymous http(s) for clone/pull with passphrase-protected ssh access required for full access, in which case there is no need to set up gitolite; you'll just add the ssh public key to the ~/.ssh/authorized_keys file.

like image 195
dbailey Avatar answered Sep 29 '22 19:09

dbailey
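
An added example, not part of dbailey's answer: a small POSIX shell audit of the two credential stores the answer describes. It flags a .netrc that group or other can access and any remote URL in a git config file that embeds user:password@, printing the URL with the password redacted. The function names, host, user and password are assumptions constructed for the demo.

```shell
#!/bin/sh
# Added example: audit the two places the answer says Git HTTP credentials live.

# netrc_status FILE: prints "ok" when group/other have no permission bits,
# "loose" otherwise, and "missing" if the file does not exist.
netrc_status() {
    [ -f "$1" ] || { echo missing; return 0; }
    # Characters 5-10 of the `ls -l` mode string are the group and other bits.
    if [ "$(ls -ld -- "$1" | cut -c5-10)" = "------" ]; then
        echo ok
    else
        echo loose
    fi
}

# embedded_cred_urls CONFIG: prints every url/pushurl carrying user:password@,
# with the password replaced so the report itself leaks nothing.
embedded_cred_urls() {
    sed -nE 's#^[[:space:]]*(push)?url[[:space:]]*=[[:space:]]*(https?://[^[:space:]/@:]+):[^[:space:]/@]+@#\2:REDACTED@#p' "$1"
}

# audit NETRC CONFIG: returns 1 if either check reports a finding, else 0.
audit() {
    rc=0
    if [ "$(netrc_status "$1")" = loose ]; then
        echo "FINDING: $1 is accessible to group/other; run chmod 600 on it"
        rc=1
    fi
    urls=$(embedded_cred_urls "$2")
    if [ -n "$urls" ]; then
        echo "FINDING: password embedded in remote URL (move it to .netrc):"
        echo "$urls"
        rc=1
    fi
    return "$rc"
}

# Constructed sample input: a world-readable .netrc and a repository config
# whose remote embeds a password. Host, user and password are made up.
demo() {
    d=$(mktemp -d)
    printf 'machine git.example.test login deploy password s3cret\n' > "$d/netrc"
    chmod 644 "$d/netrc"
    printf '[remote "origin"]\n\turl = http://deploy:s3cret@git.example.test/repo.git\n' > "$d/config"
    audit "$d/netrc" "$d/config" || echo "audit exit status: $?"
    rm -rf "$d"
}
demo
```

On a real host, point `audit` at the pulling user's `~/.netrc` and the repository's `.git/config`.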


See the answer to this question. You should use the SSH access instead of HTTPS/GIT and authenticate via your SSH public key. This should also work locally.

like image 43
scai Avatar answered Sep 29 '22 20:09

scai