是否可以使用非交互式的默认Windows凭据对远程Git存储库进行身份验证?
[英]Is it possible to authenticate to a remote Git repository using the default windows credentials non interactively?
问题描述
My remote Git repository is hosted by the on premises TFS server. 
我的远程Git存储库由内部TFS服务器托管。 There are two ways to access its content: 有两种方法可以访问其内容:
- Using TFS Restful API - https://docs.microsoft.com/en-us/rest/api/vsts/git/items/get?view=vsts-rest-4.1 使用TFS Restful API - https://docs.microsoft.com/en-us/rest/api/vsts/git/items/get?view=vsts-rest-4.1
- Using native git client, eg the
git clonecommand使用本机git客户端,例如git clone命令
To use the Restful API one can use the powershell Invoke-RestMethod command with the -UseDefaultCredentials and it works fine, no questions asked. 要使用Restful API,可以使用powershell Invoke-RestMethod命令和-UseDefaultCredentials ,它可以正常工作,没有问题。
With git clone , however, I have no idea how to use the default credentials. 但是,使用git clone ,我不知道如何使用默认凭据。 The manager credential helper does not use them. 经理凭证助手不使用它们。 When used for the first time it asks for the credentials. 首次使用时,它会要求提供凭据。
So, the options I see are: 所以,我看到的选项是:
- There an alternative git client, maybe with a limited functionality, but good enough to run clone that can use the default windows credentials. 有一个替代的git客户端,可能具有有限的功能,但足以运行可以使用默认Windows凭据的克隆。
- There is a credential helper for windows that can use the default windows credentials. 有一个可以使用默认Windows凭据的Windows凭据帮助程序。
- There is an askpass implementation for windows that can use the default windows credentials. 有一个可以使用默认Windows凭据的Windows的askpass实现。
The problem is that I could not find anything on the web that implements any of these options. 问题是我在网上找不到任何实现这些选项的东西。
Edit 1 编辑1
The approach suggested in https://github.com/git-for-windows/git/wiki/FAQ#how-do-i-access-a-repository-hosted-on-a-microsoft-team-foundation-server-inside-a-windows-domain does not seem to work. 在https://github.com/git-for-windows/git/wiki/FAQ#how-do-i-access-a-repository-hosted-on-a-microsoft-team-foundation-server-中建议的方法inside-a-windows-domain似乎不起作用。 Please, observe: 请观察:
C:\xyz\DevOps> $GitApiUrl
http://tfsserver:8080/tfs/DefaultCollection/code/_apis/git/repositories/MyConfigData
C:\xyz\DevOps> $ProjectName
dev_smoketest56oc
C:\xyz\DevOps> Test-Path .\params.json
False
C:\xyz\DevOps> Invoke-RestMethod -Uri "$GitApiUrl/items?path=$ProjectName.json&api-version=4.1" -UseDefaultCredentials -OutFile params.json
C:\xyz\DevOps> Test-Path .\params.json
True
As you can see the Restful API works without asking for credentials. 正如您所看到的,Restful API可以在不需要凭据的情况下工作。 Now let us try git clone: 现在让我们尝试git clone:
C:\xyz\DevOps> $env:GIT_TRACE=1
C:\xyz\DevOps> git clone http://:@tfsserver:8080/tfs/DefaultCollection/code/_git/MyApp a
09:13:21.405748 exec-cmd.c:236 trace: resolved executable dir: C:/Program Files/Git/mingw64/bin
09:13:21.406249 git.c:415 trace: built-in: git clone http://:@tfsserver:8080/tfs/DefaultCollection/code/_git/MyApp a
Cloning into 'a'...
09:13:21.430369 run-command.c:637 trace: run_command: git remote-http origin http://:@tfsserver:8080/tfs/DefaultCollection/code/_git/MyApp
09:13:21.459149 exec-cmd.c:236 trace: resolved executable dir: C:/Program Files/Git/mingw64/libexec/git-core
09:13:21.460654 git.c:654 trace: exec: git-remote-http origin http://:@tfsserver:8080/tfs/DefaultCollection/code/_git/MyApp
09:13:21.460654 run-command.c:637 trace: run_command: git-remote-http origin http://:@tfsserver:8080/tfs/DefaultCollection/code/_git/MyApp
09:13:21.481711 exec-cmd.c:236 trace: resolved executable dir: C:/Program Files/Git/mingw64/libexec/git-core
09:13:21.539575 run-command.c:637 trace: run_command: 'git credential-manager erase'
09:13:21.642660 exec-cmd.c:236 trace: resolved executable dir: C:/Program Files/Git/mingw64/libexec/git-core
09:13:21.644162 git.c:654 trace: exec: git-credential-manager erase
09:13:21.644162 run-command.c:637 trace: run_command: git-credential-manager erase
fatal: Authentication failed for 'http://:@tfsserver:8080/tfs/DefaultCollection/code/_git/MyApp/'
C:\xyz\DevOps> $env:GIT_TRACE=0
C:\xyz\DevOps>
Authentication failed. 验证失败。
Edit 2 编辑2
On the bash console: 在bash控制台上:
$ GIT_CURL_VERBOSE=1
$ curl -v --ntlm -u : http://tfsserver:8080/tfs/DefaultCollection/code/_git/MyApp -o 1.html 2> out.txt
$ curl -v --ntlm -u : http://:@tfsserver:8080/tfs/DefaultCollection/code/_git/MyApp -o 2.html 2> out2.txt
The files 1.html and 2.html seem to represent the web page of the repository as in the browser, so both curl commands are successful. 文件1.html和2.html似乎代表了浏览器中的存储库的网页,因此两个curl命令都是成功的。
The output files out.txt and out2.txt are very similar, the differences are in timestamps, guids and crypto strings. 输出文件out.txt和out2.txt非常相似,区别在于时间戳,guids和加密字符串。 So, here is out.txt (I took the liberty to remove empty lines and scrub a few strings): 所以,这里是out.txt(我冒昧地删除空行并擦洗几个字符串):
% Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0* Trying 192.168.17.155...* TCP_NODELAY set* Connected to tfsserver (192.168.17.155) port 8080 (#0)* Server auth using NTLM with user ''> GET /tfs/DefaultCollection/code/_git/MyApp HTTP/1.1
> Host: tfsserver:8080
> Authorization: NTLM ***SCRUBBED***
> User-Agent: curl/7.60.0
> Accept: */*
>
< HTTP/1.1 401 Unauthorized
< Content-Type: text/html; charset=us-ascii
< Server: Microsoft-HTTPAPI/2.0
< WWW-Authenticate: NTLM ***SCRUBBED***
< Date: Thu, 15 Nov 2018 23:07:58 GMT
< Content-Length: 341
<
* Ignoring the response-body{ [341 bytes data]
100 341 100 341 0 0 642 0 --:--:-- --:--:-- --:--:-- 642* Connection #0 to host tfsserver left intact* Issue another request to this URL: 'http://tfsserver:8080/tfs/DefaultCollection/code/_git/MyApp'* Found bundle for host tfsserver: 0x4116f20 [can pipeline]* Re-using existing connection! (#0) with host tfsserver* Connected to tfsserver (192.168.17.155) port 8080 (#0)* Server auth using NTLM with user ''> GET /tfs/DefaultCollection/code/_git/MyApp HTTP/1.1
> Host: tfsserver:8080
> Authorization: NTLM ***SCRUBBED***
> User-Agent: curl/7.60.0
> Accept: */*
>
< HTTP/1.1 200 OK
< Cache-Control: no-cache, no-store, must-revalidate
< Pragma: no-cache
< Content-Type: text/html; charset=utf-8
< Expires: -1
< Server: Microsoft-IIS/8.5
< X-TFS-ProcessId: e5b67424-832f-468b-8787-c7c05aef5396
< ActivityId: 50f62941-8163-4ee9-9c2b-81359ca72838
< X-TFS-Session: 50f62941-8163-4ee9-9c2b-81359ca72838
< X-VSS-E2EID: 50f62941-8163-4ee9-9c2b-81359ca72838
< X-FRAME-OPTIONS: SAMEORIGIN
< X-VSS-UserData: 34be4ed8-c4fd-4e9f-bdae-d1843df36b0f:mkharitonov
< X-AspNetMvc-Version: 4.0
< X-AspNet-Version: 4.0.30319
< Set-Cookie: __RequestVerificationToken_L3Rmcw2=***SCRUBBED***; path=/; HttpOnly
< Set-Cookie: __RequestVerificationToken27563503a-8c73-4ee0-8930-e1f466b255f5=***SCRUBBED***; path=/; HttpOnly
< Persistent-Auth: true
< X-Powered-By: ASP.NET
< P3P: CP="CAO DSP COR ADMa DEV CONo TELo CUR PSA PSD TAI IVDo OUR SAMi BUS DEM NAV STA UNI COM INT PHY ONL FIN PUR LOC CNT"
< Lfs-Authenticate: NTLM
< X-Content-Type-Options: nosniff
< Date: Thu, 15 Nov 2018 23:07:58 GMT
< Content-Length: 120608
<
{ [183 bytes data]
100 117k 100 117k 0 0 167k 0 --:--:-- --:--:-- --:--:-- 167k* Connection #0 to host tfsserver left intact
1 个解决方案
解决方案1
3 已采纳 2018-11-16 07:23:16
I cannot verify it to the end, but probably you should set http.emptyAuth to true in config (command git config --global http.emptyAuth true ). 我不能确认到底,但可能你应该设置http.emptyAuth到true的配置(命令git config --global http.emptyAuth true )。 At least after setting it my git 2.19.1.windows.1 has sent a Authorization: Negotiate ... header to a server which advertises this protocol. 至少在设置它之后我的git 2.19.1.windows.1已向发布此协议的服务器发送了Authorization: Negotiate ...标头。
Bottom line: 底线:
git config --global http.emptyAuth true
Does it if LFS is not in the picture. 是否LFS不在图片中。 If LFS is involved, then prepend the host name with :@ , eg 如果涉及LFS,则在主机名前加上:@ ,例如
http://:@tfsserver:8080/tfs/DefaultCollection/code/_git/MyApp
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.