如何保护Azure DevOps存储库
[英]How to secure Azure DevOps repository
问题描述
It is possible to clone a fresh repository created in Azure DevOps, without being prompted for a password or security token. 
可以克隆在Azure DevOps中创建的新存储库,而无需提示输入密码或安全令牌。 For example, after creating the Repo, it is possible to clone the repository from the command line using: 例如,在创建存储库之后,可以使用以下命令从命令行克隆存储库:
https://username@dev.azure.com/organization-name/project-name/_git/repo-name
There was no prompt to authenticate on the desktop command line before cloning the repository. 在克隆存储库之前,没有提示在桌面命令行上进行身份验证。 My concern is that anyone can guess URL strings and try to clone private repositories. 我担心的是,任何人都可以猜测URL字符串并尝试克隆私有存储库。
When choosing to clone a repository, I have created a password, and also created a personal access token, but still no prompt for any security on the command line. 当选择克隆存储库时,我已经创建了密码,并且还创建了个人访问令牌,但是在命令行上仍然没有任何安全提示。
What is the proper way to secure an Azure DevOps repository? 保护Azure DevOps存储库的正确方法是什么?
2 个解决方案
解决方案1
0 2019-04-28 00:07:47
Azure DevOps, like most Git hosting sites, provides both public and private repositories. 与大多数Git托管站点一样,Azure DevOps提供公共和私有存储库。 A public repository will be accessible to anyone with the URL; 具有URL的任何人都可以访问公共存储库; a private repository will require authentication. 私有存储库将需要身份验证。
If you aren't seeing any authentication prompts, then it's possible your repository is public. 如果您没有看到任何身份验证提示,则可能您的存储库是公共的。 If so, and you don't want it to be, you can view the repository overview in the web interface, click the pencil icon next to the name, and set the visibility to private. 如果是这样,并且您不希望这样做,则可以在Web界面中查看存储库概述,单击名称旁边的铅笔图标,然后将可见性设置为private。
It's also possible that the repository is already private, but you have credentials stored in your Git credential manager that let you have access to the repository and are therefore not prompted. 存储库可能已经是私有的,但是您的凭证存储在Git凭证管理器中,可以让您访问存储库,因此不会提示您。 At the Git Bash prompt, you can run GIT_TRACE=1 GIT_CURL_VERBOSE=1 git clone URL and you'll see whether an Authorization header is included. 在Git Bash提示符下,您可以运行GIT_TRACE=1 GIT_CURL_VERBOSE=1 git clone URL ,您将看到是否包含Authorization标头。 If so, you'll probably also see a call to git credential fill to fill the credentials from your credential store. 如果是这样,您可能还会看到对git credential fill的调用,以填充凭证存储中的凭证。 In this case, there's nothing to worry about, since authentication is required, but you're authorized. 在这种情况下,无需担心,因为需要身份验证,但是您已获得授权。
解决方案2
0 2019-04-28 05:05:53
If your repository was actually private , but you did not have any credential prompt, check the output of: 如果您的存储库实际上是private ,但是您没有任何凭据提示,请检查以下内容的输出:
git config credential.helper
On Windows, for example, that would be your Windows Credentials Manager . 例如,在Windows上,这将是Windows Credentials Manager 。
On MacOS, that would be your OSX KeyChain . 在MacOS上,这将是OSX KeyChain 。
If " dev.azure.com " was stored in one of those credentials helpers, that would explain the lack of prompt when cloning a private repository. 如果将“ dev.azure.com ”存储在这些凭证帮助器之一中,这将说明克隆专用存储库时缺少提示。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.