Microsoft Open-Sources Git Credential Manager for Mac and Linux (msdn.com)
69 points by dstaheli on Nov 18, 2015 | 28 comments


As has been mentioned (repeatedly) this obviously has no use for people using SSH. Indeed, the goal of this tool is explicitly to be helpful for cloud-hosted repositories in Visual Studio Team Services (formerly Visual Studio Online). This is helpful for teams that enforce two-factor authentication over HTTPS. The article assumes a bit of knowledge about this, but does indeed mention this:

> We ported this tool to Mac and Linux to simplify their authentication to remote Git repositories, in particular those hosted in Visual Studio Team Services (VSTS).


I'm curious why they don't add SSH support to Visual Studio Team Services then. :)

Edit: Apparently they are. But I still think it would've been better to layer two-factor auth on top of SSH keys, since that can be done securely in a 100% offline manner.

Perhaps it's just a cultural difference, since Windows doesn't ship with an SSH client?


Edit: SSH is coming soon.

These are (roughly) orthogonal issues: regardless of whether we support SSH or not, we are going to support HTTPS access to Git repositories. And if we support HTTPS, we must support two-factor authentication. A lot of organizations require this. (In fact, Microsoft itself requires this internally: our authentication to any internal web site uses 2FA.)

So Visual Studio Team Services must support HTTPS with two-factor authentication. It is awfully painful to use git core on the command line without a credential manager to assist you.


> Are you tired of typing in a user name and password every time you fetch from or push to remote Git repositories?

No, because SSH.


Your ssh key isn't password protected, I take it?


It is. ssh-agent caches it though.


ssh-agent solves that problem.



> Are you tired of typing in a user name and password every time you fetch from or push to remote Git repositories?

No?


No, we have something called private and public keys.


And some places, there are these fancy things called Kerberos tickets.


This was exactly my reaction. Solution in search of a problem?


Against a repository hosting service that lacks SSH or rather incentivizes HTTP(S) over SSH (Visual Studio Team Services, formerly Visual Studio Online), entering credentials is a problem with Git. 98% of Git users won't have this issue, but for those few it is probably the biggest, most annoying issue.


This is not yet for those who use SSH. It's for situations where multi-factor authentication is required, including SMS, phone call, etc. SSH support on VSTS Git repos is coming soon: https://visualstudio.uservoice.com/forums/121579-visual-stud...


I am baffled why they would try to port this for Mac / Linux, which already have SSH functionality built-in. It can make sense on Windows where there is no equivalent, by default.


Two-factor authentication is the reason. A use case is to access code from VSTS where two-factor authentication is forced.


Not everybody who uses a code hosting provider like GitHub or Microsoft Visual Studio Team Services uses SSH. Some people use HTTPS for whatever reason (outbound corporate firewalls and proxies, ease of setup, familiarity, or just personal preference). And I would recommend that those users further use two-factor authentication.

This tool is meant to help those users.


I like the idea of adding second-factor authentication to your Git credentials. But doing this using OAuth to a cloud service just seems like the wrong approach. Use SSH keys, and then either (a) set a good password on your key, or (b) store the key on a hardware token, like a Yubikey. [1]

I think the big problem here is that they're using HTTP(S) as a transport for Git. And there's just not very many options left for layering on extra security if you do that.

[1]: I'm a big fan of Yubikeys for credential storage. You can put them in PGP Smartcard mode, and then use the PGP key with SSH: https://www.esev.com/blog/post/2015-01-pgp-ssh-key-on-yubike...


Remember Microsoft's patented triple-e tactic:

1. Embrace

2. Extend

3. Extinguish

We're at step 2. They've gotten pretty fast at it, I must say.


OAuth for SSH? What the hell are you guys doing? No, stop. Stop. Drop it. Go back to the drawing board and learn what SSH can do apart from password and public key auth (hint: Everything from challenge-response schemes to Kerberos).


Are they using Git SSH at all? I assumed they were using OAuth with Git HTTPS transport...


Yes, but why?


Because VSTS doesn't support SSH


Embrace, extend, extinguish, phase 2?


It's not what they're doing (they don't have SSH at all), but is there anything wrong in using OAuth2 tokens to authenticate with an SSH server? Conceptually, they're just another form of password (pre-shared secret).


Honestly, this is just sad.


Off-topic, but personally what I would really like to have is for my password manager (1Password) to manage the ssh keys.


On the front page:

3 mentions of Visual Studio, 2 mentions of Microsoft, 1 mention of ASP.NET

Yes, yes, yes Microsoft are still bleeding edge with the software :)



