git-credential-manager icon indicating copy to clipboard operation
git-credential-manager copied to clipboard
verified publisher icon git-ecosystem

Password too long with Windows authentication

Open usinelogicielle opened this issue 3 years ago • 2 comments

Which version of GCM are you using?

$ git credential-manager-core --version
2.0.567+3047faf390

$git lfs env
git-lfs/3.0.1 (GitHub; windows amd64; go 1.17.1)
git version 2.33.1.windows.1

$git --version
git version 2.33.1.windows.1

Which Git host provider are you trying to connect to?

  • [ ] Azure DevOps
  • [ ] Azure DevOps Server (TFS/on-prem)
  • [ ] GitHub
  • [ ] GitHub Enterprise
  • [ ] Bitbucket
  • [x] Other - please describe

We used gitlab on premise for git and Artifactory on premise for git LFS

Expected behavior

The credential with very long characters saved by Windows is entirely saved in the credential manager.

Actual behavior

I have a very long password given by Artifactory. When I enter it in the window for Windows to save it in the login manager. The password is not complete. Then during its use, git says that the credential is not good because it is not complete.

GCM_prompt If I cancel the window, 2 others open and these ones work well. GCM_prompt_user GCM_prompt_pass

It seems the password length is limited to 256 characters but my token has 853 characters.

Logs The real token is : "eyJ2ZXIiOiIyIiwidHlwIjoiSldUIiwiYWxnIjoiUlMyNTYiLCJraWQiOiJIM01iTXh5U3duM2U2Rm1mRjVMUUNNem1KVmdMWmdtNUkyQ2cweUlLYXFJIn0.eyJzdWIiOiJqZnJ0QDAxZDg2OG1razZ4cXgyMGd5NXl0Y2Yxa2YyXC91c2Vyc1wvdmRsaWItdGVzdC10b2tlbiIsInNjcCI6ImFwcGxpZWQtcGVybWlzc2lvbnNcL2dyb3Vwczp2ZGxpYi10ZXN0LXRva2VuLGF1dGhlbnRpY2F0ZWQiLCJhdWQiOiJqZnJ0QDAxZDg2OG1razZ4cXgyMGd5NXl0Y2Yxa2YyIiwiaXNzIjoiamZydEAwMWQ4Njhta2s2eHF4MjBneTV5dGNmMWtmMlwvdXNlcnNcL3JpY2hhcmNoIiwiaWF0IjoxNjU4MzkwNTg0LCJqdGkiOiI3N2Y2N2VmMS0wOWYxLTRlMTctODEyMC04MmEzNTgyOTY4ZGMifQ.LXL0UWoz7waWYuGJAWVYUe79F6wUF42nvtKgFi_pxcrv3dQCBEn2wOWNbhSgeuOgbqYdijX6xDNnGOF09hRz0CZO2CJ7bxLShpYY-0cI4mKfhJwRnagB6boaMhbuUTNWGk-ajcACjrPdQubTbilII6fy93Nt4nSOzgDp78u7ZDxD8-q8sACAQ9lvOO1oaNUEsbaU-_fjGY4PSOJsYe4tqS-NV7xPf0JkINLthiDZz8FCGrznMVE0vQO5__SfMmy1B5g_eCM-eID3gk9XWhYSL8NR9-d3YgSc1LY86OfitBM3P1ska93qD3viipc_BK4VznrC3oepJKqR8mkeFjcXLQ" The log is sanitized from personnal info. All change are between <>. The password is shown but already deleted in our instance.

$ GCM_TRACE=1 GCM_TRACE_SECRETS=1 GIT_CURL_VERBOSE=1 git lfs pull
11:53:46.426912 trace git-lfs: exec: git 'version'
11:53:46.594120 trace git-lfs: exec: git '-c' 'filter.lfs.smudge=' '-c' 'filter.lfs.clean=' '-c' 'filter.lfs.process=' '-c' 'filter.lfs.required=false' 'rev-parse' '--git-dir' '--show-toplevel'
11:53:46.651319 trace git-lfs: exec: uname
11:53:46.796465 trace git-lfs: exec: cygpath '-w' '.git'
11:53:46.904496 trace git-lfs: exec: cygpath '-w' 'C:/Users/<my_user>/workspace/<my_project>'
11:53:47.008400 trace git-lfs: exec: git 'rev-parse' '--is-bare-repository'
11:53:47.057243 trace git-lfs: exec: git 'config' '--includes' '--local' 'lfs.repositoryformatversion'
11:53:47.112620 trace git-lfs: exec: cygpath '-w' 'C:\Users\<my_user>\workspace\<my_project>'
11:53:47.208347 trace git-lfs: exec: git 'config' '--includes' '-l'
11:53:47.261877 trace git-lfs: exec: git 'rev-parse' '--is-bare-repository'
11:53:47.313272 trace git-lfs: exec: git 'config' '--includes' '-l' '-f' 'C:\Users\<my_user>\workspace\<my_project>\.lfsconfig'
11:53:47.366065 trace git-lfs: exec: git '-c' 'filter.lfs.smudge=' '-c' 'filter.lfs.clean=' '-c' 'filter.lfs.process=' '-c' 'filter.lfs.required=false' 'rev-parse' 'HEAD' '--symbolic-full-name' 'HEAD'
11:53:47.416721 trace git-lfs: exec: git '-c' 'filter.lfs.smudge=' '-c' 'filter.lfs.clean=' '-c' 'filter.lfs.process=' '-c' 'filter.lfs.required=false' 'rev-parse' 'HEAD' '--symbolic-full-name' 'HEAD'
11:53:47.474241 trace git-lfs: exec: cygpath '-w' 'C:/Program Files/Git/mingw64/bin/git-askpass.exe'
11:53:47.575038 trace git-lfs: exec: cygpath '-w' 'C:/Program Files/Git/mingw64/bin/git-askpass.exe'
11:53:47.696519 trace git-lfs: tq: running as batched queue, batch size of 100
11:53:47.697555 trace git-lfs: exec: git '-c' 'filter.lfs.smudge=' '-c' 'filter.lfs.clean=' '-c' 'filter.lfs.process=' '-c' 'filter.lfs.required=false' 'ls-tree' '-r' '-l' '-z' '--full-tree' '2927def29590ef27c0c9e7b6a69b77125d5841f3'
11:53:47.702143 trace git-lfs: exec: git '-c' 'filter.lfs.smudge=' '-c' 'filter.lfs.clean=' '-c' 'filter.lfs.process=' '-c' 'filter.lfs.required=false' 'rev-parse' '--git-common-dir'
11:53:47.741830 trace git-lfs: filepathfilter: accepting ".gitattributes"
11:53:47.741830 trace git-lfs: filepathfilter: accepting ".lfsconfig"
11:53:47.741830 trace git-lfs: filepathfilter: accepting "README.md"

11:53:47.783942 trace git-lfs: exec: cygpath '-w' '.git'
11:53:47.933109 trace git-lfs: exec: cygpath '-w' '.git'

11:53:48.076409 trace git-lfs: exec: git 'update-index' '-q' '--refresh' '--stdin'

11:53:48.083270 trace git-lfs: fetch <project_path_for_jar>xml-apis.jar [00e7ff4fb2f424bb3c6031b6e7ad03c2badf7af08c1798c8ede6a5d7b7843520]
11:53:48.136747 trace git-lfs: tq: sending batch of size 1
11:53:48.136747 trace git-lfs: api: batch 1 files
11:53:48.136747 trace git-lfs: creds: git credential fill ("https", "<artifactory_host>", "")
11:53:48.137782 trace git-lfs: exec: git 'credential' 'fill'
11:53:48.518607 ...pplicationBase.cs:75 trace: [RunAsync] Tracing of secrets is enabled. Trace output may contain sensitive information.
11:53:48.532695 ...\Application.cs:95   trace: [RunInternalAsync] Version: 2.0.567.18224
11:53:48.532695 ...\Application.cs:96   trace: [RunInternalAsync] Runtime: .NET Framework 4.0.30319.42000
11:53:48.532695 ...\Application.cs:97   trace: [RunInternalAsync] Platform: Windows (x86-64)
11:53:48.532695 ...\Application.cs:98   trace: [RunInternalAsync] OSVersion: 10.0 (build 18363)
11:53:48.532695 ...\Application.cs:99   trace: [RunInternalAsync] AppPath: C:\Program Files\Git\mingw64\libexec\git-core\git-credential-manager-core.exe
11:53:48.532695 ...\Application.cs:100  trace: [RunInternalAsync] Arguments: get
11:53:48.586562 ...GitCommandBase.cs:33 trace: [ExecuteAsync] Start 'get' command...
11:53:48.595526 ...GitCommandBase.cs:47 trace: [ExecuteAsync] Detecting host provider for input:
11:53:48.596522 ...GitCommandBase.cs:48 trace: [ExecuteAsync]   protocol=https
11:53:48.596522 ...GitCommandBase.cs:48 trace: [ExecuteAsync]   host=<artifactory_host>
11:53:48.784991 ...viderRegistry.cs:147 trace: [GetProviderAsync] Performing auto-detection of host provider.
11:53:48.887289 ...viderRegistry.cs:152 trace: [GetProviderAsync] Auto-detect probe timeout is 2 ms.
11:53:48.889283 ...viderRegistry.cs:160 trace: [GetProviderAsync] Checking against 3 host providers registered with priority 'Normal'.
11:53:48.891280 ...viderRegistry.cs:175 trace: [GetProviderAsync] Querying remote URL for host provider auto-detection.
info: detecting host provider for 'https://<artifactory_host>/'...
11:53:48.892275 ...pClientFactory.cs:58 trace: [CreateClient] Creating new HTTP client instance...
11:53:49.583461 ...pClientFactory.cs:97 trace: [CreateClient] Custom certificate verification has been enabled with certificate bundle at C:/Users/<my_user>/<SSL_certificate>
11:53:50.055047 ...etHostProvider.cs:70 trace: [IsSupported] Host isn't supported as Bitbucket
11:53:50.055047 ...viderRegistry.cs:160 trace: [GetProviderAsync] Checking against 1 host providers registered with priority 'Low'.
11:53:50.056043 ...GitCommandBase.cs:50 trace: [ExecuteAsync] Host provider 'Generic' was selected.
11:53:50.058051 ...\HostProvider.cs:126 trace: [GetCredentialAsync] Looking for existing credential in store with service=https://<artifactory_host> account=...
11:53:50.240043 ...\HostProvider.cs:131 trace: [GetCredentialAsync] No existing credentials found.
11:53:50.240043 ...\HostProvider.cs:134 trace: [GetCredentialAsync] Creating new credential...
11:53:50.433807 ...icHostProvider.cs:58 trace: [GenerateCredentialAsync] Checking host 'https://<artifactory_host>/' for Windows Integrated Authentication...
11:53:50.435801 ...Authentication.cs:34 trace: [GetIsSupportedAsync] HTTP: HEAD https://<artifactory_host>/
11:53:50.435801 ...pClientFactory.cs:58 trace: [CreateClient] Creating new HTTP client instance...
11:53:51.103103 ...pClientFactory.cs:97 trace: [CreateClient] Custom certificate verification has been enabled with certificate bundle at C:/Users/<my_user>/<SSL_certificate>
11:53:51.344177 ...Authentication.cs:37 trace: [GetIsSupportedAsync] HTTP: Response code ignored.
11:53:51.344177 ...Authentication.cs:39 trace: [GetIsSupportedAsync] Inspecting WWW-Authenticate headers...
11:53:51.344177 ...icHostProvider.cs:63 trace: [GenerateCredentialAsync] Host does not support WIA.
11:53:51.344177 ...icHostProvider.cs:84 trace: [GenerateCredentialAsync] Prompting for basic credentials...
11:55:00.012405 ...\HostProvider.cs:136 trace: [GetCredentialAsync] Credential created.
11:55:00.014398 ...GitCommandBase.cs:54 trace: [ExecuteAsync] End 'get' command...
11:55:00.068467 trace git-lfs: Filled credentials for https://<artifactory_host>/artifactory/api/lfs/<project_artifactory_repository>-lfs-local
11:55:00.075934 trace git-lfs: exec: cygpath '-w' 'C:/Users/<my_user>/<SSL_certificate>'
11:55:00.189469 trace git-lfs: HTTP: POST https://<artifactory_host>/artifactory/api/lfs/<project_artifactory_repository>-lfs-local/objects/batch
> POST /artifactory/api/lfs/<project_artifactory_repository>-lfs-local/objects/batch HTTP/1.1
> Host: <artifactory_host>
> Accept: application/vnd.git-lfs+json; charset=utf-8
> Authorization: Basic * * * * *
> Content-Length: 231
> Content-Type: application/vnd.git-lfs+json; charset=utf-8
> User-Agent: git-lfs/3.0.1 (GitHub; windows amd64; go 1.17.1)
>
{"operation":"download","objects":[{"oid":"00e7ff4fb2f424bb3c6031b6e7ad03c2badf7af08c1798c8ede6a5d7b7843520","size":123705}],"transfers":["basic","ssh","lfs-standalone-file"],"ref":{"name":"refs/heads/master"},"hash_algo":"sha256"}11:55:00.416279 trace git-lfs: HTTP: 401


< HTTP/1.1 401
< Content-Length: 80
< Connection: keep-alive
< Content-Type: application/json;charset=ISO-8859-1
< Date: Thu, 21 Jul 2022 09:54:57 GMT
< Www-Authenticate: Basic realm="Artifactory Realm"
<
11:55:00.416471 trace git-lfs: HTTP: {
  "errors" : [ {
    "status" : 401,
    "message" : "Bad credentials"
  } ]
}
{
  "errors" : [ {
    "status" : 401,
    "message" : "Bad credentials"
  } ]
}11:55:00.418728 trace git-lfs: exec: git 'credential' 'reject'
11:55:00.854481 ...pplicationBase.cs:75 trace: [RunAsync] Tracing of secrets is enabled. Trace output may contain sensitive information.
11:55:00.868444 ...\Application.cs:95   trace: [RunInternalAsync] Version: 2.0.567.18224
11:55:00.868444 ...\Application.cs:96   trace: [RunInternalAsync] Runtime: .NET Framework 4.0.30319.42000
11:55:00.868444 ...\Application.cs:97   trace: [RunInternalAsync] Platform: Windows (x86-64)
11:55:00.868444 ...\Application.cs:98   trace: [RunInternalAsync] OSVersion: 10.0 (build 18363)
11:55:00.868444 ...\Application.cs:99   trace: [RunInternalAsync] AppPath: C:\Program Files\Git\mingw64\libexec\git-core\git-credential-manager-core.exe
11:55:00.868444 ...\Application.cs:100  trace: [RunInternalAsync] Arguments: erase
11:55:00.919647 ...GitCommandBase.cs:33 trace: [ExecuteAsync] Start 'erase' command...
11:55:00.929620 ...GitCommandBase.cs:47 trace: [ExecuteAsync] Detecting host provider for input:
11:55:00.930616 ...GitCommandBase.cs:48 trace: [ExecuteAsync]   protocol=https
11:55:00.931615 ...GitCommandBase.cs:48 trace: [ExecuteAsync]   host=<artifactory_host>
11:55:00.931615 ...GitCommandBase.cs:48 trace: [ExecuteAsync]   username=vdlib-test-token
11:55:00.931615 ...GitCommandBase.cs:48 trace: [ExecuteAsync]   password=eyJ2ZXIiOiIyIiwidHlwIjoiSldUIiwiYWxnIjoiUlMyNTYiLCJraWQiOiJIM01iTXh5U3duM2U2Rm1mRjVMUUNNem1KVmdMWmdtNUkyQ2cweUlLYXFJIn0.eyJzdWIiOiJqZnJ0QDAxZDg2OG1razZ4cXgyMGd5NXl0Y2Yxa2YyXC91c2Vyc1wvdmRsaWItdGVzdC10b2tlbiIsInNjcCI6ImFwcGxpZWQtcGVybWlzc2lvbnNcL2dyb3Vwczp2
11:55:01.186174 ...viderRegistry.cs:147 trace: [GetProviderAsync] Performing auto-detection of host provider.
11:55:01.308658 ...viderRegistry.cs:152 trace: [GetProviderAsync] Auto-detect probe timeout is 2 ms.
11:55:01.309671 ...viderRegistry.cs:160 trace: [GetProviderAsync] Checking against 3 host providers registered with priority 'Normal'.
11:55:01.311665 ...viderRegistry.cs:175 trace: [GetProviderAsync] Querying remote URL for host provider auto-detection.
info: detecting host provider for 'https://<artifactory_host>/'...
11:55:01.312665 ...pClientFactory.cs:58 trace: [CreateClient] Creating new HTTP client instance...
11:55:01.966922 ...pClientFactory.cs:97 trace: [CreateClient] Custom certificate verification has been enabled with certificate bundle at C:/Users/<my_user>/<SSL_certificate>
11:55:02.456167 ...etHostProvider.cs:70 trace: [IsSupported] Host isn't supported as Bitbucket
11:55:02.456167 ...viderRegistry.cs:160 trace: [GetProviderAsync] Checking against 1 host providers registered with priority 'Low'.
11:55:02.457164 ...GitCommandBase.cs:50 trace: [ExecuteAsync] Host provider 'Generic' was selected.
11:55:02.457164 ...\HostProvider.cs:173 trace: [EraseCredentialAsync] Erasing stored credential in store with service=https://<artifactory_host> account=vdlib-test-token...
11:55:02.646246 ...\HostProvider.cs:180 trace: [EraseCredentialAsync] No credential was erased.
11:55:02.647244 ...GitCommandBase.cs:54 trace: [ExecuteAsync] End 'erase' command...
11:55:02.669178 trace git-lfs: api: http response indicates "basic" authentication. Resubmitting...
11:55:02.669178 trace git-lfs: creds: git credential fill ("https", "<artifactory_host>", "")
11:55:02.670223 trace git-lfs: exec: git 'credential' 'fill'
11:55:03.030448 ...pplicationBase.cs:75 trace: [RunAsync] Tracing of secrets is enabled. Trace output may contain sensitive information.
11:55:03.044411 ...\Application.cs:95   trace: [RunInternalAsync] Version: 2.0.567.18224
11:55:03.044411 ...\Application.cs:96   trace: [RunInternalAsync] Runtime: .NET Framework 4.0.30319.42000
11:55:03.044411 ...\Application.cs:97   trace: [RunInternalAsync] Platform: Windows (x86-64)
11:55:03.044411 ...\Application.cs:98   trace: [RunInternalAsync] OSVersion: 10.0 (build 18363)
11:55:03.044411 ...\Application.cs:99   trace: [RunInternalAsync] AppPath: C:\Program Files\Git\mingw64\libexec\git-core\git-credential-manager-core.exe
11:55:03.044411 ...\Application.cs:100  trace: [RunInternalAsync] Arguments: get
11:55:03.094346 ...GitCommandBase.cs:33 trace: [ExecuteAsync] Start 'get' command...
11:55:03.103290 ...GitCommandBase.cs:47 trace: [ExecuteAsync] Detecting host provider for input:
11:55:03.104287 ...GitCommandBase.cs:48 trace: [ExecuteAsync]   protocol=https
11:55:03.104287 ...GitCommandBase.cs:48 trace: [ExecuteAsync]   host=<artifactory_host>
11:55:03.280818 ...viderRegistry.cs:147 trace: [GetProviderAsync] Performing auto-detection of host provider.
11:55:03.369582 ...viderRegistry.cs:152 trace: [GetProviderAsync] Auto-detect probe timeout is 2 ms.
11:55:03.370609 ...viderRegistry.cs:160 trace: [GetProviderAsync] Checking against 3 host providers registered with priority 'Normal'.
11:55:03.371578 ...viderRegistry.cs:175 trace: [GetProviderAsync] Querying remote URL for host provider auto-detection.
info: detecting host provider for 'https://<artifactory_host>/'...
11:55:03.373602 ...pClientFactory.cs:58 trace: [CreateClient] Creating new HTTP client instance...
11:55:04.010880 ...pClientFactory.cs:97 trace: [CreateClient] Custom certificate verification has been enabled with certificate bundle at C:/Users/<my_user>/<SSL_certificate>
11:55:04.475608 ...etHostProvider.cs:70 trace: [IsSupported] Host isn't supported as Bitbucket
11:55:04.475608 ...viderRegistry.cs:160 trace: [GetProviderAsync] Checking against 1 host providers registered with priority 'Low'.
11:55:04.476584 ...GitCommandBase.cs:50 trace: [ExecuteAsync] Host provider 'Generic' was selected.
11:55:04.478604 ...\HostProvider.cs:126 trace: [GetCredentialAsync] Looking for existing credential in store with service=https://<artifactory_host> account=...
11:55:04.654788 ...\HostProvider.cs:131 trace: [GetCredentialAsync] No existing credentials found.
11:55:04.654788 ...\HostProvider.cs:134 trace: [GetCredentialAsync] Creating new credential...
11:55:04.831358 ...icHostProvider.cs:58 trace: [GenerateCredentialAsync] Checking host 'https://<artifactory_host>/' for Windows Integrated Authentication...
11:55:04.832355 ...Authentication.cs:34 trace: [GetIsSupportedAsync] HTTP: HEAD https://<artifactory_host>/
11:55:04.832355 ...pClientFactory.cs:58 trace: [CreateClient] Creating new HTTP client instance...
11:55:05.439341 ...pClientFactory.cs:97 trace: [CreateClient] Custom certificate verification has been enabled with certificate bundle at C:/Users/<my_user>/<SSL_certificate>
11:55:05.678546 ...Authentication.cs:37 trace: [GetIsSupportedAsync] HTTP: Response code ignored.
11:55:05.678546 ...Authentication.cs:39 trace: [GetIsSupportedAsync] Inspecting WWW-Authenticate headers...
11:55:05.678546 ...icHostProvider.cs:63 trace: [GenerateCredentialAsync] Host does not support WIA.
11:55:05.678546 ...icHostProvider.cs:84 trace: [GenerateCredentialAsync] Prompting for basic credentials...
11:55:11.416517 trace git-lfs: credential fill error: 'git credential fill' error: exit status 130

11:55:11.417039 trace git-lfs: api error: Git credentials for https://<artifactory_host>/artifactory/api/lfs/<project_artifactory_repository>-lfs-local not found:
credential fill errors:
'git credential fill' error: exit status 130

11:55:11.417039 trace git-lfs: filepathfilter: creating pattern ".git" of type gitignore
11:55:11.417039 trace git-lfs: filepathfilter: creating pattern "**/.git" of type gitignore
11:55:11.417039 trace git-lfs: filepathfilter: accepting "tmp"

Exiting because of "interrupt" signal.

usinelogicielle avatar Jul 21 '22 10:07 usinelogicielle

I faced the same issue and it looks like that issue is restricted to the popup dialog. You can disable the gui popup and switch to a text-based prompt with

[credential]
	guiPrompt = false

See https://github.com/GitCredentialManager/git-credential-manager/blob/main/docs/environment.md#gcm_gui_prompt.

ferraith avatar Jul 29 '22 08:07 ferraith

Thx for the answer @ferraith I already tried the guiPrompt and the env variable GCM_GUI_PROMPT=0 but doesn't work for me. The popup is always displayed. I don't understand why.

usinelogicielle avatar Jul 29 '22 13:07 usinelogicielle

The main branch now contains a replacement prompt that should avoid the "too long" problems. It will be included in the next GCM release.

mjcheetham avatar Sep 28 '22 15:09 mjcheetham

@usinelogicielle - our secret scanning software detected a token in your description. Here are the recommended remediation steps:

  1. Rotate the secret if it's in use to prevent breaking workflows.
  2. Revoke this JFrog Platform Access Token through JFrog to prevent unauthorized access. Learn more about JFrog tokens.
  3. Check security logs for potential breaches.

We recommend following these steps immediately.

ldennington avatar Jun 19 '23 17:06 ldennington

@ldennington No worries, this token was created only for this issue. Already deleted in our plateform :)

usinelogicielle avatar Jun 20 '23 18:06 usinelogicielle

Thanks for confirming!

ldennington avatar Jun 20 '23 18:06 ldennington