如何在不使用 SSH 密钥的情况下从脚本输入 git push 密码?
我需要编写一个脚本,可以在不使用 SSH 密钥的情况下将标签从构建服务器推送到 git 服务器。
更多的人可以访问构建服务器而不是 git 服务器,因此 SSH 密钥将不起作用,因为任何人都可以在不指定自己的凭据的情况下推送到 git 服务器。
该脚本将从 Jenkins/Hudson 运行,它在开始构建时提示用户输入用户名和密码,然后将它们作为环境变量传递给脚本。
问题是,我找不到方法强制 git 以编程方式接受密码。
我尝试过:
echo %password% | git push
以及
git push < tempfilewithpassword.txt (not that writing the password to a temp file is a good idea anyway).
但是在这两种情况下 git 仍然提示输入密码。
更新:我也尝试过 python 脚本,重定向 stdin 和 stdout,没有运气,仍然得到提示。
更新:此外,我尝试了 Windows 的 Expect,它在控制台或 Expect 本身中都没有得到提示(IE Expect 从未看到来自 git 的任何输出,它最终只是超时)。
有什么建议吗?
注意:让我澄清一下,因为人们真的很沉迷于使用 SSH 密钥。
要求:
- 应在构建开始时指定凭据(Jenkins 接受它们,并将它们传递给我的脚本)。
- 凭证仅在本次构建期间有效。
- 凭证可以从一个版本更改到下一个版本。
据我所知,涉及设置 SSH 密钥的任何内容都无法满足此要求(除非我要求用户在启动脚本时上传其 SSH 密钥,这很不方便)。
I need to write a script that can push a tag from a build server to a git server WITHOUT USING SSH KEYS.
More people have access to the build server than to the git server, so SSH keys won't work because then anyone could push to the git server without specifying their own credentials.
The script will be run from Jenkins/Hudson, which prompts the user for a username and password when it begins the build, then passes them as environment variables to the script.
The problem is, I can find no way to force git to accept the password programmatically.
I tried:
echo %password% | git push
as well as
git push < tempfilewithpassword.txt (not that writing the password to a temp file is a good idea anyway).
But in both cases git still prompts for the password.
UPDATE: I also have tried a python script, redirecting stdin and stdout, no luck, still get the prompt.
UPDATE: Additionally I tried Expect for Windows, which does NOT get a prompt, either in the console OR in Expect itself (I.E. Expect never sees any output from git, it just times out eventually).
Any suggestions?
NOTE: Let me clarify, because people are really getting hung up on using SSH keys.
Requirements:
- The credentials should be specified at the beginning of the build (Jenkins accepts them, and passes them to my script).
- The credentials last ONLY for the duration of this single build.
- The credentials can change from one build to the next.
As far as I know, NOTHING that involves setting up SSH keys will satisfy this (unless I require the user to upload their SSH key when they initiate the script, which is not convenient).
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
如果您不希望任何人对您的 git 存储库进行推送访问,请在构建服务器上创建一个单独的用户,除了您之外没有人可以访问该用户,并确保其主目录只能由您自己读取。当您想要从脚本对存储库进行标记或其他推送时,将使用此用户。现在您可以正常设置 ssh 密钥了。
但是,我想知道,为什么必须是构建服务器来启动推/拉?包含您的存储库的计算机上的脚本无法启动它吗?那么整个问题就毫无意义了,不是吗?
If you don't want anyone to have push access to your git repository, create a separate user on the build server which no-one but you has access to, and ensure its home directory is readable only by yourself. This user will be used when you want to do tagging or other pushing to your repository from the script. Now you can set up ssh keys normally.
However, I have to wonder, why does it have to be the build server that initiates the push/pull? Can't a script on the machine which contains your repo initiate it? Then the whole issue would be moot, surely?