Everything In Between

How to use HTTP Basic Authentication with git

Coming right on the heels of my need to set up a git repository on shared hosts, I next wanted to see if I could use HTTP authentication for such a repository. Of course, HTTP Basic authentication is extremely insecure: over plain HTTP the username and password are sent merely Base64-encoded, not encrypted. Still, it is typically enough to dissuade the casual user (such as Googlebot) from peeking at things you don’t want available on the public Internet, so it has its uses.

Note that with the setup described in the above-linked previous post, you can only pull over HTTP. This is usually what you want. If you want to be able to push over HTTP as well, git must be compiled with the USE_CURL_MULTI flag.

This is, as it turns out, because git uses curl for its HTTP operations. That means you must have curl installed on your workstation if you don’t already, and it also means that it is curl, not git, that you need to configure. In other words, accessing a git repository that is behind HTTP authentication is exactly the same as accessing one without it, and so is publishing a git repository to an HTTP server. The rest of this short tutorial assumes you have published your repository at http://example.com/git/public-repo.git and are using the Apache web server.

Step 1: Create an HTTP Basic Authentication username and password file

First, you’ll need to create a file that lists the users who are permitted to access your repository over HTTP Basic authentication. This is easily accomplished with the htpasswd utility (or your host’s custom web UI, if one is provided). Let’s create a file called .git-htpasswd to store these usernames and passwords.

From your shell, run the following command:

htpasswd -c /path/to/DOCUMENT_ROOT/.git-htpasswd username

where /path/to/DOCUMENT_ROOT is the full path to the root directory of your web site and username is the username you want to add. If you want to add subsequent users to this file, run the same command again without the -c, like this:

htpasswd /path/to/DOCUMENT_ROOT/.git-htpasswd another_username

You’ll then be prompted to enter a password, and then prompted again to verify that you’ve typed it correctly.

Step 2: Configure HTTP Basic Authentication on Apache

Next, configure standard HTTP Basic Authentication on Apache. In most shared hosting environments, you’ll be allowed to configure per-directory passwords using .htaccess files. Some hosts provide web interfaces for creating “protected folders,” which is basically the same thing. Make certain that the kind of protection you select is “Basic,” because curl will require that.

To do that, create a file named .htaccess in your DOCUMENT_ROOT/git directory, if one does not already exist, with the following contents:

AuthType Basic
AuthName "Git"
AuthUserFile /path/to/DOCUMENT_ROOT/.git-htpasswd
Require valid-user

This tells Apache to look for usernames and passwords in the file named .git-htpasswd we created in step 1.

If everything is set up correctly, you should now be able to access http://example.com/git/public-repo.git in your Web browser and you should be presented with a login dialogue box.

Step 3: Configure curl on your (client) workstation computer

Next, configure your local curl client. git-pull will call curl with its --netrc-optional switch for HTTP operations. This means curl will look for a file named .netrc in your home directory and will read authentication configurations from that file. The format of this file is incredibly simple:

machine example.com
login your_username
password your_password

To check if this is working correctly, run curl yourself to access the current HEAD of the public repository and see if you get the expected result:

curl --netrc --location -v http://example.com/git/public-repo.git/HEAD | grep 'ref: refs/heads'

If you see a line of output then you know this is working, otherwise you should double check your work.

Step 4: There is no step four

You’re done. With this configuration, you can git-pull as you normally would, and git will automatically use your .netrc file to enable curl’s HTTP authentication schemes.
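A check for the two credential files this setup leaves behind, as an added example that is not part of the original post: .netrc keeps the password in clear text and expects the keyword login, and a password file stored under DOCUMENT_ROOT whose name does not start with .ht is not covered by the .ht* deny rule in Apache's stock configuration. The function names and the paths passed to them are assumptions.

```bash
#!/usr/bin/env bash
# Added example: audit the two credential files this tutorial creates.
# Paths are supplied by the caller; nothing is fetched over the network.

# check_netrc FILE HOST: 0 if FILE is private and has login + password for HOST.
check_netrc() {
    local file="$1" host="$2" mode rc=0
    [ -f "$file" ] || { echo "missing: $file"; return 1; }
    # .netrc holds the password in clear text: only the owner may read it.
    mode=$(stat -c '%a' "$file" 2>/dev/null || stat -f '%Lp' "$file")
    case "$mode" in
        600|400) ;;
        *) echo "mode $mode on $file: run chmod 600"; rc=1 ;;
    esac
    # Tokens are whitespace-separated; walk them, tracking the current machine.
    awk -v host="$host" '
        { for (i = 1; i <= NF; i++) tok[++n] = $i }
        END {
            for (i = 1; i <= n; i++) {
                if (tok[i] == "machine") { cur = tok[++i]; continue }
                if (tok[i] == "default") { cur = ""; continue }
                if (cur != host) continue
                if (tok[i] == "login") { login = 1 }
                else if (tok[i] == "password") { pass = 1 }
                else if (tok[i] != "account") { print "unknown keyword: " tok[i]; bad = 1 }
                i++   # skip the value that follows the keyword
            }
            if (!login) { print "no login entry for " host; bad = 1 }
            if (!pass) { print "no password entry for " host; bad = 1 }
            exit bad + 0
        }' "$file" || rc=1
    return $rc
}

# check_authuserfile HTACCESS DOCROOT: 1 if the password file sits under
# DOCROOT with a name the stock Apache ".ht*" deny rule does not cover.
check_authuserfile() {
    local htaccess="$1" docroot="${2%/}" path
    path=$(awk 'tolower($1) == "authuserfile" { gsub(/"/, "", $2); print $2; exit }' "$htaccess")
    [ -n "$path" ] || { echo "no AuthUserFile in $htaccess"; return 1; }
    case "$path" in
        "$docroot"/*) ;;
        *) echo "ok: $path is outside the web root"; return 0 ;;
    esac
    case "${path##*/}" in
        .ht*) echo "ok: $path is covered by the .ht* deny rule"; return 0 ;;
        *) echo "exposed: $path is under $docroot and not named .ht*"; return 1 ;;
    esac
}
```

Run check_netrc ~/.netrc example.com on the workstation and check_authuserfile /path/to/DOCUMENT_ROOT/git/.htaccess /path/to/DOCUMENT_ROOT on the server; a non-zero exit status means the printed finding needs attention.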

Written by Meitar

August 8th, 2008 at 12:56 am

10 Responses to 'How to use HTTP Basic Authentication with git'

  1. These instructions were very helpful, though I had to use this as my .netrc file:

    machine yourserver.example.com
    login your_username
    password your_password

    Note using “login” rather than “username”

    Robert

    28 Aug 08 at 2:06 PM

  2. Thanks for this article, and thanks Robert, I had to have ‘login’ as well.

    Darren

    20 Aug 09 at 9:10 PM

  3. […] * How to use HTTP Basic Authentication with git: http://maymay.net/blog/2008/08/08/how-to-use-http-basic-authentication-with-git * How To Set Up WebDAV With Apache2 On Fedora 10: […]

  4. The following step does not work to correct the problem causing error (fatal: git-push is not available for http/https repository when not compiled with USE_CURL_MULTI).

    Step 3: Configure curl on your (client) workstation computer

    mlewis

    18 Dec 09 at 5:03 PM

  5. @mlewis: As I stated in my blog post, the instructions in this setup assume you only want to pull, not push.

    Meitar

    18 Dec 09 at 5:36 PM

  6. If you are interested in how to do the same with the new git-http-backend:
    http://www.mobiphil.com/2010/03/git-on-shared-hosting-with-git-http-backend/

    mobi phil

    23 Mar 10 at 4:59 AM

  7. […] are password protected. Rebar itself has no facility for passing in authentication information, but it turns out that git under the hood uses curl to do HTTP Basic authentication. This means that with HTTP Basic […]

  8. […] I answered that netrc is used by curl, and works for http protocol, as shown in this example(look for 'netrc' in the page): . Also used with http protocol here: "_netrc/.netrc alternative […]

  9. […] for push operations is difficult, and it also required a .netrc configuration file for all clients [instructions]. See also the installation instructions by Kulbir […]
