https://github.com/frederick888/git-credential-keepassxc

Helper that allows Git (and shell scripts) to use KeePassXC as credential store

# `git-credential-keepassxc`

[![GitHub Actions Status](https://github.com/Frederick888/git-credential-keepassxc/workflows/Build%20and%20Test/badge.svg)](https://github.com/Frederick888/git-credential-keepassxc/actions)
[![License: GPL v3](https://img.shields.io/badge/License-GPLv3-blue.svg)](https://www.gnu.org/licenses/gpl-3.0)
[![crates.io version](https://img.shields.io/crates/v/git-credential-keepassxc?color=greenyellow&cacheSeconds=1800)](https://crates.io/crates/git-credential-keepassxc)

`git-credential-keepassxc` is a [Git credential](https://git-scm.com/docs/gitcredentials) helper that allows Git (and shell scripts) to get/store logins from/to [KeePassXC](https://keepassxc.org/).

It communicates with KeePassXC using [keepassxc-protocol](https://github.com/keepassxreboot/keepassxc-browser/blob/develop/keepassxc-protocol.md), which was originally designed for browser extensions.

## How to install

### Quick

1. Install the [Rust](https://www.rust-lang.org/) compiler via [rustup](https://rustup.rs/) or your favourite package manager
2. Run `cargo install --locked git-credential-keepassxc`; it will be installed to the [Cargo installation root](https://doc.rust-lang.org/cargo/commands/cargo-install.html#description)

### Pre-Built Binaries (Experimental)

Experimental pre-built binaries are available at the [GitHub release page](https://github.com/Frederick888/git-credential-keepassxc/releases).

`*-minimal` ones are built with no optional features, and `*-full` ones are built with all.

### Optional features

`git-credential-keepassxc` has the following optional features:

| Feature | Description |
|-----------------|------------------------------------------------------------------------------------------------------------------|
| `all` | Enable all features |
| `notification` | Desktop notifications, helpful if `git-credential-keepassxc` is used in scripts |
| `yubikey` | Allow encrypting configuration file using YubiKey HMAC-SHA1 |
| `strict-caller` | Enforce caller limiting when associated databases exist (see [Limiting callers](#limiting-callers) for details!) |

You can use [cargo-update](https://crates.io/crates/cargo-update) to make the features persistent across updates.

```sh
# install cargo-update first
$ cargo install --locked cargo-update
# enable and persist features
$ cargo install --locked --features ... git-credential-keepassxc
# note the different order of package name and --feature (singular) flag
$ cargo install-update-config git-credential-keepassxc --enforce-lock --feature ...

# later when you update
$ cargo install-update git-credential-keepassxc
```

## Configuration

Similar to the browser extensions, `git-credential-keepassxc` needs to be associated with KeePassXC first:

```sh
# enable browser integration in KeePassXC settings, then
$ git-credential-keepassxc caller me # only required if compiled with strict-caller, see Limiting callers
$ git-credential-keepassxc configure
$ git config --global --replace-all credential.helper 'keepassxc --git-groups'
```

A dedicated group (by default `Git`) will be created. If you want to use credentials from other groups, please check out [Filtering results](#filtering-results).

For more options, run `git-credential-keepassxc -h` to show the help message.

## Limiting callers

`git-credential-keepassxc` allows you to limit callers of the program:

```sh
# don't forget to add yourself first
$ git-credential-keepassxc caller me
Gonna save current caller to allowed callers list:
{
    "path": "/usr/bin/zsh",
    "uid": 1000,
    "gid": 1000,
    "canonicalize": false
}
Press Enter to continue...
# then add Git
$ git-credential-keepassxc caller add --uid "$(id -u)" --gid "$(id -g)" "$(command -v git)"
# you may also need to add other executables in /usr/lib/git-core/
# run `git config --global --replace-all credential.helper 'keepassxc -vv --git-groups'` to enable logs if any Git subcommand is blocked

$ sh -c 'printf "url=https://example.com\nusername=foo\n" | git-credential-keepassxc get'
May 10 12:51:56.108 ERRO /usr/bin/bash (uid=1000, gid=1000) is not allowed to call git-credential-keepassxc, Caused by: N/A
$ printf 'url=https://example.com\nusername=foo\n' | git credential fill
May 10 12:52:53.995 WARN Request get-logins failed. Error: No logins found, Error Code: 15
May 10 12:52:53.995 ERRO Request get-logins failed, Caused by: N/A, Message: Request get-logins failed

# disable this function
$ git-credential-keepassxc caller clear
```

*Note:* If you've enabled `strict-caller`, you must add caller profiles before configuring databases, otherwise you won't be able to run `git-credential-keepassxc` afterwards.

## Encrypting KeePassXC keys using YubiKey

By default the keys for authentication are stored in plaintext, which can be particularly dangerous if you've allowed clients to retrieve any credentials without confirmation.

`git-credential-keepassxc` is capable of encrypting these keys using YubiKey HMAC-SHA1 Challenge-Response. First make sure you've enabled the `yubikey` feature, then:

```sh
# encrypt using YubiKey slot 2 and a randomly generated challenge
$ git-credential-keepassxc encrypt challenge-response
```

To decrypt the keys:

```sh
$ git-credential-keepassxc decrypt
```

For more details, see: [wiki/Encryption](https://github.com/Frederick888/git-credential-keepassxc/wiki/Encryption)

## Filtering results

### By group names

`--group <GROUP>`. This option can be repeated. `<GROUP>` is the name of the group itself; paths are not supported.

### By dedicated Git group names

`--git-groups`. This uses the names of the groups created by `git-credential-keepassxc configure [--group <GROUP>]`.

Note that if you have more than one database, it's recommended to use the same group name, as this option filters all results using all the group names.

### By an advanced string field

1. In KeePassXC, go to Tools -> Settings -> Browser Integration -> Advanced and enable `Return advanced string fields which start with "KPH: "` (this is enabled by default)
2. Open the entry you'd like to hide
3. Go to Advanced
4. Add an additional attribute `KPH: git` (the space after the colon is required) with the value `false`

### A note on `git-credential-keepassxc store`

Since `git-credential-keepassxc store` consists of looking up existing entries and then updating or creating one, these filters can also stop it from updating certain entries.

This is *important* as Git may call `git-credential-keepassxc store` after validating a password, and it can update your login password entry rather than the API token one.

## Scripting

`git-credential-keepassxc` can also help manage credentials in shell scripts. You can send a request via standard input in the [git-credential input/output format](https://git-scm.com/docs/git-credential#IOFMT) then process the response.

Accepted fields in input (unknown fields are ignored):

- `url`
- `username`
- `password` (`store` requests only)

Responses are in the same format. Alternatively, `get`, `totp`, and `generate-password` responses can be formatted as JSON with the `--json` flag; `get` and `totp` also support the `--raw` flag.

For instance, to connect to a Remote Desktop service:

```sh
#!/usr/bin/env -S bash -euET -o pipefail -O inherit_errexit

trap 'notify-send "RDP Failure" "Failed to connect to Remote Desktop service"' ERR

HOST="example.com"
PORT="3389"
USERNAME="Administrator"
PASSWORD="$(printf 'url=rdp://%s:%s\nusername=%s\n' "$HOST" "$PORT" "$USERNAME" | git-credential-keepassxc get | sed -n 's/^password=//p')"

xfreerdp /v:"$HOST:$PORT" /cert-tofu /cert:ignore \
    /size:2560x1620 /smart-sizing /scale:140 /scale-desktop:140 /scale-device:140 \
    +compression /compression-level:2 +clipboard +themes +wallpaper \
    /t:Example +decorations /u:"$USERNAME" /p:"$PASSWORD"
```
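
The request/response handling described in this section, as an added example that is not part of the project's README or code: POSIX shell helpers that build a request in the git-credential format and read one field from the response, refusing input values that contain a newline so untrusted data cannot add extra fields to the request. The function names `cred_request`, `cred_field` and `cred_get_password` are hypothetical.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not part of the project.

# cred_request URL USERNAME
# Print a request in the git-credential format. A newline inside a value
# would begin a new key=value line, letting untrusted input inject fields
# (such as a second url=), so such values are refused.
cred_request() {
    nl='
'
    for value in "$1" "$2"; do
        case $value in
            *"$nl"*)
                echo "cred_request: newline in field value" >&2
                return 1 ;;
        esac
    done
    printf 'url=%s\nusername=%s\n' "$1" "$2"
}

# cred_field KEY
# Read a response on stdin and print the value of the first KEY= line.
# Only the first "=" separates key from value, so a password containing
# "=" is returned intact. Returns 1 when the key is absent.
cred_field() {
    key=$1
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            "$key="*)
                value=${line#"$key"=}
                printf '%s\n' "$value"
                return 0 ;;
        esac
    done
    return 1
}

# cred_get_password HELPER URL USERNAME
# HELPER is the command to query, e.g. git-credential-keepassxc.
cred_get_password() {
    helper=$1
    request=$(cred_request "$2" "$3") || return 1
    response=$(printf '%s\n' "$request" | "$helper" get) || return 1
    printf '%s\n' "$response" | cred_field password
}
```

In the script above, the password lookup would become `PASSWORD="$(cred_get_password git-credential-keepassxc "rdp://$HOST:$PORT" "$USERNAME")"`.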

## Troubleshooting and more

[Wiki](https://github.com/Frederick888/git-credential-keepassxc/wiki)