Om Prakash

Reputation: 101

How to handle application password in Git repo

I have to set up an SSH connection using Python. I am using the pexpect module, to which I need to pass user credentials.

I keep my code in a Git repo. How can I handle the password?

Should I -

  1. Encode it with baseurl64 or
  2. Keep it in the Jenkins password manager?

What are the best standards you follow?

Upvotes: 1

Views: 214

Answers (1)

bk2204

Reputation: 76409

You should not store secrets unencrypted in a Git repository. Anyone who obtains a copy of that repository can get access to those secrets. Even if the repository is private, sometimes unauthorized users get access to repositories, and you definitely want to limit the possible damage.

Base64-encoding secrets does not hide them, so you should not use that option. The best way to set up an SSH connection would be to generate a key without a passphrase and store it in your CI secret store, and then, in your CI job, save it to a temporary file and use it with ssh -i.

If that's not possible, you can use a password with your pexpect option and store that in your CI secret store.

Upvotes: 3
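The flow described in the answer above (key held in the CI secret store, written to a temporary file in the job, passed to ssh -i), as an added example that is not part of the original answer. It assumes the CI system exposes the secret as an environment variable; the name DEPLOY_SSH_KEY and the helper names are hypothetical.

```python
import os
import subprocess
import tempfile
from contextlib import contextmanager

KEY_ENV_VAR = "DEPLOY_SSH_KEY"  # hypothetical name; injected by the CI secret store


@contextmanager
def private_key_file(env_var=KEY_ENV_VAR):
    """Write the key from the environment to a 0600 temp file; delete it afterwards."""
    key = os.environ.get(env_var)
    if not key:
        raise RuntimeError(f"{env_var} is not set; configure it in the CI secret store")
    # mkstemp creates the file readable and writable by the owner only (0600),
    # which ssh requires before it will use a private key file.
    fd, path = tempfile.mkstemp(prefix="ci-key-")
    try:
        with os.fdopen(fd, "w") as fh:
            # CI variables often lose the trailing newline, which can make
            # OpenSSH reject the key, so restore it if it is missing.
            fh.write(key if key.endswith("\n") else key + "\n")
        yield path
    finally:
        os.unlink(path)  # the key never outlives the job step


def build_ssh_command(key_path, target, remote_command):
    """Return the ssh argv as a list, so no shell ever interprets the arguments."""
    return [
        "ssh",
        "-i", key_path,
        "-o", "IdentitiesOnly=yes",  # offer only this key, not agent keys
        "-o", "BatchMode=yes",       # fail instead of prompting for a password
        target,
        remote_command,
    ]


def run_remote(target, remote_command):
    """Run remote_command on target (user@host) with the key from the secret store."""
    with private_key_file() as key_path:
        cmd = build_ssh_command(key_path, target, remote_command)
        return subprocess.run(cmd, capture_output=True, text=True, check=True)
```

Because the key comes from the job environment, nothing secret is committed to the repository, and the repository only needs to document which variable the job expects.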
