git-lfs requires extra authentication

[ousia]

Hi there,

with all my repositories (which don’t have LFS enabled [ŧhey don’t require it]), password is asked only once.

My .gitconfig in Linux also contains:

[core]
    askpass =

But when I add LFS to a repository, I have to enter the password three times.

Because of this, I removed LFS from a repository only containing PDF documents. But over 450MB have to be managed with LFS.

If extra authentication isn’t a bug, my question is why LFS needs it.

Many thanks for your help.

[bk2204]

Hey,

Sorry to hear you're having trouble. Can you run the operation with GIT_TRACE=1 GIT_TRANSFER_TRACE=1 GIT_CURL_VERBOSE=1? Normally we cache the password that's used, but it's possible we're not doing that in the expected way, and that output would be helpful in figuring out why.

In addition, we generally recommend that folks use a credential helper so that they don't need to be prompted for a password.

[ousia]

Hi @bk2204, many thanks for your fast reply.

What I get from git gc && GIT_TRACE=1 GIT_TRANSFER_TRACE=1 GIT_CURL_VERBOSE=1 git push is the following:

git gc && GIT_TRACE=1 GIT_TRANSFER_TRACE=1 GIT_CURL_VERBOSE=1 git push
Counting objects: 14, done.
Delta compression using up to 4 threads.
Compressing objects: 100% (8/8), done.
Writing objects: 100% (14/14), done.
Total 14 (delta 4), reused 14 (delta 4)
21:48:12.032803 git.c:344               trace: built-in: git push
21:48:12.033272 run-command.c:646       trace: run_command: GIT_DIR=.git git-remote-https origin https://ousia@github.com/ousia/gitlfs.git
* Couldn't find host github.com in the .netrc file; using defaults
*   Trying 140.82.118.3...
* TCP_NODELAY set
* Connected to github.com (140.82.118.3) port 443 (#0)
* ALPN, offering http/1.1
* successfully set certificate verify locations:
  CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use http/1.1
* Server certificate:
*  subject: businessCategory=Private Organization; jurisdictionC=US; jurisdictionST=Delaware; serialNumber=5157550; C=US; ST=California; L=San Francisco; O=GitHub, Inc.; CN=github.com
*  start date: May  8 00:00:00 2018 GMT
*  expire date: Jun  3 12:00:00 2020 GMT
*  subjectAltName: host "github.com" matched cert's "github.com"
*  issuer: C=US; O=DigiCert Inc; OU=www.digicert.com; CN=DigiCert SHA2 Extended Validation Server CA
*  SSL certificate verify ok.
> GET /ousia/gitlfs.git/info/refs?service=git-receive-pack HTTP/1.1
Host: github.com
User-Agent: git/2.17.2
Accept: */*
Accept-Encoding: gzip
Accept-Language: en-US, *;q=0.9
Pragma: no-cache

< HTTP/1.1 401 Authorization Required
< Server: GitHub Babel 2.0
< Content-Type: text/plain
< Content-Length: 21
< WWW-Authenticate: Basic realm="GitHub"
< X-Frame-Options: DENY
< X-GitHub-Request-Id: D70C:43242:987791:D8C2B5:5E66AB8C
< 
* Ignoring the response-body
* Connection #0 to host github.com left intact
* Issue another request to this URL: 'https://ousia@github.com/ousia/gitlfs.git/info/refs?service=git-receive-pack'
* Couldn't find host github.com in the .netrc file; using defaults
* Found bundle for host github.com: 0x56037047b670 [can pipeline]
* Re-using existing connection! (#0) with host github.com
* Connected to github.com (140.82.118.3) port 443 (#0)
* Server auth using Basic with user 'ousia'
> GET /ousia/gitlfs.git/info/refs?service=git-receive-pack HTTP/1.1
Host: github.com
Authorization: Basic b3VzaWE6
User-Agent: git/2.17.2
Accept: */*
Accept-Encoding: gzip
Accept-Language: en-US, *;q=0.9
Pragma: no-cache

< HTTP/1.1 401 Authorization Required
< Server: GitHub Babel 2.0
< Content-Type: text/plain
< Content-Length: 29
* Authentication problem. Ignoring this.
< WWW-Authenticate: Basic realm="GitHub"
< X-Frame-Options: DENY
< X-GitHub-Request-Id: D70C:43242:9877A4:D8C2C9:5E66AB8C
< 
* Connection #0 to host github.com left intact
Password for 'https://ousia@github.com': 
* Couldn't find host github.com in the .netrc file; using defaults
* Found bundle for host github.com: 0x56037047b670 [can pipeline]
* Re-using existing connection! (#0) with host github.com
* Connected to github.com (140.82.118.3) port 443 (#0)
* Server auth using Basic with user 'ousia'
> GET /ousia/gitlfs.git/info/refs?service=git-receive-pack HTTP/1.1
Host: github.com
Authorization: Basic b3VzaWE6YnJlbnRhbmlhbmEx
User-Agent: git/2.17.2
Accept: */*
Accept-Encoding: gzip
Accept-Language: en-US, *;q=0.9
Pragma: no-cache

< HTTP/1.1 200 OK
< Server: GitHub Babel 2.0
< Content-Type: application/x-git-receive-pack-advertisement
< Transfer-Encoding: chunked
< Expires: Fri, 01 Jan 1980 00:00:00 GMT
< Pragma: no-cache
< Cache-Control: no-cache, max-age=0, must-revalidate
< Vary: Accept-Encoding
< X-Frame-Options: DENY
< X-GitHub-Request-Id: D70C:43242:9878EA:D8C2EB:5E66AB8C
< 
* Connection #0 to host github.com left intact
21:48:21.154159 run-command.c:646       trace: run_command: .git/hooks/pre-push origin https://ousia@github.com/ousia/gitlfs.git
21:48:21.159231 git.c:576               trace: exec: git-lfs pre-push origin https://ousia@github.com/ousia/gitlfs.git
21:48:21.159264 run-command.c:646       trace: run_command: git-lfs pre-push origin https://ousia@github.com/ousia/gitlfs.git
trace git-lfs: exec: git 'version'
trace git-lfs: exec: git '-c' 'filter.lfs.smudge=' '-c' 'filter.lfs.clean=' '-c' 'filter.lfs.process=' '-c' 'filter.lfs.required=false' 'rev-parse' 'HEAD' '--symbolic-full-name' 'HEAD'
trace git-lfs: exec: git 'config' '-l'
trace git-lfs: pre-push: refs/heads/master 30765ac59d5c6c527791b9f697953472f2f6b08d refs/heads/master a621825ed4ef9f40de7e4f307dd16a5f16501332
Password for 'https://ousia@github.com': 
trace git-lfs: creds: git credential fill ("https", "github.com", "")
Password for 'https://ousia@github.com': 
trace git-lfs: Filled credentials for https://ousia@github.com/ousia/gitlfs.git
trace git-lfs: HTTP: POST https://ousia@github.com/ousia/gitlfs.git/info/lfs/locks/verify
> POST /ousia/gitlfs.git/info/lfs/locks/verify HTTP/1.1
> Host: github.com
> Accept: application/vnd.git-lfs+json; charset=utf-8
> Authorization: Basic * * * * *
> Content-Length: 36
> Content-Type: application/vnd.git-lfs+json; charset=utf-8
> User-Agent: git-lfs/2.5.1 (GitHub; linux amd64; go 1.10.4)
> 
{"ref":{"name":"refs/heads/master"}}trace git-lfs: HTTP: 200


< HTTP/1.1 200 OK
< Content-Length: 41
< Content-Type: application/vnd.git-lfs+json
< Date: Mon, 09 Mar 2020 20:48:46 GMT
< X-Frame-Options: DENY
< X-Github-Request-Id: D710:40735:3327E0B:49B65E5:5E66ABAD
< 
trace git-lfs: creds: git credential approve ("https", "github.com", "")
trace git-lfs: HTTP: {"ours":[],"theirs":[],"next_cursor":""}

{"ours":[],"theirs":[],"next_cursor":""}
trace git-lfs: tq: running as batched queue, batch size of 100
trace git-lfs: run_command: git rev-list --stdin --objects --not --remotes=origin --
trace git-lfs: run_command: git cat-file --batch
trace git-lfs: tq: sending batch of size 0
trace git-lfs: filepathfilter: rewrite ".git" as "**/.git/**"
trace git-lfs: filepathfilter: rewrite "**/.git" as "**/.git"
trace git-lfs: filepathfilter: rejecting "tmp" via []
trace git-lfs: filepathfilter: accepting "tmp"
21:48:46.208915 run-command.c:646       trace: run_command: git send-pack --stateless-rpc --helper-status --thin --progress https://ousia@github.com/ousia/gitlfs.git/ --stdin
21:48:46.212601 git.c:344               trace: built-in: git send-pack --stateless-rpc --helper-status --thin --progress https://ousia@github.com/ousia/gitlfs.git/ --stdin
21:48:46.213650 run-command.c:646       trace: run_command: git pack-objects --all-progress-implied --revs --stdout --thin --delta-base-offset --progress
21:48:46.216925 git.c:344               trace: built-in: git pack-objects --all-progress-implied --revs --stdout --thin --delta-base-offset --progress
Counting objects: 2, done.
Delta compression using up to 4 threads.
Compressing objects: 100% (2/2), done.
Writing objects: 100% (2/2), 266 bytes | 266.00 KiB/s, done.
Total 2 (delta 1), reused 1 (delta 0)
* Couldn't find host github.com in the .netrc file; using defaults
* Found bundle for host github.com: 0x56037047b670 [can pipeline]
* Re-using existing connection! (#0) with host github.com
* Connected to github.com (140.82.118.3) port 443 (#0)
* Server auth using Basic with user 'ousia'
> POST /ousia/gitlfs.git/git-receive-pack HTTP/1.1
Host: github.com
Authorization: Basic b3VzaWE6YnJlbnRhbmlhbmEx
User-Agent: git/2.17.2
Accept-Encoding: gzip
Content-Type: application/x-git-receive-pack-request
Accept: application/x-git-receive-pack-result
Content-Length: 419

* upload completely sent off: 419 out of 419 bytes
< HTTP/1.1 200 OK
< Server: GitHub Babel 2.0
< Content-Type: application/x-git-receive-pack-result
< Transfer-Encoding: chunked
< Expires: Fri, 01 Jan 1980 00:00:00 GMT
< Pragma: no-cache
< Cache-Control: no-cache, max-age=0, must-revalidate
< Vary: Accept-Encoding
< X-Frame-Options: DENY
< X-GitHub-Request-Id: D70C:43242:987C87:D8C4B1:5E66AB95
< 
remote: Resolving deltas: 100% (1/1), completed with 1 local object.
* Connection #0 to host github.com left intact
To https://github.com/ousia/gitlfs.git
   a621825..30765ac  master -> master

BTW, before the third password prompt, I get this message before an OpenSSH dialogue window pops up:

trace git-lfs: creds: git credential fill ("https", "github.com", "")

How can I totally disable those OpenSSH popup windows in Linux?

Many thanks for your help.

[bk2204]

Hey,

The reason you're seeing this is because Git LFS needs credentials in addition to Git, and there's no way to pass these credentials along from Git to Git LFS. If you want to avoid this, then you'll need to use a credential helper. You can run git config --global credential.helper cache to use the cache credential helper which will cache the credentials for about five minutes, or if you're on a Linux system with a desktop environment, you can use the libsecret credential helper if it's available (or, on Debian and Ubuntu, you can copy /usr/share/doc/git/contrib/credential/libsecret/ somewhere else and then build it after installing the libsecret-1-dev package).

You're likely seeing the window because either core.askpass is set somewhere in your config or because GIT_ASKPASS or SSH_ASKPASS is set in the environment. Those are the places we look for an askpass helper.

[ousia]

@bk2204, many thanks for your reply.

If LFS cannot use the authentication from Git, my question would be why it needs to ask for the password twice.

Many thanks for your help.

[bk2204]

There are two operations here which do not share state, and those are lock verification and the actual upload. It would be nice if in the future we shared the credentials between them, but we don't at this point, and even if we did, it's possible (because the requests can be to different servers) that it might require multiple authentication requests.

If you aren't using locking, you can disable it with the lfs.<url>.locksverify option, and then it won't prompt you for authentication for that.

[ideasman42]

Note that caching credentials does not help when using a security token (which physically needs to be touched 5 times in my case, with a few seconds delay between each touch).

Is there some way to disable git-lfs when pushing? (assuming none of the changes relate to git-lfs)

[xmedeko]

@ideasman42 See this advice: git -c lfs.locksverify=false push ...