
How secure is git credential caching with `git config --global credential.helper 'cache'`?

How does using git HTTPS credential caching with `git config --global credential.helper 'cache'` compare vs. using git SSH key authentication security wise?

The documentation for `git credential.helper cache` says:

> The stored credentials never touch the disk, and are forgotten after a configurable timeout. The cache is accessible over a Unix domain socket, restricted to the current user by filesystem permissions.

I found that you can view the HTTPS cache credentials with `echo url=https://[example.com] | git credential fill`. Not sure about the security implications of this vs using SSH keys. If somebody else SSH-ed into the same device (as a different user with different SSH keys), would they also be able to view the credentials, or because they are a different user, they would not be able to view the credentials this way?

Given that with both methods, if somebody gains access to your system and assumes your user, they can view the passwords or SSH keys, is it correct to say that the HTTPS authentication is generally more secure because it I) expires after a given period II) expires with a restart and III) can be configured to only scoped permissions for certain git actions?

Harry M asked Sep 01 '25 03:09


1 Answer

> If somebody else SSH-ed into the same device (as a different user with different SSH keys), would they also be able to view the credentials

No, since, as the documentation mentions, the cache is accessible over a Unix domain socket, restricted to the current user by filesystem permissions.

> compare vs. using git SSH key authentication security wise?

SSH keys means you are not typing a password.
To achieve the same with HTTPS, it is better to use a persistent cache, rather than a temporary one, where you need to type the password at each session.

The latest one would be GCM-core: Git Credential Manager Core.
It needs to be installed, but once `git config credential.helper` is set to `manager-core`, it will store the password (for a given URL) in a secure local vault, using libsecret to communicate with the "Secret Service" using D-Bus (gnome-keyring and ksecretservice are both implementations of a Secret Service.)


Git 2.40 (Q1 2023) details that cache feature:

See commit 4f54297 (28 Jan 2023) by M Hickford (hickford).
(Merged by Junio C Hamano -- gitster -- in commit c6dea59, 08 Feb 2023)

Documentation: clarify that cache forgets credentials if the system restarts

Signed-off-by: M Hickford

`git credential-cache` now includes in its man page:

> This command caches credentials for use by future Git programs.
>
> The stored credentials are kept in memory of the cache-daemon process (instead of written to a file) and are forgotten after a configurable timeout.
>
> Credentials are forgotten sooner if the cache-daemon dies, for example if the system restarts.
>
> The cache is accessible over a Unix domain socket, restricted to the current user by filesystem permissions.

VonC answered Sep 02 '25 18:09
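
An added example (not part of either post, and not Git's own code): a Python check of the property the quoted documentation relies on, namely that the directory holding the cache socket belongs to you and is closed to group and other. The default socket paths are the ones documented in git-credential-cache(1); the function names and the temp-directory socket in `demo()` are constructed for illustration.

```python
import os
import socket
import stat
import tempfile

def default_socket_path(env=os.environ):
    """Default socket locations documented in git-credential-cache(1)."""
    home = env.get("HOME", os.path.expanduser("~"))
    legacy = os.path.join(home, ".git-credential-cache")
    if os.path.isdir(legacy):
        return os.path.join(legacy, "socket")
    cache = env.get("XDG_CACHE_HOME") or os.path.join(home, ".cache")
    return os.path.join(cache, "git", "credential", "socket")

def audit_socket(path, uid=None):
    """Return findings; an empty list means only `uid` can reach the socket."""
    uid = os.getuid() if uid is None else uid
    findings = []
    try:
        d = os.stat(os.path.dirname(path))
        s = os.lstat(path)
    except FileNotFoundError:
        return ["no socket: daemon not running, timed out, or never started"]
    mode = stat.S_IMODE(d.st_mode)
    if d.st_uid != uid:
        findings.append("directory owned by uid %d, not %d" % (d.st_uid, uid))
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("directory mode %o is open to group/other" % mode)
    if not stat.S_ISSOCK(s.st_mode):
        findings.append("path is not a Unix domain socket")
    elif s.st_uid != uid:
        findings.append("socket owned by uid %d, not %d" % (s.st_uid, uid))
    return findings

def demo():
    """Constructed stand-in for the daemon: a socket bound in a temp directory."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "socket")
        with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as srv:
            srv.bind(path)
            os.chmod(d, 0o700)  # private directory: no findings expected
            tight = audit_socket(path)
            os.chmod(d, 0o755)  # too loose: other users may traverse it
            loose = audit_socket(path)
    return tight, loose

if __name__ == "__main__":
    print(audit_socket(default_socket_path()))
```

Run as a script, it audits your own cache socket; an empty list means the directory and socket are private to your user.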