RE: svnserve password store in clear text

From: Ng, Wey Han <weyhan.ng_at_atosorigin.com>
Date: 2004-06-04 05:20:08 CEST

> -----Original Message-----
> From: Mark Phippard [mailto:MarkP@softlanding.com]
> Sent: Thursday, June 03, 2004 10:26 PM
>
> I can understand the concerns being presented in this thread,
> but at what point do you have to ask why you are not just
> using the Apache option? Then you could just use your native
> profiles and passwords.

I have, and Apache is not an option. I am not a developer and not an
administrator. I was put into the position to set up a Subversion server
because of office politics. So the Subversion server is a standalone server
and will not have the users' accounts on the box. I do not feel the need to
give shell access to all the developers using Subversion. svnserve actually
fulfills all of my needs except for one, which is passwords stored as clear
text in the passwd file.

> svnserve was at least somewhat meant to be a simple
> alternative to Apache, and that includes the authentication
> options. Even if the passwords were stored in a hashed or
> encrypted format, there would still have to be a way to tell
> them to Subversion so that it could hash/encrypt them to begin
> with. This either means they still have to be entered by you
> in clear text and then some script is run to modify them, or some
> complicated user management system has to be written in svnserve
> to allow the end user to supply this information, or tie svnserve
> in with some native platform authentication system.

User management need not be complicated. I have in fact written a CGI script
for the users to change their passwords over the web and it is simple.

> At that point,
> I come back to, why not just use Apache if you have these
> requirements? At what point does svnserve start to lose its
> "simplicity"?

If you look at my proposal, I try to keep things simple. I have no intention
to complicate things.

> I realize there are reasons why people prefer to use svnserve
> over Apache, but when you start talking about wanting to use
> your native profiles and passwords and having finer grained
> authorities it seems like you are then ignoring all of the
> benefits that already come with using Apache.

But I don't want native profiles and passwords to be used...

> I started out with svnserve, but I soon realized that I
> didn't want to manage profiles and passwords when my Active
> Directory already did all of that, so I just switched to
> Apache. It was not hard, and I get all of those features,
> as well as others "for free".

In my case, even if I decide to use native profiles and passwords, I will
still need to administer those user accounts. Correct me if I am wrong but I
don't see any benefit in going native in my situation. Unless I truly
misunderstood the WebDAV and Apache route, I think svnserve is for me.

Regards,

Han.

----
Ng, Wey-Han
Atos Origin
Received on Fri Jun 4 05:22:28 2004

This is an archived mail posted to the Subversion Dev mailing list.