Jack Repenning wrote:
> On Jan 2, 2008, at 4:02 PM, Branko Čibej wrote:
>
>> I think it is a security issue. If Subversion was compiled with keychain
>> support, it should IMHO never try to store passwords outside the
>> keychain, regardless of --(non-)interactive. Same goes for password
>> encryption on Windows, although AFAIK that never requires the user to
>> interactively enter a password.
>>
>> I see two possible solutions here:
>>
>> * Update our whole authn-provider-chain infrastructure so that an
>> authn plugin can tell the authn store code to stop walking the
>> chain -- effectively causing it to not store authentication info.
>
> Interesting thought. This is similar to what auth-providers can do
> within Apache and PAM, I believe: say "yes, it's OK" or "beats me, ask
> someone else" or "absolutely not, don't bother asking anyone else."
>
> Inasmuch as we're only in this conversation due to an OS bug,
> though, is it worth this much work?

I'd hesitate to call it an OS bug. The behaviour on Leopard seems
reasonable to me, it's just unfortunate that it's different than in
older Mac OS versions. So that's a gratuitous change of behaviour, not
quite the same as a bug.

Maybe it wouldn't be such a bad thing to learn from more "experienced"
authn provider architectures. :)

>> * A more Mac-specific solution would cause the keychain provider to
>> lie that it had stored the username and password, even if it in
>> fact didn't. This option seems like a bit of a wart, though.
>
>
> Pretty icky. And what if we ever bite the bullet and solve the
> secure-cache problem on Unix somehow? We'd be setting a precedent.

I absolutely agree. This would be marginally acceptable for a
security-fix backport, but not for a real solution.

-- Brane
Received on 2008-01-04 05:41:02 CET
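
The first option discussed in this message (a provider that can tell the store code to stop walking the chain, in the way Apache and PAM modules answer "OK", "ask someone else" or "absolutely not"), sketched as an added example that is not part of the original message or of Subversion's code. All type and function names are hypothetical, as is the assumption that the keychain provider refuses when it cannot prompt.

```c
#include <stdio.h>
#include <stddef.h>
/* Hypothetical three-way result modelled on the thread; not Subversion's API. */
typedef enum { STORE_OK, STORE_DECLINED, STORE_REFUSED } store_result;

typedef struct {
    const char *name;
    store_result (*save)(const char *user, const char *pass, int interactive);
} provider;

/* Assumption: the keychain can only be unlocked by prompting the user. */
static store_result keychain_save(const char *u, const char *p, int interactive)
{
    (void)u; (void)p;
    return interactive ? STORE_OK : STORE_REFUSED;
}

/* Plaintext fallback always "succeeds", which is the risk being discussed. */
static store_result plaintext_save(const char *u, const char *p, int interactive)
{
    (void)u; (void)p; (void)interactive;
    return STORE_OK;  /* a real provider would write the file here */
}

static const provider chain[] = {
    { "keychain",  keychain_save  },
    { "plaintext", plaintext_save },
};

/* Returns the index of the storing provider, or -1. honor_refusal == 0 models
   a walk where every failure means "try the next provider". */
int store_credentials(const char *user, const char *pass, int interactive, int honor_refusal)
{
    for (size_t i = 0; i < sizeof chain / sizeof chain[0]; i++) {
        store_result r = chain[i].save(user, pass, interactive);
        if (r == STORE_OK)
            return (int)i;
        if (r == STORE_REFUSED && honor_refusal)
            return -1;  /* veto: never fall through to weaker storage */
    }
    return -1;
}

int main(void)
{
    int weak = store_credentials("alice", "constructed-pw", 0, 0);
    int safe = store_credentials("alice", "constructed-pw", 0, 1);
    printf("walk-all:  %s\n", weak < 0 ? "(not stored)" : chain[weak].name);
    printf("with veto: %s\n", safe < 0 ? "(not stored)" : chain[safe].name);
    return 0;
}
```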