
Re: request: ssh session passwords

From: Juraj Simlovic <jsimlo_at_matfyz.cz>
Date: 2007-11-03 13:09:27 CET

>> Our server administrator does not allow us to login by private keys. He
>> thinks it is not safe, because we tend to store such keys on usb sticks,
>> which then get stolen, etc, etc. Furthermore, we are sharing computers,
>
> Isn't that a contradiction? You share computers but using private keys
> are considered unsafe?
> IMHO sharing computers is much worse.

I guess he simply does not know that we share computers. To be specific,
I am a student at a university and the computers belong to the school library.
It is quite obvious why I share the same computer with other students.
But this is not what matters in this request.

>> Would it be possible to remember this password during the entire session?
> Define "session" here please. Because whatever you choose as a session,
> it will always be wrong and unsafe.

Typing the password three times to see a checkout, or typing the password
six (or more) times to see a diff, isn't? There might be plenty of people
watching my fingers doing the same thing over and over again. Quite a
chance I would say. Nevertheless, I wasn't able to see the second diff,
since I wasn't able to finish my password twelve times in a row. Many
features are unusable and worthless through ssh this way. Believe me.

> * if the session is as long as the window/dialog is open, then what
> happens if you leave your station with the window open?

The very same thing as if I would leave a WinSCP window open. I am really
stupid and all the shame and all the blame goes with me. Btw, this is
what I was requesting: this kind of "session" definition. If an option
is given, like "Remember this password for this window and its children",
then the risk goes with the user who clicks that option. Why would you
try to prevent the user from doing what he wants/needs to do? Note that any
kind of workaround (e.g. set up a "temporary" putty session with a stored
password, which needs to be manually deleted before log off) is worse.
E.g. when the power goes off by accident, the password remains on the
hard drive.

There is also one other working possibility: tsvn session while user
session, i.e. until the user logs off. If the tsvn is not a service, all
of its processes are terminated upon logoff, all runtime info wiped out.
It is somehow less secure from your point of view, but it still might be
appreciated if available through an option. If the user chooses this
option (and I would, since I never forget to log off) and then forgets
to log off, all the blame goes with him alone, doesn't it?

I hope you can see my point of view. In a nutshell: The feature I am
requesting is inevitable for me and all other users like me. Right now
we are all forced to use workarounds, which are much less secure than a
feature we are asking for.

Many thanks,
With kind regards,
jsimlo

Received on Sat Nov 3 13:23:49 2007

This is an archived mail posted to the TortoiseSVN Users mailing list.
