Re: Cached client credentials not encrypted on Win2K with Subversion 1.2.3.

From: John Szakmeister <john_at_szakmeister.net>
Date: 2005-12-15 23:14:49 CET

On Thursday 15 December 2005 11:51, you wrote:
> According to that chapter in the book, the password itself is not
> "encrypted" (by which you seem to actually mean obfuscated, which is
> entirely different), instead the entire file is encrypted using
> Windows' EFS. That WOULD allow you, as the owner of the file, to open
> it and see the password with notepad, but other users would be denied
> access, and if someone plugged the disk into another computer and tried
> to look at the file with say, a hex editor on the raw partition, they
> would only find encrypted data.

The book is wrong. :-) On Win32, and only Win32, it will encrypt the
password. Take a look at one of the files in
%APPDATA%\Subversion\auth\svn.simple. You'll see that the passtype is
"wincrypt", which is what Branko used to encrypt your password with some
logon-related information.

> Looking at my auth cache on this win2k machine though, it does NOT
> appear that the file is encrypted, because the "Encrypt contents to
> secure data" attribute is not set according to explorer, so it does seem
> that this is broken.

Look in the file, you'll see what I mean. :-)

-John

Received on Thu Dec 15 23:20:46 2005

This is an archived mail posted to the Subversion Users mailing list.
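
Added example, not part of the original mail or of Subversion's own code: a small parser for the serialized-hash layout (`K <len>`, key, `V <len>`, value, `END`) used by files under `auth\svn.simple`, reporting whether the cached entry's passtype is "wincrypt" as described in the reply above. The function names and the sample entries are constructed for illustration.

```python
import io

def dump(pairs):
    """Build a constructed cache entry in Subversion's serialized-hash layout."""
    body = b"".join(b"K %d\n%s\nV %d\n%s\n" % (len(k), k, len(v), v) for k, v in pairs)
    return body + b"END\n"

# Constructed sample entries; every value below is made up for illustration.
ENCRYPTED = dump([(b"passtype", b"wincrypt"), (b"password", b"PLACEHOLDER-BLOB"),
                  (b"username", b"alice")])
OTHER = dump([(b"passtype", b"simple"), (b"password", b"example-password"),
              (b"username", b"alice")])

def parse_svn_hash(data):
    """Parse 'K <len>', key, 'V <len>', value, ..., 'END' into a dict."""
    stream, entries = io.BytesIO(data), {}

    def read_item(tag):
        header = stream.readline().rstrip(b"\r\n")
        if tag == b"K" and header == b"END":
            return None  # normal terminator
        kind, _, length = header.partition(b" ")
        if kind != tag or not length.isdigit():
            raise ValueError("malformed header: %r" % header)
        body = stream.read(int(length))  # lengths are byte counts
        if len(body) != int(length) or stream.readline().strip() != b"":
            raise ValueError("truncated or badly terminated item")
        return body

    while True:
        key = read_item(b"K")
        if key is None:
            return entries
        entries[key.decode()] = read_item(b"V")

def password_storage(data):
    """Report how the cached password in one auth cache entry is stored."""
    entry = parse_svn_hash(data)
    if "password" not in entry:
        return "no password cached"
    passtype = entry.get("passtype", b"").decode()
    if passtype == "wincrypt":
        return "wincrypt"
    # Anything else is reported as-is; this check only knows about wincrypt.
    return "not wincrypt (passtype=%s)" % (passtype or "missing")

if __name__ == "__main__":
    for name, blob in (("ENCRYPTED", ENCRYPTED), ("OTHER", OTHER)):
        print(name, "->", password_storage(blob))
```

To check a real cache entry, read the file in binary mode and pass its bytes to `password_storage`.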