
Re: svn authentication

From: Mark Phippard <markp_at_softlanding.com>
Date: 2006-08-30 22:21:54 CEST

"Jim Weir" <javawaba@hotmail.com> wrote on 08/30/2006 03:23:41 PM:

> >It is stored in plain text on the server hard disk, as you see.
>
> Is this a potential security risk? How can I avoid this?

Only you can assess the risk. If you assign usernames and passwords that
do match up with other accounts, then the risk is just that someone can do
something to your repository that you did not want. But if you are
careful about security this file should not be vulnerable anyway. Also,
keep in mind that nothing is ever deleted from a repository so any damage
that is done can be fixed.

The main concern is usually that admins do not want to see user passwords
or deal with this. Some people have created PHP scripts to manage the
file, and others have the developers create a hash of the password they
want to use and then set that as the password. The developer then just
has to recreate the hash and enter that as their password into SVN.

If you are really concerned, the answer is to use the Apache server option
or SSH.

Mark

Received on Wed Aug 30 23:07:20 2006

This is an archived mail posted to the Subversion Users mailing list.
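
An added example, not part of the original post or of Subversion itself: a Python check that the svnserve password file discussed above is accessible only to its owner. It assumes the standard svnserve layout (a conf directory holding svnserve.conf, whose password-db setting names a file with a [users] section) and POSIX permissions; the function names, sample directory and credentials are constructed for illustration.

```python
import configparser
import os
import stat
import tempfile


def audit_password_db(conf_dir):
    """Return findings for the svnserve password file configured under conf_dir."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read(os.path.join(conf_dir, "svnserve.conf"))
    db = cfg.get("general", "password-db", fallback=None)
    if db is None:
        return ["no password-db configured"]
    # A relative password-db path is resolved against the conf directory.
    path = os.path.normpath(os.path.join(conf_dir, db))
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"{path}: mode {mode:03o} grants group/other access")
    users = configparser.ConfigParser(interpolation=None)
    users.optionxform = str  # keep usernames case-sensitive
    users.read(path)
    if users.has_section("users") and users.options("users"):
        # Report only the count; never echo the stored passwords.
        count = len(users.options("users"))
        findings.append(f"{path}: {count} plaintext password(s) stored")
    return findings


def make_sample_conf(mode):
    """Build a constructed conf directory whose passwd file has the given mode."""
    conf_dir = tempfile.mkdtemp(prefix="svnconf-")
    with open(os.path.join(conf_dir, "svnserve.conf"), "w") as f:
        f.write("[general]\nanon-access = none\n"
                "auth-access = write\npassword-db = passwd\n")
    passwd = os.path.join(conf_dir, "passwd")
    with open(passwd, "w") as f:
        f.write("[users]\nalice = constructed-secret-1\n"
                "bob = constructed-secret-2\n")
    os.chmod(passwd, mode)
    return conf_dir


if __name__ == "__main__":
    for sample_mode in (0o644, 0o600):
        for finding in audit_password_db(make_sample_conf(sample_mode)):
            print(finding)
```

Run it as the account that owns the repository; a file at mode 600 still reports the plaintext entries, since tightening permissions limits who can read them but does not change how they are stored.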