On Thu, Mar 20, 2008 at 5:36 PM, Hadmut Danisch <hadmut_at_danisch.de> wrote:
> Hi,
>
> Ryan Schmidt wrote:
> >
> > The Subversion client needs to provide the plain text password to the
> > Apache server during authentication. Suggest a way for this to be
> > accomplished without storing the plain text password on the client's
> > disk.
> In the high security area where I am currently maintaining a protected
> SVN repository, the users are required to reenter the password any time.
>
> Even beyond that requirement, there's another problem:
>
> Some files need to be checked out from SVN with root permissions, but
> with user/password of the person who is root at that very moment. While
> several people share access to the root accounts, nobody should be able
> to check in changes under the name of a different person (or be able to
> read the password from the file system).
>
I don't know much about Subversion (just joined), but this caught my eye:
Why are multiple people sharing an account? If you don't trust your users,
then why do you trust them to share an account?
-Dan
>
> If someone really wants to store the password in a local file either for
> good reasons or for not taking care, let him do so. But under any
> circumstances avoid storing the password accidentally.
>
>
> >
> > Encrypting the password on the client's disk is not a solution unless
> > the Subversion client can also decrypt the password again so it can be
> > provided to Apache in plain text. And if the Subversion client, whose
> > source is public, can do this, then any other software can do this too
> > so it is no more secure than storing the plain text password on disk.
> Mostly correct. But this does not imply that you have to store the
> password if the user does not want this.
>
> (There are better ways to store it locally, e.g. protect it with a
> master password, like Firefox, ssh-agent or the GNOME/KDE wallets do.
>
> A more complicated method for the future might be to use plugins, which
> can access the GNOME/KDE wallets.)
>
>
> regards
> Hadmut
--
'Ladislav Sticha, the tall spokesman for Czech Television, told me that the
show's audience was "miniature" — presumably he meant small in number.' -
New York Times, January 24, 2008
Received on 2008-03-21 18:10:03 CET