On 14 Jan 2003, Karl Fogel wrote:
> <rbb@rkbloom.net> writes:
> > I realize that most people would like to have an auth cache by default,
> > but it is a security hole regardless of where you put the passwords on the
> > box. You need to make sure that the user knows what they are doing before
> > you write their password to the box. CVS makes it obvious by making you
> > "login" before it writes your password to the HD. SVN just writes the
> > password by default.
> >
> > I have no problem moving the auth cache out of the wc, I think that is a
> > requirement, but the default needs to be not saving the password to the
> > box. If people don't want to type their password on every operation, then
> > they either shouldn't use the WebDav transport, or we should implement
> > client certs (which is also on my short list of things to do).
>
> I think the security/convenience tradeoff starts to swing the other
> way at this point.
>
> Getting them out of the WC is necessary. People expect (from CVS)
> that a WC does not contain their passwords.
>
> But having it in ~/.subversion/, in a location readable only by that
> user and by root, is fine. Remember, we're talking about http basic
> auth passwords here -- anyone who has root on the client box could
> just sniff the network to get them too.
>
> So I think storing them in ~/.subversion/ rather than the WC is a good
> trade for us to make.

That's fine, but I won't implement it. I disagree with this solution, and
you are making a rather large assumption about being able to sniff the
network. I only use SVN over SSL, because of the ability to sniff the
password off the wire. Also, there is the ability to implement digest
authentication to resolve that problem.

Ryan
Received on Tue Jan 14 18:58:40 2003