
RE: svnserve password store in clear text

From: Ng, Wey Han <weyhan.ng_at_atosorigin.com>
Date: 2004-06-04 13:49:41 CEST

> -----Original Message-----
> From: Greg Hudson [mailto:ghudson@MIT.EDU]
> Sent: Friday, June 04, 2004 11:41 AM
> Well, here are some svn+ssh options you might not have considered:
> [...]

I have considered svn+ssh but I feel that ssh is also not an option because of
manageability. Where I work security is not a big thing. Getting people to
start installing ssh on their workstation is not going to be fun. Getting them
to send me their public key is even worse. Setting up a local account for
every user brings me back to square one.

> (You do have to use pubkey auth for either of these options;
> as far as I know, password auth won't cut it. Just make sure
> the relevant system accounts don't have a password set, i.e.
> put "*" in the password field.)

Humm... if I use public keys to authenticate users and disable their local
account, I will need to intervene whenever a user has lost their key and
regenerate. If I let them use the local account to set up the svn+ssh
connection, I will need to let them log in. See where I am going.

> > User management need not be complicated. I have in fact written a cgi script
> > for the user to change their password over the web and it is simple.
> Uh, sure, but presumably that requires setting up a web server, which
> sort of defeats the point of svnserve.

No. Not really. I find that setting up a web server is not the problem. As I
have explained in my other post, office politics and other restrictions make
using apache to access Subversion a complicated affair.

What I am facing is the fact that I need to change the mindset of people
that has been engraved into their heads for the past 8 years. I am not sure
if this is a first but my effort is to move the existing repository from
CMVC and CCCQ to Subversion (Don't ask why. It just has to be done). I'm
sure you can sense that resistance is very high and the less I make users go
through to have access to the svn server, the more likely I will succeed.

If you feel like saying it, I won't blame you because I also think it sucks
to be me. :(

Like I have said before, svnserve is the solution for me except that it
stores passwords in clear text. I'm willing to get my hands dirty and make
changes for my own use and maybe submit to the project if this is a welcome
change. However, after that many postings, there is really not much
discussion about if my proposed change would work given that security
requirements will be loose. If there is any opinion or suggestion on the
proposal please share.



Ng, Wey-Han
Atos Origin
Received on Fri Jun 4 13:54:51 2004

This is an archived mail posted to the Subversion Dev mailing list.