
Re: RFC: Encrypting ~/.subversion/auth on Windows

From: Ben Reser <ben_at_reser.org>
Date: 2004-11-13 00:35:25 CET

On Fri, Nov 12, 2004 at 04:40:29PM -0600, Ben Collins-Sussman wrote:
> My question is: what problem are we trying to solve?
> Through repeated discussions with users, my impression is that the
> problem is that an administrator (or perhaps someone sitting with you
> at your terminal) can accidentally glance at a cleartext password.
> CVS solves this particular problem by doing a trivial rot-13-esque
> scrambling on the contents of .cvspass. Not real crypto, just enough
> to prevent accidental glances. Couldn't we do something like that? It
> would be simple. It would be portable -- not requiring any OS-specific
> code.
> Somebody could do it as bite-sized task:
> * add a couple of scramble/descramble functions to libsvn_subr.
> * make the client-side auth cache use them. (the auth-cache files
> are just hashtables on disk; add a hash-key that describes the
> scramble method used.)
> * make the svnserve user-db file use them (and add a config variable
> to svnserve.conf that describes the scramble method).
> Seems pretty easy, and users ask about this problem all the time. I'd
> much rather see this done, rather than adding more "#ifdef win32"
> things to our code.

As if that really stops anything:
cat file | rot

So much for the rotation. The purpose here is to make it so users don't
have to enter anything to gain access to repos. We can't secure that
and we shouldn't. If people want more security they need to realize
that they need to enter passwords.

As far as administrators glancing at passwords, I simply don't buy that
as a valid argument. If the person is an admin then they are an admin.
They already have access to more than that person anyway.

Further, the primary argument about admins glancing at passwords is about
the svnserve password setup not the client side.

So I'm pretty negative about adding any type of obfuscation. It simply
gives people a false sense of security that doesn't exist. If they can
open the file and see the contents in plaintext then they'll realize
they need to take care with it.

Ben Reser <ben@reser.org>
"Conscience is the inner voice which warns us somebody may be looking."
- H.L. Mencken
Received on Sat Nov 13 00:35:32 2004

This is an archived mail posted to the Subversion Dev mailing list.
