Re: RFC: Encrypting ~/.subversion/auth on Windows

From: Sigfred Håversen <bsdlist_at_mumak.com>
Date: 2004-11-13 01:31:28 CET

On Friday 12 November 2004 22.53, Branko Čibej wrote:
> We all know that storing passwords in cleartext in ~/.subversion/auth is
> not nice, but that a portable solution will take some doing. However,
> there's an easy way to protect that dir even from superusers on Windows
> 2000 and newer, when the user's config dir is on an NTFS volume: Simply
> encrypt the directory when it's created. In order to do this in
> newly-created config directories, all it takes is an additional system
> call (well, taking care that it doesn't barf on older systems).
>
> Would it make sense to do something like that? I think it would be a
> huge improvement, at least on the PR front.
>
> We could also recommend to users to encrypt existing auth directories,
> it's a single command:
>
> cipher /E /A "%APPDATA%/Subversion/auth"

Slightly off-topic, why not encrypt the passwords for svnserve? httpd does it
with htpasswd, and it should not be such a burden for repo admins to use
something like "svnpasswd". Granted, many (most?) passwords are quickly
broken, but those that have stronger requirements will benefit from this.

/Sigfred

PS How often do we reuse the same password elsewhere? Quite often? Probably
yes. There is a limit to how many passwords/pincodes we can remember...
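
Added example, not part of the original mail and not Subversion code: a sketch of what the "svnpasswd" idea above could do, replacing each entry of a cleartext `[users]` section (the layout svnserve's password file uses) with a salted, iterated hash. The storage format, function names, iteration count and sample users are assumptions of this example.

```python
import base64
import configparser
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed work factor; raise it as far as the server tolerates

# Constructed sample input: a cleartext password file with two made-up users.
SAMPLE = """[users]
harry = harryssecret
sally = sallyssecret
"""

def hash_password(password, salt=None):
    """Return 'pbkdf2-sha256$iterations$salt$digest' (format assumed here)."""
    salt = salt or os.urandom(16)  # per-user salt defeats precomputed tables
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return "$".join(["pbkdf2-sha256", str(ITERATIONS),
                     base64.b64encode(salt).decode(),
                     base64.b64encode(dk).decode()])

def verify_password(password, stored):
    """Recompute the hash from the stored salt and compare in constant time."""
    try:
        scheme, iters, salt_b64, dk_b64 = stored.split("$")
        if scheme != "pbkdf2-sha256":
            return False
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(dk_b64, validate=True)
        dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, int(iters))
    except (ValueError, OverflowError):
        return False  # malformed entry: reject instead of crashing
    return hmac.compare_digest(dk, expected)

def convert_users(cleartext_ini):
    """Hash every entry of a cleartext [users] section; returns {user: hash}."""
    cp = configparser.ConfigParser(interpolation=None)  # '%' is legal in passwords
    cp.optionxform = str  # keep user names case-sensitive
    cp.read_string(cleartext_ini)
    return {user: hash_password(pw) for user, pw in cp["users"].items()}

if __name__ == "__main__":
    for user, entry in convert_users(SAMPLE).items():
        print(f"{user} = {entry}")
```
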

Received on Sat Nov 13 01:31:45 2004

This is an archived mail posted to the Subversion Dev mailing list.
