
Re: RFC: Encrypting ~/.subversion/auth on Windows

From: Sigfred Håversen <bsdlist_at_mumak.com>
Date: 2004-11-13 01:31:28 CET

On Friday 12 November 2004 22.53, Branko Čibej wrote:
> We all know that storing passwords in cleartext in ~/.subversion/auth is
> not nice, but that a portable solution will take some doing. However,
> there's an easy way to protect that dir even from superusers on Windows
> 2000 and newer, when the user's config dir is on an NTFS volume: Simply
> encrypt the directory when it's created. In order to do this in
> newly-created config directories, all it takes is an additional system
> call (well, taking care that it doesn't barf on older systems).
> Would it make sense to do something like that? I think it would be a
> huge improvement, at least on the PR front.
> We could also recommend to users to encrypt existing auth directories,
> it's a single command:
> cipher /E /A "%APPDATA%/Subversion/auth"

Slightly off-topic, why not encrypt the passwords for svnserve? httpd does it
with htpasswd, and it should not be such a burden for repo admins to use
something like "svnpasswd". Granted, many (most?) passwords are quickly
broken, but those that have stronger requirements will benefit from this.


PS How often do we reuse the same password elsewhere? Quite often? Probably
yes. There is a limit to how many passwords/pincodes we can remember.....

Received on Sat Nov 13 01:31:45 2004
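
An added example, not part of the original mail and not Subversion code: a PowerShell audit that lists anything under the auth directory that does not carry the NTFS Encrypted attribute, so an administrator can see whether the cleartext credential cache discussed above is actually covered by EFS. The function name is hypothetical; the default path is the one from the quoted `cipher` command.

```powershell
# Added example (not Subversion's code). Get-UnencryptedAuthItem is a
# hypothetical helper name; the default path comes from the quoted mail.
function Get-UnencryptedAuthItem {
    param([string]$Path = (Join-Path $env:APPDATA 'Subversion\auth'))

    if (-not (Test-Path -LiteralPath $Path -PathType Container)) {
        Write-Warning "No auth directory at $Path"
        return
    }

    # The mail's proposal applies to NTFS volumes; warn about anything else
    # rather than silently reporting on a volume where EFS cannot be used.
    try {
        $full  = (Resolve-Path -LiteralPath $Path).ProviderPath
        $root  = [System.IO.Path]::GetPathRoot($full)
        $drive = New-Object System.IO.DriveInfo -ArgumentList $root
        if ($drive.DriveFormat -ne 'NTFS') {
            Write-Warning "$Path is on a $($drive.DriveFormat) volume, not NTFS"
        }
    } catch {
        # DriveInfo rejects UNC roots, e.g. a redirected roaming profile.
        Write-Warning "Could not determine the file system for $Path"
    }

    $encrypted = [System.IO.FileAttributes]::Encrypted

    # Check the directory itself and every file and subdirectory below it.
    $items = @(Get-Item -LiteralPath $Path -Force) +
             @(Get-ChildItem -LiteralPath $Path -Recurse -Force)

    $items |
        Where-Object { -not ($_.Attributes -band $encrypted) } |
        Select-Object FullName, Attributes
}

$plain = @(Get-UnencryptedAuthItem)
if ($plain.Count -gt 0) {
    $plain | Format-Table -AutoSize
    Write-Output 'Command given in the mail: cipher /E /A "%APPDATA%/Subversion/auth"'
} else {
    Write-Output 'No unencrypted items reported.'
}
```

Run it as the user who owns the profile, since `%APPDATA%` resolves per user.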

This is an archived mail posted to the Subversion Dev mailing list.
