
Re: Subversion sometimes needlessly asks for confirmation to store already stored plaintext passwords

From: Senthil Kumaran S <senthil_at_collab.net>
Date: Fri, 18 Jul 2008 15:23:17 +0530

Hi Arfrever,

Arfrever Frehtes Taifersar Arahesis wrote:
> Subversion asks for confirmation to store plaintext passwords which have been
> already stored when the '--username ${USERNAME}' option is used.
>
> (Stylesen said on #svn-dev that he will be working on a patch.)

As promised here is a patch attached which solves this problem.

[[[
Fix unnecessary plaintext password saving prompt when username is supplied
and password is already cached.

* subversion/libsvn_subr/simple_providers.c
  (svn_auth__simple_first_creds_helper): Start with may_save FALSE, which
   helps in getting the cached results and avoids a plaintext password
   saving prompt when it is not necessary.

Patch by: stylesen
Found by: arfrever
]]]

FYI: The problem reported here has existed for a while now, even before r32132.

With this patch we have the following use cases working fine:

1) Supply username in command line without a password. In this case if we have
any cached passwords for this particular username (matching the REALM), use
that and since the password is already cached, we need not prompt for plaintext
storage of password to the user.

<samplerun>
$ svn co http://localhost/svn/repos wc --username harry
Authentication realm: <http://localhost:80> TEST SVN repository
Password for 'harry':
-----------------------------------------------------------------------
ATTENTION! Your password for authentication realm:

   <http://localhost:80> TEST SVN repository

can only be stored to disk unencrypted! You are advised to configure
your system so that Subversion can store passwords encrypted, if
possible. See the documentation for details.

You can avoid future appearances of this warning by setting the value
of the 'store-plaintext-passwords' option to either 'yes' or 'no' in
'/home/stylesen/.subversion/servers'.
-----------------------------------------------------------------------
Store password unencrypted (yes/no)? yes
Checked out revision 0.

$ svn co http://localhost/svn/repos wc --username harry
Checked out revision 0.
</samplerun>

2) Username and password supplied in command line. In this case since both
username and passwords are supplied (this is analogous to non-interactive) we
need not prompt the user for caching plaintext passwords. Ultimately nothing is
cached in the auth area.

<samplerun>
$ svn co http://localhost/svn/repos wc --username harry --password somepass
Checked out revision 0.
</samplerun>

For this use case 2) we can check whether the username/password combo for this
REALM is already cached in the auth area, if not prompt the user for plaintext
password saving. This check will add additional lines of code, which I think is
not necessary, FWIW. Since the user himself is passing the credentials in the
command line and there is no point in caching this once again.

3) Do not supply either username or password.

a) If we do not have a username/password combo in the auth cache, default to
the OS username and prompt for a password, which leads to a plaintext
password caching prompt for this REALM with the username/password combo got
from the user.

<samplerun>
$ svn co http://localhost/svn/repos wc
Authentication realm: <http://localhost:80> TEST SVN repository
Password for 'stylesen':
-----------------------------------------------------------------------
ATTENTION! Your password for authentication realm:

   <http://localhost:80> TEST SVN repository

can only be stored to disk unencrypted! You are advised to configure
your system so that Subversion can store passwords encrypted, if
possible. See the documentation for details.

You can avoid future appearances of this warning by setting the value
of the 'store-plaintext-passwords' option to either 'yes' or 'no' in
'/home/stylesen/.subversion/servers'.
-----------------------------------------------------------------------
Store password unencrypted (yes/no)? yes
Checked out revision 0.
</samplerun>

b) We consult the auth cache for a username and password for this particular
REALM. If we find a username/password combo for this REALM in the auth
cache, then proceed.

<samplerun>
$ svn co http://localhost/svn/repos wc
Checked out revision 0.
</samplerun>

If I've left any use cases please let me know.

Thank You.
--
Senthil Kumaran S
http://www.stylesen.org/


Received on 2008-07-18 11:54:49 CEST

This is an archived mail posted to the Subversion Dev mailing list.
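
The mail above is about passwords that end up "stored to disk unencrypted" in the auth area. As an added example (not part of the original mail and not Subversion's own code), the following Python sketch parses auth-cache entries and lists the ones that hold a plaintext password. It assumes the cache lives in `~/.subversion/auth/svn.simple/`, that entries use Subversion's `K <len>` / `V <len>` hash dump layout, and that a `passtype` of `simple` (or none) means the password is unencrypted; the sample entry is constructed.

```python
from pathlib import Path

def make_entry(fields):
    """Serialize a dict in the K/V hash dump layout (used for constructed samples)."""
    out = b""
    for k, v in fields.items():
        kb, vb = k.encode(), v.encode()
        out += b"K %d\n%s\nV %d\n%s\n" % (len(kb), kb, len(vb), vb)
    return out + b"END\n"

def parse_entry(data):
    """Parse 'K <len>\\n<key>\\nV <len>\\n<value>\\n ... END' into a dict."""
    fields, pos = {}, 0
    def read(tag):
        nonlocal pos
        eol = data.index(b"\n", pos)              # ValueError if truncated
        head = data[pos:eol].split()
        if len(head) != 2 or head[0] != tag:
            raise ValueError("bad record header at byte %d" % pos)
        start, size = eol + 1, int(head[1])
        if size < 0 or data[start + size:start + size + 1] != b"\n":
            raise ValueError("truncated value at byte %d" % start)
        pos = start + size + 1
        return data[start:start + size].decode("utf-8", "replace")
    while not data.startswith(b"END", pos):
        key = read(b"K")
        fields[key] = read(b"V")
    return fields

def is_plaintext(fields):
    # Assumption: passtype "simple" (or an entry without passtype) means the
    # 'password' value sits on disk unencrypted.
    return "password" in fields and fields.get("passtype", "simple") == "simple"

def audit(auth_dir):
    """Return (file, username, realm) per plaintext entry; never the password."""
    hits, root = [], Path(auth_dir)
    for path in sorted(root.iterdir()) if root.is_dir() else []:
        try:
            fields = parse_entry(path.read_bytes()) if path.is_file() else {}
        except ValueError:
            continue                               # not a cache entry, skip it
        if is_plaintext(fields):
            hits.append((path.name, fields.get("username"), fields.get("svn:realmstring")))
    return hits

# Constructed sample mirroring use case 1 in the mail (values are made up).
SAMPLE = make_entry({"passtype": "simple", "password": "somepass",
                     "svn:realmstring": "<http://localhost:80> TEST SVN repository",
                     "username": "harry"})

if __name__ == "__main__":
    for hit in audit(Path.home() / ".subversion" / "auth" / "svn.simple"):
        print("plaintext password cached:", *hit)
```

Entries reported by `audit` are candidates for removal from the cache and for setting `store-plaintext-passwords = no` in the `servers` file named in the warning text.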
