
RE: Subclipse 0.9.33 Released

From: Russel Winder <russel_at_russel.org.uk>
Date: 2005-09-15 10:01:41 CEST

On Wed, 2005-09-14 at 18:00 +0200, Alexander Kitaev wrote:

> way to define a key and passphrase were system properties. Looks like this
> introduced a bug or two, and not easy to reproduce ones - for me svn+ssh
> works well, both password and key auths.

svn+ssh works fine for me once set up. No problems there :-)

> Subversion stores passwords in plain-text when working over plain svn or
> http(s) protocol. And it's OK, as "Basic" auth used by most Apache servers,
> is not secure at all. "svn" protocol uses challenge-response scheme, but I
> think it could be compromised as well, in case one gets a desire to get your
> repository access rights. The idea is to move security to the other layer -
> use ssh tunnels or VPN and make sure your home directory is well protected
> and encrypted if you'd like to get real protection for your data.

I guess we have to use the terms passwords and passphrases quite
carefully here. I have never used username/password with Subversion as
my usage has been for software still in the "commercial secret" stage,
i.e. prior to a decision as to whether to go open source or stay
proprietary. So I have only ever used svn+ssh with SSH keys that have
passphrases -- the server doesn't even have passwords for the login
accounts, SSH access only. Certainly no http access to the subversion
store!

I take your point about the security of http access and it is certainly
"appropriate security in appropriate circumstances". We are being part
paranoid, i.e. we want basic tight security but we are not going to go
to the extent of encrypting the filestore and other such measures.
Clearly there are "man in the middle" and other attacks possible but
there is a cost--benefit trade-off.

SSH's approach to the filestore problem is to require certain permissions
as a kind of sanity check for security. Perhaps requiring
the .subversion/auth/ and all subdirectories to have user-only access as
SSH does would go part of the way to ameliorating the potential
problems.

I guess I was surprised about the plain text storage of passphrases. I
would not have expected Subversion (and JavaSVN) to be quite so cavalier
about things like caching sensitive information such as this
particularly with JCE now being a standard part of the JDK.

-- 
Russel.
====================================================
Dr Russel Winder                +44 20 7585 2200
41 Buckmaster Road              +44 7770 465 077
London SW11 1EN, UK             russel@russel.org.uk

Received on Thu Sep 15 18:01:41 2005
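
The permission sanity check suggested in the message above, as an added example (not part of the original mail, and not Subversion or JavaSVN code): it walks an auth directory and reports every entry that is a symlink, is not owned by the current user, or grants any access to group or other. The function names and the sample tree are assumptions constructed for illustration; it assumes a POSIX filesystem.

```python
import os
import stat
import tempfile


def audit_private_tree(root):
    """Return (path, problem) pairs for entries under root that are not user-only."""
    findings = []
    uid = os.getuid()

    def check(path):
        st = os.lstat(path)  # lstat: inspect the link itself, never its target
        if stat.S_ISLNK(st.st_mode):
            findings.append((path, "symlink inside credential tree"))
            return
        if st.st_uid != uid:
            findings.append((path, "not owned by current user"))
        if st.st_mode & 0o077:  # any group/other read, write or execute bit
            mode = stat.S_IMODE(st.st_mode)
            findings.append((path, "group/other access: %04o" % mode))

    check(root)
    # os.walk does not follow symlinked directories by default
    for dirpath, dirnames, filenames in os.walk(root):
        for name in sorted(dirnames + filenames):
            check(os.path.join(dirpath, name))
    return findings


def build_sample_tree(base):
    """Constructed sample: an auth tree with one loose directory and one loose file."""
    auth = os.path.join(base, ".subversion", "auth")
    simple = os.path.join(auth, "svn.simple")
    os.makedirs(simple)
    cred = os.path.join(simple, "constructed-entry")
    with open(cred, "w") as fh:
        fh.write("constructed sample, not a real credential\n")
    os.chmod(auth, 0o700)    # user-only, passes
    os.chmod(simple, 0o755)  # world-listable, flagged
    os.chmod(cred, 0o644)    # world-readable, flagged
    return auth


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for path, problem in audit_private_tree(build_sample_tree(tmp)):
            print(path, "->", problem)
```

A client applying the SSH-style rule would refuse to read or write cached credentials while this list is non-empty.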

This is an archived mail posted to the Subclipse Users mailing list.
