On Wed, Dec 16, 2009 at 19:09, Jonathan Paton
<unique-f54haq34_at_jpaton.com> wrote:
> On 16/12/2009 22:37, naox wrote:
>>> Actually, if plink (or TortoisePlink) is requesting the password, it STR
>>> that plink should be responsible for saving it. Otherwise, plink would need
>>> some method of passing it back to TortoiseSVN.
>>>
>> Of course plink is requesting password since TortoiseSVN failed to provide it :)
>>
>> This whole conversation is text book example how opensource is being developed. I covered all those reply topics in my first post, but nobody cared to read it carefully. Funny thing is I actualy don't use TortoiseSVN. A colegue asked me to make this request :)
>>
>
> In your original email you said that TortoiseSVN stores the passwords
> for http and
> https. And not for SSH.
>
> I believe that passwords in TortoiseSVN are stored in plain text in the
> Windows
> Registry.
Both of those statements are false.
1) The Subversion libraries (NOT TortoiseSVN - TSVN just uses the SVN
libraries; the command-line client behaves exactly the same way) cache
HTTP(S) credentials in %APPDATA%\Subversion on Windows, not the
Registry.
2) The cached credentials are encrypted using the Windows Crypto API,
which uses the user account's SID as part of the key. I recently
converted from an NT Domain to Active Directory, which resulted in a
"new" user account on my laptop; when I copied my profile data over to
the new account, I had to re-enter my credentials because the key used
by Crypto had changed (my SID changed), so the cached credentials were
no longer readable.
> If true TortoiseSVN doesn't take password security that
> seriously. And
> that means I don't want TortoiseSVN to store important passwords.
Then it's a good thing it's not true.
------------------------------------------------------
http://tortoisesvn.tigris.org/ds/viewMessage.do?dsForumId=4061&dsMessageId=2431033
To unsubscribe from this discussion, e-mail: [users-unsubscribe_at_tortoisesvn.tigris.org].
Received on 2009-12-17 05:06:36 CET