[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: Is there any alternative to setting client certificate / passphrase in servers file?

From: Travis P <twp_at_castle.fastmail.fm>
Date: 2004-04-09 07:28:42 CEST

On Apr 8, 2004, at 11:14 PM, Kirill Lapshin wrote:

> I am trying to setup repository exposed only over SSL. Finally I got
> it right, the only remaining problem is how to avoid annoying
> challenges for certificate / passphrase on every svn command?
> The only way mentioned in book is editing servers file, but servers is
> a way to setup global parameters, not per-user ones,

The $HOME/.subversion/servers file (or Windows equivalent) is a
per-user customization of his or her interaction with servers. So,
yes, that servers is the place to put the information. I have
something like this in mine (stylized here and the files can go
anywhere you want them of course):

#============================
[groups]
cornocopiaSvn = svn.cornocopia.com

[cornocopiaSvn]
ssl-authority-files = /home/ME/.subversion/cornocopia-svn-ca.crt
ssltrust-default-ca = false
ssl-client-cert-file = /home/ME/.subversion/my-client-cert.p12
ssl-client-cert-password = p12-CERT-PASS
#============================

> not to mention necessity to put clear text password in config file.

Unfortunately, as far as I can tell, that's where it needs to go. Make
sure the permissions on $HOME/.subversion are suitably restrictive.
I've been thinking that ssl-client-cert-password should allow multiple
specifications pass:/env:/file: like openssl(1) or exec: like
SSLPassPhraseDialog mod_ssl option. That would allow customization of
tradeoffs depending on particular circumstances and values. It would
be especially nice to have an "ssh-agent"-like option (maybe one could
be implemented with the exec: method if that were available).

> First of all, am I misunderstanding something and client certificate
> is actually supposed to be issued to machine running client, not to
> user?

You are correct, client certs are per-user, not per-client-machine.

> Assuming this is the case I don't see any problem with setting
> certificate in config file, but what about passphrase? Is it possible
> to cache it the same way as username/password cached? Or even better,
> should not certificate be imported into subversion client just once,
> similar to way one imports certificate into browser?

Browsers are running the whole time so they can cache in-memory. The
'svn' client doesn't have this option because it starts, runs, and then
exits completely. When it caches credentials, it needs to store them
on-disk (persistent memory essentially). It stores them in
$HOME/.subversion/auth/. If you didn't put your key in 'servers' but
you did specify "store-auth-creds = yes" in 'config' (I have it set to
"no"), then it might cache your private key in unencrypted form in that
place (or trivially encrypted), which is no more secure then storing
your password in the 'servers' file.

You'll probably notice that your browser does a similar thing -- it
asks you for some sort of password each time you start your browser
before it has access to the certificate (Mozilla, Firefox, and Safari
all do) because they store the keys encrypted on disk. You don't need
to keep entering your password because you keep your browser running
for a long time.

-Travis

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Received on Fri Apr 9 16:17:37 2004

This is an archived mail posted to the Subversion Users mailing list.

This site is subject to the Apache Privacy Policy and the Apache Public Forum Archive Policy.