[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: Credentials Caching - Security Guy Not Happy

From: Max Bowsher <maxb_at_ukf.net>
Date: 2004-08-26 10:13:17 CEST

Paul Ossenbruggen wrote:
> Cool ideas everyone, although each seems to have tradeoffs.
>
> The svn+ssh approach is cool, although we would give up the Active
> Directory integration. One of the things that is great about svn https
> is that we are using Active Directory which was requested by the
> security guy. This centralizes access so that we only have one place to
> go when we want to remove access to a resource.

I haven't done it myself, but I'd be surprised if there wasn't a way to gat
PAM (and therefore ssh, and therefore svn+ssh) authenticating against the
AD.

> For the person who asked if we used cvs, no we used Perforce. I doubt
> that is more secure than svn. Even having the passwords, hashed or
> something might be better than complete plain text. Security Guy is
> worried about someone running over to a machine after someone went to
> go for a break, looking in the files and getting the cleartext. Perhaps
> a hash like cvs would be better but I am sure he still would not be
> completely satisfied with that. That would a least prevent someone from
> accessing another computer with that password because the hash would
> only work with svn.

CVS doesn't use a hash, it uses a trivial obfuscation which can be easily
reversed.

Max.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Received on Thu Aug 26 10:19:43 2004

This is an archived mail posted to the Subversion Users mailing list.