[cross-posting to dev]
OK... I'm about to expose my ignorance and Windows-centric perspective
here...
With SQL Server and the Query Analyzer client, I can log on using
"Windows Authentication", and the server somehow magically accepts the
credentials I used to log in to the system. I don't have to re-type my
domain logon and password, and it's not cached anywhere. IIS and
Internet Explorer have some means of exchanging those credentials as
well - if everything's configured "properly."
At this point, all I know is that it's possible for a server process to
accept my existing Windows domain authentication even when I'm on a
different machine. I have no idea how that handshake works. I'm
thinking that if we could get Subversion and Apache to work the same
way, we would resolve the security problem with cleartext passwords and
make life happier for most Windows domain users (and admins).
Can someone a) point me to a document explaining (at a high level) how
those existing client/server handshakes work, b) enumerate what would
have to be added to the SVN (or TortoiseSVN) client software and Apache
mod_auth_??? to support this kind of seamless authentication mode,
and/or c) explain why that concept just plain won't work between svn and
Apache?
Steve Dwire
________________________________
From: Paul Ossenbruggen [mailto:paul.ossenbruggen@convoii.net]
Sent: Wednesday, August 25, 2004 3:39 PM
To: users@subversion.tigris.org
Subject: Credentials Caching - Security Guy Not Happy
Background:
Our security guy just got wind of the fact that credentials are cached
in clear text on disk. He is not too happy, and has told me that we need
to turn this on:
[auth]
store-auth-creds = no
This, I have the feeling, will make the system unusable; as I understand
it, every user would have to authenticate every time they performed an
svn command that accessed the server.
Since I went through the process of setting up our system so that our
system uses Active Directory to authenticate, this means that our Active
Directory passwords are cached in what is essentially clear text. I
explained to him that the permissions are set so that only the person
whose account is logged in is allowed to see the files, but this is not
sufficient for the paranoid security guy because it still means that
someone could read the disk if they have physical access to the machine
and a low-level disk utility or root access. Since it is our Active
Directory password in clear text, someone could get access to other
servers in the company!
Request:
That in a new version, in the not too distant future, the auth
directory be encrypted by svn. I mean, it is really cool that we have all
these SSL capabilities in svn, and this would be the last chink in the
armor.
Question:
What can I do in the meantime to appease the security guy and still
retain the convenience that the auth cache provides? I was thinking of
perhaps putting the auth cache in an encrypted directory somehow. How
hard is this to do?
I have about a week to come up with a solution to this or I will be
typing a lot of passwords and will have a lot of unhappy users.
- Paul
PS I am sure our security guy does not mind being called paranoid.
Received on Thu Aug 26 20:05:31 2004