[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

RE: Credentials Caching - Security Guy Not Happy

From: Vincent Thornley <vthornley_at_iee.org>
Date: 2004-08-27 10:58:25 CEST

Paul Ossenbruggen wrote:

> Another possibility, that someone suggested, is writing some sort of shell
> script that caches the password. We would turn off caching. This
> might be an
> immediate solution that would not be hard to implement, however his also
> might restrict the full set of commands available. Also our TortoiseSvn
> users would not be happy with this. Seems like Tortoise could cache the
> password in its process, but I am pretty sure it does not.

From 1.1 RC1 Tortoise separately encrypts and stores authentication data
itself and it is recommended that the subversion plaintext password cache is
turned off.

> The last solution, being advocated by Security Guy, which
> requires the least
> amount of change, is to turn off the cache and make people type a lot of
> passwords. Does anyone have experience with this and how annoying
> it is? He
> is judging that we might have maybe 10 commands per developer per
> day where
> we have to enter our passwords, since it is only the commands talk to the
> server that need to authenticate. I would guess it is more like 20-50.

If your users extensively use Tortoise and the CL client is seldom needed
this shouldn't be a problem. Turn off the cache. Tortoise will store the
passwords encrypted and the few times it is necessary to resort to the
command line it shouldn't be too bad to have to type the password.


To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Received on Fri Aug 27 10:58:58 2004

This is an archived mail posted to the Subversion Users mailing list.

This site is subject to the Apache Privacy Policy and the Apache Public Forum Archive Policy.