
Re: Credentials Caching - Security Guy Not Happy

From: Paul Ossenbruggen <paul.ossenbruggen_at_convoii.net>
Date: 2004-08-28 02:54:34 CEST

This is good news; I think we might be able to live with this, since
it seems most of our users are using Tortoise. Thanks!

- Paul

On Aug 27, 2004, at 1:58 AM, Vincent Thornley wrote:

> Paul Ossenbruggen wrote:
>
> [snip]
> > Another possibility, that someone suggested, is writing some sort of shell
> > script that caches the password. We would turn off caching. This might be an
> > immediate solution that would not be hard to implement, however this also
> > might restrict the full set of commands available. Also our TortoiseSvn
> > users would not be happy with this. Seems like Tortoise could cache the
> > password in its process, but I am pretty sure it does not.
> >
>
> From 1.1 RC1 Tortoise separately encrypts and stores authentication data
> itself and it is recommended that the subversion plaintext password cache is
> turned off.
>
> > The last solution, being advocated by Security Guy, which requires the least
> > amount of change, is to turn off the cache and make people type a lot of
> > passwords. Does anyone have experience with this and how annoying it is? He
> > is judging that we might have maybe 10 commands per developer per day where
> > we have to enter our passwords, since it is only the commands that talk to
> > the server that need to authenticate. I would guess it is more like 20-50.
>
> If your users extensively use Tortoise and the CL client is seldom needed
> this shouldn't be a problem. Turn off the cache. Tortoise will store the
> passwords encrypted and the few times it is necessary to resort to the
> command line it shouldn't be too bad to have to type the password.
>
> Vince
Received on Sat Aug 28 02:57:11 2004
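
Added example, not part of the original messages and not code from Subversion or TortoiseSVN: turning the plaintext cache off as recommended above does not remove credentials that were already written to disk, so this Python script audits existing cache entries and flags any that still hold a plaintext password. The cache location `~/.subversion/auth/svn.simple`, the `K`/`V`/`END` file layout and the `passtype` key are assumptions not stated in the thread, and the sample entry is constructed.

```python
from pathlib import Path

def parse_svn_hash(data: bytes) -> dict:
    """Parse the length-prefixed 'K n / V n / END' records of one cache file."""
    fields, pos = {}, 0

    def read_item(tag: bytes) -> bytes:
        nonlocal pos
        eol = data.index(b"\n", pos)  # raises ValueError if the header is cut off
        head = data[pos:eol].split()
        if len(head) != 2 or head[0] != tag:
            raise ValueError(f"expected {tag!r} header at byte {pos}")
        start, length = eol + 1, int(head[1])
        value = data[start:start + length]
        if len(value) != length or data[start + length:start + length + 1] != b"\n":
            raise ValueError("truncated record")
        pos = start + length + 1
        return value

    while not data.startswith(b"END", pos):
        key = read_item(b"K")
        fields[key.decode()] = read_item(b"V")
    return fields

def audit_entry(data: bytes) -> dict:
    """Summarise one cached credential without ever returning the password."""
    f = parse_svn_hash(data)
    # Assumption: a missing "passtype" key means the password is stored as-is.
    passtype = f.get("passtype", b"simple").decode(errors="replace")
    return {
        "realm": f.get("svn:realmstring", b"").decode(errors="replace"),
        "username": f.get("username", b"").decode(errors="replace"),
        "plaintext_password": "password" in f and passtype == "simple",
    }

def build_entry(pairs) -> bytes:
    """Serialise key/value pairs in the same layout (used for sample data)."""
    return b"".join(b"K %d\n%s\nV %d\n%s\n" % (len(k), k, len(v), v) for k, v in pairs) + b"END\n"

# Constructed sample entry; realm, user and password are made up.
SAMPLE = build_entry([(b"password", b"not-a-real-secret"),
                      (b"svn:realmstring", b"<https://svn.example.invalid:443> Repo"),
                      (b"username", b"alice")])

if __name__ == "__main__":
    cache = Path.home() / ".subversion" / "auth" / "svn.simple"  # assumed location
    blobs = [p.read_bytes() for p in sorted(cache.glob("*")) if p.is_file()] if cache.is_dir() else [SAMPLE]
    for blob in blobs:
        print(audit_entry(blob))
```

Entries reported with `plaintext_password: True` should be deleted and the corresponding password changed once caching has been disabled.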

This is an archived mail posted to the Subversion Users mailing list.
