
Re: passwords in subversion

From: Rainer Pröbster <rpr_at_vr-web.de>
Date: 2004-12-11 20:17:22 CET

On Saturday, 11 December 2004 18:25, you wrote:
> On Dec 11, 2004, at 6:00 AM, Rainer Pröbster wrote:
> >> pat wrote:
> >>> probably missed something). Is it possible to use crypted passwords ???
> >>> Or is it possible to use certificates for access to svn server ???
> >>>
> >>> I know the svn server can communicate through ssh (commonly through
> >>> secure layer), but is this possible for WebDAV too ??? Can WebDAV use
> >>> secure communication ???
> >>
> >> The plain text passwords are just for svnserve. If you're using Apache2
> >> as the server you can use https + any standard auth method so there are
> >> no plaintext passwords involved.
> >>
> >> Michael Ching
> >> michaelc@wush.net
> >
> > Hello,
> >
> > what if you want to or need to use just svnserve without ssh because of
> > performance or some administration (in case of no ssh on the client)
> > causes?
> > It's hard to accept that you must have unencrypted password files in
> > this not uncommon case: Communication over apache is much slower and not
> > every client wants to or can use ssh.
>
> You might want to re-read chapter 6. There are 3 independent server
> configurations, and I think you're getting them mixed up:
>
> * apache server (http:// or https://): can use any authentication
> available to apache. Typically, this means a file full of hashed
> passwords, although passwords are essentially passed plaintext over the
> network. But the link can be SSL encrypted, and even server/client
> certificates can be used.
>
> * 'svnserve' server (svn://): has a private user-db file full of
> plaintext passwords.
> CRAM-MD5 authentication -- no plaintext passwords pass over the
> network.
>
> * 'svnserve' launched by ssh (svn+ssh://): ssh does all
> authentication, there are no password files on disk, anywhere. svn
> client asks ssh to launch a private, temporary 'svnserve' process
> running on remotehost. (i.e. 'ssh remotehost svnserve -t'). ssh
> issues a challenge to connect to remotehost, and the launched svnserve
> issues no authentication challenge at all; it assumes the ssh username
> is already authenticated. When the connection finishes, 'svnserve' is
> gone.

Hello Ben,

thank you for quoting the book; no, I have not mixed anything up, I just wrote
the same as you, just with fewer words. ;-)
Just to be precise:
I find it unnecessarily problematic that in the not uncommon case that you don't
want to or can't use an apache server (your first use case) and you don't or
can't use ssh (your third use case) you have to write your passwords plain
into a text file (your second use case) in subversion.
Nowadays nearly every "normal" (linux) program which is critical for the system
(like every server is) stores its passwords in an encrypted file,
mostly in a simple linux password file.
I really _hate_ editing clear text password files, as everyone who just
passes behind me can read them!! It's just unprofessional!
If one could use "normal" linux password files with the svnserve server
program (which I prefer much over the apache-plugin btw.) there would also be
big advantages like reusing existing files or admin-programs.

Cheers,
Rainer

Received on Sat Dec 11 20:19:53 2004
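
Added example, not part of the archived mail and not Subversion's code: a sketch of an RFC 2195-style CRAM-MD5 exchange, showing why the svn:// configuration described in the thread keeps plaintext passwords on the server even though none cross the network. The user name, password, host name and the SHA-256 stand-in for a hashed password file are constructed assumptions, and the message layout is not svnserve's wire format.

```python
import hashlib
import hmac
import secrets

# Constructed sample data. The server's key for each user is the password itself.
PLAINTEXT_DB = {"harry": b"harryssecret"}
# Hypothetical alternative: the same user stored only as a one-way hash
# (SHA-256 here as a stand-in for a crypt-style password file entry).
HASHED_DB = {"harry": hashlib.sha256(b"harryssecret").digest()}


def make_challenge(host="svn.example.invalid"):
    """Server: a fresh, unpredictable challenge for every connection."""
    return f"<{secrets.token_hex(16)}@{host}>".encode()


def client_response(username, password, challenge):
    """Client: send HMAC-MD5(key=password, msg=challenge), never the password."""
    digest = hmac.new(password, challenge, hashlib.md5).hexdigest()
    return f"{username} {digest}"


def server_verify(key_db, challenge, response):
    """Server: recompute the HMAC with the stored key and compare in constant time.

    The check only succeeds if the stored key equals what the client keyed the
    HMAC with, i.e. the password itself.
    """
    username, _, digest = response.partition(" ")
    key = key_db.get(username)
    if key is None:
        return False
    expected = hmac.new(key, challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(expected.encode(), digest.encode())


if __name__ == "__main__":
    challenge = make_challenge()
    response = client_response("harry", b"harryssecret", challenge)
    print("on the wire:       ", challenge.decode(), "/", response)
    print("plaintext user db: ", server_verify(PLAINTEXT_DB, challenge, response))
    print("hashed user db:    ", server_verify(HASHED_DB, challenge, response))
    print("replayed response: ", server_verify(PLAINTEXT_DB, make_challenge(), response))
```

A server that stored the hash and told clients to key the HMAC with it would only turn the hash into the login secret, so the file would need the same protection as a plaintext one.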

This is an archived mail posted to the Subversion Users mailing list.
