
Re: svn caches password in local directory

From: Adrian Hoe <mailbox_at_adrianhoe.com>
Date: 2005-06-09 10:55:14 CEST

On Jun 9, 2005, at 3:06 PM, Olivier Sannier wrote:

> Adrian Hoe wrote:
>
>
>> Hi,
>>
>> Thanks to the Subversion users community, I now have a working
>> Subversion on both svn and svn+ssh.
>>
>> There comes another problem, the security issues. The root of the
>> problem is that my company wants to separate internal staff access
>> from external (interns) access. Creating a login account on the
>> server in order to access via svn+ssh means the interns will have
>> access to ssh, sftp, etc. on the entire server. Using svn
>> limits external access to Subversion only.
>>
>> Now, svn stores users' information including realms and passwords
>> (unencrypted) in a text file in folder ~/subversion/auth/svn.simple.
>>
>> The user will only need to login once via svn. Subsequent access
>> (e.g. svn co) will not require password because svn reads the
>> password from the text file.
>>
>> Why doesn't subversion encrypt the password on local file(s)?
>>
>> Is there a way to overcome this security issue?
>>
>> Tia.
>>
>> --
>>
>> "If you missed the rising sun and the morning dew, don't miss the
>> beautiful sunset." -- Adrian Hoe inspired by Michal Nowak, June 15
>> 2004
>>
>> http://adrianhoe.com
>>
>>
> AFAIK, it is possible in svn 1.2.0 to indicate that you want the
> password encrypted, at least under Win32.

Where is it in the documentation? I don't have the 1.2.0
documentation. Latest I can find is for Subversion 1.1 built from
revision 1337. Where can I find it?

Deployment is not far away, I think. But this security issue stands
in the way. :(

--
"If you missed the rising sun and the morning dew, don't miss the  
beautiful sunset." -- Adrian Hoe inspired by Michal Nowak, June 15 2004
http://adrianhoe.com
Received on Thu Jun 9 10:57:21 2005

This is an archived mail posted to the Subversion Users mailing list.
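
The credential cache discussed in this thread can be audited per client. The following is an added example, not code from the thread or from the Subversion project: it parses cache entries and reports which ones hold a plaintext password and whether other local users can read the file, without ever returning the password. It assumes the cache files use Subversion's length-prefixed `K`/`V` ... `END` hash-dump layout and that the `passtype` key is `simple` for plaintext and `wincrypt` for the Win32-encrypted form; the function names, realm and file names are hypothetical, and the caller supplies the cache directory.

```python
import tempfile
from pathlib import Path

def parse_svn_hash(data: bytes) -> dict:
    """Parse the 'K <len> / key / V <len> / value ... END' hash-dump layout."""
    fields, pos, key = {}, 0, None
    while True:
        eol = data.index(b"\n", pos)
        kind, _, length = data[pos:eol].partition(b" ")
        if kind == b"END":
            return fields
        start, end = eol + 1, eol + 1 + int(length)
        if kind == b"K":
            key = data[start:end].decode()
        elif kind == b"V" and key is not None:
            fields[key] = data[start:end]
        else:
            raise ValueError(f"unexpected record header {kind!r}")
        pos = end + 1  # skip the newline that follows each payload

def audit_cache(auth_dir) -> list:
    """Report cached credentials; the password value itself is never returned."""
    findings = []
    for path in sorted(Path(auth_dir).iterdir()):
        entry = parse_svn_hash(path.read_bytes())
        if "password" in entry:
            # Assumption: a missing passtype, or "simple", means plaintext storage.
            findings.append({"file": path.name,
                             "realm": entry.get("svn:realmstring", b"").decode(),
                             "plaintext": entry.get("passtype", b"simple") == b"simple",
                             "readable_by_others": bool(path.stat().st_mode & 0o077)})
    return findings

def demo() -> list:
    """Audit two constructed cache entries written to a temporary directory."""
    realm = "<svn://svn.example.com:3690> repo"  # constructed sample realm
    samples = {"aaaa": ({"password": "hunter2", "svn:realmstring": realm}, 0o644),
               "bbbb": ({"passtype": "wincrypt", "password": "AQAAANCM",
                         "svn:realmstring": realm}, 0o600)}
    with tempfile.TemporaryDirectory() as auth_dir:
        for name, (entry, mode) in samples.items():
            path = Path(auth_dir, name)
            body = "".join(f"K {len(k)}\n{k}\nV {len(v)}\n{v}\n" for k, v in entry.items())
            path.write_bytes((body + "END\n").encode())
            path.chmod(mode)
        return audit_cache(auth_dir)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

To check a real client, call `audit_cache()` on that user's `auth/svn.simple` directory; any entry reported with both flags true is a plaintext password readable by other accounts on the machine.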
