[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: Repository Passwords are in clear text?

From: Ryan Schmidt <subversion-2005_at_ryandesign.com>
Date: 2005-11-11 19:09:28 CET

On Nov 11, 2005, at 17:37, Gale, David wrote:

>> I think he's talking about the repository passwords that are used
>> when
>> accessing the repository using svnserve (in repo/conf/passwd), not
>> the
>> SVN client password cache that the FAQ talks about.
>>> I agree with you that the CVS-like lightweight password
>>> hiding would be nice, but I haven't got around to submitting
>>> a patch...
>> I think it would be better to not store passwords, but only their
>> hashes, just like Apache does. Maybe a htpasswd-like tool should be
>> added to svnserve?
> And a command to the svn client to allow the user to change their
> password, since currently there's no way to change a user's password
> without having the admin do it, which isn't a friendly thing...

Let's not get carried away, please. a) That's not what this thread is
about, b) it's been discussed many times before, and c) it's not
possible to do cleanly because each access method has a different way
of handling passwords—for svn://, it's a password file. For file:///,
it's filesystem permissions. For svn+ssh://, it's a shell account.
For http:// and https://, Apache could be configured in half a dozen
different ways, from htpasswd files to LDAP and PAM authentication.
It's not reasonable for Subversion to need to know how to change
passwords for all these scenarios, and there already exist plenty of
existing ways for htpasswd files to get changed, for LDAP and system
user passwords to get changed, and so on. So it's not unreasonable to
place the burden on the system administrator to install a tool that
lets users of her particular Subversion setup change their passwords.

To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Received on Fri Nov 11 19:11:44 2005

This is an archived mail posted to the Subversion Users mailing list.

This site is subject to the Apache Privacy Policy and the Apache Public Forum Archive Policy.