
RE: Cached client credentials not encrypted on Win2K with Subversion 1.2.3.

From: Barnett, Chris <Chris.Barnett_at_Yum.com>
Date: 2005-12-15 00:58:39 CET

Hi Joel,
 
The book is correct - the file is encrypted. But if you are the owner of
the file, and hence have the decryption key, Windows will automatically
decrypt it for you regardless of which program (e.g. notepad, subversion)
is opening it. This is why you appear to see a non-encrypted file.
 
As the book says, the encryption is provided by Windows. It is not
provided by Subversion.
 
You might be able to see the encrypted version if you try opening the
file with a different user account, but I've never tried it.
 
Regards,
 
Chris

________________________________

From: Joel Kuehner [mailto:jkuehne1@irf.com]
Sent: Thursday, 15 December 2005 10:38 AM
To: FG; users@subversion.tigris.org
Subject: RE: Cached client credentials not encrypted on Win2K with
Subversion 1.2.3.

OK, but these threads seem to be discussing the plain-text nature of the
stored password. I am fine with that.

I am referring to the apparent discrepancy between the behavior I see
(file not encrypted) and the following paragraph from the Client
Credentials Caching section of the Subversion Book (1.2):

"On Windows 2000 and later, the Subversion client uses standard Windows
cryptography services to encrypt the password on disk. Because the
encryption key is managed by Windows and is tied to the user's own login
credentials, only the user can decrypt the cached password. (Note: if
the user's Windows account password is changed, all of the cached
passwords become undecipherable. The Subversion client will behave as if
they don't exist, prompting for passwords when required.)"

My Subversion installation does not seem to comply with this paragraph.

- Joel

-----Original Message-----
From: FG [mailto:fgatwork@verizon.net]
Sent: Wed 2005-12-14 18:04
To: Joel Kuehner; users@subversion.tigris.org
Subject: Re: Cached client credentials not encrypted on Win2K with
Subversion 1.2.3.

Joel Kuehner wrote:
> Hi,
>
> In the past couple of weeks I've installed Subversion 1.2.3. Prior to
> this we were using CVS. I'm a newbie as far as Subversion is
> concerned, so maybe I misunderstand what is going on.
>
> I am running Windows 2000 SP4. Our repository is served by Apache
> running on a WinNT 4 box.
>
> I noticed today that my authentication file in
> %APPDATA%/Subversion/auth/svn.simple does not seem to be encrypted.
> If I look at the file properties the "Encrypt contents to secure data"
> box is not checked.
>
> Is this normal?
>
> --
> Joel Kuehner - Senior Development Engineer
> International Rectifier (Automotive Systems)
> 7020 Mumford Rd, Halifax, NS, Canada, B3L 4S9
> Ph: 902-431-1644 x261
> Fax: 902-431-1645
>
Joel,

This is very normal, and has been for quite some time. There have been
several other threads in the list discussing this. One of the more
recent is http://svn.haxx.se/users/archive-2005-11/0594.shtml.

Also - check out this FAQ -
http://subversion.tigris.org/faq.html#plaintext-passwords

Regards,
Frank

Received on Thu Dec 15 01:02:12 2005
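
An added example (not part of the original thread, and not Subversion's own code): the book paragraph quoted in the thread describes encryption of the cached password, so this sketch parses a cache entry and reports how the password field is labelled, without returning its value. The `K`/`V` ... `END` layout and the `passtype` = `wincrypt` marker are assumptions about the cache file format, and both sample entries are constructed.

```python
# Added example: report how a Subversion auth-cache entry stores its password.
# Assumption: the file is a "K <len> / V <len> ... END" hash dump, and a
# Windows-encrypted password is labelled with passtype = wincrypt.

def parse_svn_hash(data: bytes) -> dict:
    """Parse length-prefixed K/V records up to the END marker."""
    fields, pos = {}, 0

    def read(tag: bytes) -> bytes:
        nonlocal pos
        eol = data.index(b"\n", pos)            # ValueError if truncated
        kind, _, length = data[pos:eol].partition(b" ")
        start, end = eol + 1, eol + 1 + int(length)
        if kind != tag or end < start or data[end:end + 1] != b"\n":
            raise ValueError(f"malformed {tag.decode()} record at byte {pos}")
        pos = end + 1
        return data[start:end]

    while not data.startswith(b"END", pos):
        key = read(b"K")
        fields[key.decode()] = read(b"V")
    return fields

def audit_entry(data: bytes) -> dict:
    """Summarise one cache entry without ever returning the password value."""
    f = parse_svn_hash(data)
    if "password" not in f:
        storage = "absent"
    elif f.get("passtype") == b"wincrypt":
        storage = "wincrypt"
    else:
        storage = "not-wincrypt"
    return {"realm": f.get("svn:realmstring", b"").decode(),
            "username": f.get("username", b"").decode(),
            "storage": storage}

def dump_svn_hash(fields: dict) -> bytes:
    """Serialise a dict in the same layout (used only to build the samples)."""
    body = b"".join(b"K %d\n%s\nV %d\n%s\n" % (len(k), k, len(v), v)
                    for k, v in fields.items())
    return body + b"END\n"

# Constructed sample entries; realm, user and secrets are placeholders.
COMMON = {b"svn:realmstring": b"<https://svn.example.invalid:443> Constructed",
          b"username": b"alice"}
SAMPLE_WINCRYPT = dump_svn_hash({b"passtype": b"wincrypt",
                                 b"password": b"Q09OU1RSVUNURUQ=", **COMMON})
SAMPLE_UNLABELLED = dump_svn_hash({b"password": b"constructed-secret", **COMMON})

if __name__ == "__main__":
    for name, blob in [("wincrypt", SAMPLE_WINCRYPT), ("unlabelled", SAMPLE_UNLABELLED)]:
        print(name, audit_entry(blob))
```
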

This is an archived mail posted to the Subversion Users mailing list.