
Re: plaintext passwords - my 0.02c

From: Mark Ryan <m.ryan_at_phion.com>
Date: 2006-07-19 13:25:31 CEST

I have been following this thread with some interest - having worked as
config manager/sysadmin for ten years or so, mostly with large financial
organisations and now with a much smaller firm, I can understand
security (and other!) concerns that some companies would have but also
recognise that some firms' security people can go over the top with
these things. Basically, the cost to protect (including potential lost
productivity) must be balanced against the potential loss through
security issues and I guess that both these things are very difficult
things to quantify.

However, I have an additional question: *Is the problem limited to
environments only using svnserve?*
For example, if I set up an environment using https, there are no
plaintext password files stored on the server but I still have the issue
of having my own password stored in plaintext in my own home directory
(~/.subversion/auth/svn.simple - or something like that, I think) -
albeit with read permissions only for me. In some ways this is worse -
if I am authenticating against a central service (eg. LDAP) then I have
to use my regular login password (at least with the svnserve method you
can have a separate password!)

I accept that this might not appear as big a problem as a whole password
file but if my home directory is mounted across several machines,
there's nothing to stop somebody (who has root access on **any** of
those machines) su-ing to me and taking a peek at my password. In a
networked environment this is not difficult to do (getting root to a
linux desktop is not difficult if you have access to the box on the
desktop!)

Can I keep this password stored in an encrypted format? Does anyone else
see this as an issue??

Cheers

Mark.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Received on Wed Jul 19 13:23:34 2006
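The cache the post refers to is the directory ~/.subversion/auth/svn.simple/, one file per realm, written in Subversion's own "K <len> / key / V <len> / value ... END" hash-file format. The following script is an added example, not code from the thread or from the Subversion project: it parses that format, reports which cached entries hold the password itself in clear text (passtype "simple" plus a password key) as opposed to entries that only point at an OS credential store, and checks whether each file is readable by anyone other than the owner. The sample record, realm, user name and password are constructed for the example.

```python
"""Check a ~/.subversion/auth cache for cleartext passwords.

Added example, not from the original thread or the Subversion project.
It parses the svn hash-file format used by the files under
~/.subversion/auth/svn.simple/ and flags entries whose `passtype` is
`simple`, meaning the password itself sits in the file in clear text.
"""
import stat
from pathlib import Path

# Constructed sample of a cleartext cache entry: every key and value is
# length-prefixed (byte count), and the record ends with END. Realm,
# user and password are made up for this example.
SAMPLE_PLAINTEXT = (
    b"K 8\npasstype\nV 6\nsimple\n"
    b"K 8\npassword\nV 9\nhunter2!!\n"
    b"K 15\nsvn:realmstring\nV 48\n<https://svn.example.com:443> Example Repository\n"
    b"K 8\nusername\nV 5\nmryan\n"
    b"END\n"
)

# passtype values that mean the password is held by an OS credential store
# rather than in the file (the file then keeps only realm and username).
STORE_PASSTYPES = {"gnome-keyring", "kwallet", "gpg-agent", "wincrypt", "keychain"}


def parse_svn_hash(data: bytes) -> dict:
    """Parse one svn hash file: 'K n\\nkey\\nV m\\nvalue\\n' records ending in 'END\\n'."""
    fields, pos = {}, 0
    while True:
        nl = data.index(b"\n", pos)
        header, pos = data[pos:nl], nl + 1
        if header == b"END":
            return fields
        if not header.startswith(b"K "):
            raise ValueError(f"expected 'K <len>' before offset {pos}, got {header!r}")
        klen = int(header[2:])
        key, pos = data[pos:pos + klen], pos + klen + 1      # +1 skips the newline
        nl = data.index(b"\n", pos)
        vheader, pos = data[pos:nl], nl + 1
        if not vheader.startswith(b"V "):
            raise ValueError(f"expected 'V <len>' for key {key!r}, got {vheader!r}")
        vlen = int(vheader[2:])
        value, pos = data[pos:pos + vlen], pos + vlen + 1
        fields[key.decode()] = value.decode("utf-8", "replace")


def build_svn_hash(fields: dict) -> bytes:
    """Inverse of parse_svn_hash; used here only to construct further samples."""
    out = bytearray()
    for key, value in fields.items():
        kb, vb = key.encode(), value.encode()
        out += b"K %d\n%s\nV %d\n%s\n" % (len(kb), kb, len(vb), vb)
    return bytes(out + b"END\n")


def classify(fields: dict) -> str:
    """'plaintext' if the secret is in the file, 'store' if delegated to a keyring, else 'unknown'."""
    passtype = fields.get("passtype", "")
    if passtype == "simple" and "password" in fields:
        return "plaintext"
    if passtype in STORE_PASSTYPES and "password" not in fields:
        return "store"
    return "unknown"


def audit_auth_dir(auth_dir) -> list:
    """Walk <auth_dir>/svn.simple; return (file, realm, status, owner_only) per cache entry."""
    findings = []
    for path in sorted(Path(auth_dir, "svn.simple").glob("*")):
        if not path.is_file():
            continue
        fields = parse_svn_hash(path.read_bytes())
        mode = stat.S_IMODE(path.stat().st_mode)
        owner_only = mode & (stat.S_IRWXG | stat.S_IRWXO) == 0   # no group/other bits
        findings.append((path.name, fields.get("svn:realmstring", "?"),
                         classify(fields), owner_only))
    return findings


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else Path.home() / ".subversion" / "auth"
    for name, realm, status, owner_only in audit_auth_dir(target):
        flag = "mode ok" if owner_only else "MODE OPEN"
        print(f"{status:9} {flag:9} {name}  {realm}")
```

Run it as `python3 svn_auth_audit.py` (or pass a different auth directory) and look for any line marked `plaintext`. The mode check only tells you whether other ordinary users could read the file; as the post points out, it does nothing against root on any host that mounts the home directory. Subversion releases from 1.6 onward added two knobs that address the question asked here: `store-plaintext-passwords = no` in the `[global]` section of `~/.subversion/servers` makes the client refuse to write cleartext entries, and `password-stores` in the `[auth]` section of `~/.subversion/config` lets it hand the secret to GNOME Keyring, KWallet or a similar store, leaving only realm and user name on disk.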

This is an archived mail posted to the Subversion Users mailing list.
