
Re: plaintext passwords - my 0.02c

From: Ryan Schmidt <subversion-2006c_at_ryandesign.com>
Date: 2006-07-19 14:15:51 CEST

On Jul 19, 2006, at 13:25, Mark Ryan wrote:

> However, I have an additional question: Is the problem limited
> to environments only using svnserve?
> For example, if I set up an environment using https, there are no
> plaintext password files stored on the server but I still have the
> issue of having my own password stored in plaintext in my own home
> directory (~/.subversion/auth/svn.simple - or something like that,
> I think) - albeit with read permissions only for me. In some ways
> this is worse - if I am authenticating against a central service
> (eg. LDAP) then I have to use my regular login password (at least
> with the svnserve method you can have a separate password!)
>
> I accept that this might not appear as big a problem as a whole
> password file but if my home directory is mounted across several
> machines, there's nothing to stop somebody (who has root access on
> **any** of those machines) su-ing to me and taking a peek at my
> password. In a networked environment this is not difficult to do
> (getting root to a linux desktop is not difficult if you have
> access to the box on the desktop!)
>
> Can I keep this password stored in an encrypted format? Does anyone
> else see this as an issue??

There are two separate issues being (inadvertently?) mixed and
confused with one another in this thread.

The thread originally started with the issue that svnserve stores
plain-text passwords on the server. This is AFAIK not changing
because the protocol requires this.

Later in the thread someone pointed to the FAQ entry, and someone
else pointed to a patch someone submitted to bring the FAQ entry up-
to-date w.r.t. current versions of Subversion.

http://subversion.tigris.org/faq.html#plaintext-passwords

http://svn.haxx.se/dev/archive-2006-02/1369.shtml

The above two URLs only relate to the client storing passwords in
plain text (regardless of the method the server uses to serve the
repository). On Windows since Subversion 1.2.0 and on Mac OS X since
Subversion 1.4.0 such passwords are (or can be) encrypted using the
relevant OS-level password encryption services.
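A defender's check for the client-side half of this, added here as an example and not code from the thread or from the Subversion project: it parses the hash-file records the client writes under ~/.subversion/auth/svn.simple and reports the realms whose password is cached in the clear (passtype "simple", or no passtype at all as older clients wrote) rather than through the OS-level store the mail mentions. The record format, the passtype values and the sample records are my assumptions; the samples are constructed and contain no real credentials.

```python
import io
from typing import Dict, Iterable, List, Tuple


def parse_svn_hash(data: bytes) -> Dict[str, bytes]:
    """Parse one ~/.subversion/auth/ file (Subversion hash format): "K <len>" / key /
    "V <len>" / value line groups ending in "END"; lengths are byte counts."""
    buf = io.BytesIO(data)
    fields: Dict[str, bytes] = {}

    def read_value(header: bytes, tag: bytes) -> bytes:
        if not header.startswith(tag + b" "):
            raise ValueError(f"expected {tag!r} header, got {header!r}")
        length = int(header[2:].strip())
        value = buf.read(length)  # read by length: a value may itself contain "\n"
        if len(value) != length or buf.read(1) != b"\n":
            raise ValueError("truncated field")
        return value

    while True:
        line = buf.readline()
        if line.rstrip(b"\n") == b"END":
            return fields
        if not line:
            raise ValueError("missing END terminator")
        key = read_value(line, b"K").decode()
        fields[key] = read_value(buf.readline(), b"V")


def plaintext_realms(files: Iterable[Tuple[str, bytes]]) -> List[str]:
    """Realms whose cached credential is a plaintext password: a `password` field with
    passtype "simple" or no passtype (assumed: older clients); wincrypt/keychain = OS store."""
    hits: List[str] = []
    for name, data in files:
        fields = parse_svn_hash(data)
        passtype = fields.get("passtype", b"").decode() or None
        if "password" in fields and passtype in (None, "simple"):
            hits.append(fields.get("svn:realmstring", name.encode()).decode())
    return hits


# Constructed sample records (no real credentials): a plaintext entry, a legacy
# entry without passtype, and a Windows entry whose password field is an
# encrypted blob (placeholder bytes stand in for the real ciphertext).
SAMPLE_PLAIN = (b"K 8\npasstype\nV 6\nsimple\nK 8\npassword\nV 6\ns3cret\nK 15\nsvn:realmstring\n"
                b"V 35\n<https://svn.example.test:443> Repo\nK 8\nusername\nV 5\nalice\nEND\n")
SAMPLE_LEGACY = (b"K 8\npassword\nV 6\ns3cret\nK 15\nsvn:realmstring\nV 33\n"
                 b"<svn://svn.example.test:3690> Old\nK 8\nusername\nV 3\nbob\nEND\n")
SAMPLE_WINCRYPT = (b"K 8\npasstype\nV 8\nwincrypt\nK 8\npassword\nV 13\nENCRYPTEDBLOB\nK 15\n"
                   b"svn:realmstring\nV 35\n<https://svn.example.test:443> Repo\nK 8\nusername\nV 5\ncarol\nEND\n")
```

To audit a real cache, feed `plaintext_realms` one `(p.name, p.read_bytes())` pair per file in ~/.subversion/auth/svn.simple.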

Received on Wed Jul 19 14:17:17 2006

This is an archived mail posted to the Subversion Users mailing list.
