
Re: plaintext passwords - my 0.02c

From: gmu 2k6 <gmu2006_at_gmail.com>
Date: 2006-07-19 14:54:12 CEST

On 7/19/06, Ryan Schmidt <subversion-2006c@ryandesign.com> wrote:
> On Jul 19, 2006, at 13:25, Mark Ryan wrote:
>
> > However, I have an additional question: Is the problem limited
> > to environments only using svnserve?
> > For example, if I set up an environment using https, there are no
> > plaintext password files stored on the server but I still have the
> > issue of having my own password stored in plaintext in my own home
> > directory (~/.subversion/auth/svn.simple - or something like that,
> > I think) - albeit with read permissions only for me. In some ways
> > this is worse - if I am authenticating against a central service
> > (e.g. LDAP) then I have to use my regular login password (at least
> > with the svnserve method you can have a separate password!)
> >
> > I accept that this might not appear as big a problem as a whole
> > password file but if my home directory is mounted across several
> > machines, there's nothing to stop somebody (who has root access on
> > **any** of those machines) su-ing to me and taking a peek at my
> > password. In a networked environment this is not difficult to do
> > (getting root to a linux desktop is not difficult if you have
> > access to the box on the desktop!)
> >
> > Can I keep this password stored in an encrypted format? Does anyone
> > else see this as an issue??
>
>
> There are two separate issues being (inadvertently?) mixed and
> confused with one another in this thread.
>
> The thread originally started with the issue that svnserve stores
> plain-text passwords on the server. This is AFAIK not changing
> because the protocol requires this.
>
> Later in the thread someone pointed to the FAQ entry, and someone
> else pointed to a patch someone submitted to bring the FAQ entry up-
> to-date w.r.t. current versions of Subversion.
>
> http://subversion.tigris.org/faq.html#plaintext-passwords
>
> http://svn.haxx.se/dev/archive-2006-02/1369.shtml
>
> The above two URLs only relate to the client storing passwords in
> plain text (regardless of the method the server uses to serve the
> repository). On Windows since Subversion 1.2.0 and on Mac OS X since
> Subversion 1.4.0 such passwords are (or can be) encrypted using the
> relevant OS-level password encryption services.

The WIP I've been referring to is for server-side changes to support
SASL, which will allow authentication in the backend against many
possible plugins like KRB5 or plaintext. This will fix the svnserve
passwd plaintext issue.

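As an added example (not from this thread or from the Subversion project), a small audit script that reads the `~/.subversion/auth/svn.simple` cache files Mark asks about and reports, per realm, whether the password itself is sitting in the file or only a reference to an OS keystore; the length-prefixed K/V file layout and the `passtype` marker values are assumed from later Subversion releases, and the sample entries are constructed.

```python
from pathlib import Path

# Constructed svn.simple cache entries (not from any real machine). Assumed
# layout: "K <len>" / key / "V <len>" / value pairs, terminated by "END".
# First one is what the plain provider writes; second has the password
# moved to the OS keystore, leaving only a passtype marker.
REALM = "K 15\nsvn:realmstring\nV 34\n<https://svn.example.com:443> Repo\n"
SAMPLE_PLAINTEXT = ("K 8\npasstype\nV 6\nsimple\nK 8\npassword\nV 9\nhunter2xx\n"
                    + REALM + "K 8\nusername\nV 5\nalice\nEND\n")
SAMPLE_KEYCHAIN = ("K 8\npasstype\nV 8\nkeychain\n"
                   + REALM + "K 8\nusername\nV 5\nalice\nEND\n")

def parse_svn_hash(text):
    """Parse Subversion's length-prefixed K/V hash format into a dict."""
    data, pos, result = text.encode("utf-8"), 0, {}
    while True:
        nl = data.index(b"\n", pos)
        header = data[pos:nl].decode("utf-8")
        pos = nl + 1
        if header == "END":
            return result
        kind, length = header.split()
        if kind != "K":
            raise ValueError("expected key header, got %r" % header)
        key = data[pos:pos + int(length)].decode("utf-8")
        pos += int(length) + 1                      # key + newline
        nl = data.index(b"\n", pos)
        kind, length = data[pos:nl].decode("utf-8").split()
        if kind != "V":
            raise ValueError("expected value header for key %r" % key)
        pos = nl + 1
        result[key] = data[pos:pos + int(length)].decode("utf-8")
        pos += int(length) + 1                      # value + newline

def classify(entry):
    """'plaintext' if the password itself sits in the file, otherwise the
    passtype marker (keychain, gnome-keyring, kwallet, wincrypt, ...)."""
    if "password" in entry and entry.get("passtype", "simple") == "simple":
        return "plaintext"
    return entry.get("passtype", "unknown")

def audit_auth_dir(auth_dir):
    """Return (realm, username, storage) for every svn.simple entry."""
    parsed = (parse_svn_hash(p.read_text()) for p in sorted(Path(auth_dir, "svn.simple").glob("*")))
    return [(e.get("svn:realmstring", "?"), e.get("username", "?"), classify(e)) for e in parsed]

if __name__ == "__main__":
    for realm, user, storage in audit_auth_dir(Path.home() / ".subversion" / "auth"):
        print(f"{storage:12} {user:10} {realm}")
```

Any realm reported as `plaintext` is exactly the case Mark describes: readable by anyone who can become that user on a host that mounts the home directory.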
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Received on Wed Jul 19 14:55:46 2006

This is an archived mail posted to the Subversion Users mailing list.
