
Re: plaintext passwords - my 0.02c

From: gmu 2k6 <gmu2006_at_gmail.com>
Date: 2006-07-19 14:55:58 CEST

On 7/19/06, gmu 2k6 <gmu2006@gmail.com> wrote:
> On 7/19/06, Ryan Schmidt <subversion-2006c@ryandesign.com> wrote:
> > On Jul 19, 2006, at 13:25, Mark Ryan wrote:
> >
> > > However, I have an additional question: *Is the problem limited
> > > to environments only using svnserve?*
> > > For example, if I set up an environment using https, there are no
> > > plaintext password files stored on the server but I still have the
> > > issue of having my own password stored in plaintext in my own home
> > > directory (~/.subversion/auth/svn.simple - or something like that,
> > > I think) - albeit with read permissions only for me. In some ways
> > > this is worse - if I am authenticating against a central service
> > > (eg. LDAP) then I have to use my regular login password (at least
> > > with the svnserve method you can have a separate password!)
> > >
> > > I accept that this might not appear as big a problem as a whole
> > > password file but if my home directory is mounted across several
> > > machines, there's nothing to stop somebody (who has root access on
> > > **any** of those machines) su-ing to me and taking a peek at my
> > > password. In a networked environment this is not difficult to do
> > > (getting root to a linux desktop is not difficult if you have
> > > access to the box on the desktop!)
> > >
> > > Can I keep this password stored in an encrypted format? Does anyone
> > > else see this as an issue??
> >
> >
> > There are two separate issues being (inadvertently?) mixed and
> > confused with one another in this thread.
> >
> > The thread originally started with the issue that svnserve stores
> > plain-text passwords on the server. This is AFAIK not changing
> > because the protocol requires this.
> >
> > Later in the thread someone pointed to the FAQ entry, and someone
> > else pointed to a patch someone submitted to bring the FAQ entry up-
> > to-date w.r.t. current versions of Subversion.
> >
> > http://subversion.tigris.org/faq.html#plaintext-passwords
> >
> > http://svn.haxx.se/dev/archive-2006-02/1369.shtml
> >
> > The above two URLs only relate to the client storing passwords in
> > plain text (regardless of the method the server uses to serve the
> > repository). On Windows since Subversion 1.2.0 and on Mac OS X since
> > Subversion 1.4.0 such passwords are (or can be) encrypted using the
> > relevant OS-level password encryption services.
>
> the WIP I've been referring to is for server-side changes to support
> SASL which will allow authentication in the backend against many
> possible plugins like KRB5 or plaintext. This will fix the svnserve
> passwd plaintext issue.

To correct myself, the changes involve client and server-side but are
about SASL still.
http://en.wikipedia.org/wiki/SASL
http://subversion.tigris.org/issues/show_bug.cgi?id=1144
http://svn.haxx.se/dev/archive-2006-07/0300.shtml
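The client-side half of the thread (plaintext passwords cached under ~/.subversion/auth/svn.simple) can be audited without ever printing a secret. The script below is an added example, not code from this thread or from the Subversion project: it parses the length-prefixed K/V hash format Subversion uses for those cache files and flags entries whose passtype is "simple" (or absent) while a password field is present. The two sample entries are constructed, with made-up realms, usernames and password.

```python
from pathlib import Path
from typing import Dict, List

def parse_svn_hash(raw: bytes) -> Dict[str, str]:
    """Parse Subversion's serialized hash: 'K <len>', key, 'V <len>', value, ... 'END'.
    Lengths are byte counts, so the input is handled as bytes, not decoded text."""
    entry: Dict[str, str] = {}
    pos = 0
    while True:
        nl = raw.index(b"\n", pos)
        header, pos = raw[pos:nl], nl + 1
        if header == b"END":
            return entry
        if not header.startswith(b"K "):
            raise ValueError(f"expected 'K <len>', got {header!r}")
        klen = int(header[2:])
        key, pos = raw[pos:pos + klen], pos + klen + 1   # +1 skips newline after key
        nl = raw.index(b"\n", pos)
        vheader, pos = raw[pos:nl], nl + 1
        if not vheader.startswith(b"V "):
            raise ValueError(f"expected 'V <len>' for key {key!r}")
        vlen = int(vheader[2:])
        entry[key.decode()] = raw[pos:pos + vlen].decode()
        pos += vlen + 1

# Constructed samples (not real credentials): one plaintext cache entry as a
# pre-1.2 style client writes it, one where the password lives in the OS keychain.
PLAINTEXT_ENTRY = (b"K 8\npasstype\nV 6\nsimple\nK 8\npassword\nV 7\nhunter2\n"
                   b"K 15\nsvn:realmstring\nV 42\n<https://svn.example.org:443> Example Repo\n"
                   b"K 8\nusername\nV 5\nalice\nEND\n")
KEYCHAIN_ENTRY = (b"K 8\npasstype\nV 8\nkeychain\n"
                  b"K 15\nsvn:realmstring\nV 42\n<https://svn.example.org:443> Example Repo\n"
                  b"K 8\nusername\nV 3\nbob\nEND\n")

def audit_entry(raw: bytes) -> Dict[str, object]:
    """Classify one cache file. The password value is deliberately never returned."""
    entry = parse_svn_hash(raw)
    passtype = entry.get("passtype", "simple")   # no passtype field means a plaintext entry
    return {"realm": entry.get("svn:realmstring", "?"), "username": entry.get("username", "?"),
            "passtype": passtype, "plaintext": passtype == "simple" and "password" in entry}

def audit_auth_dir(auth_dir: Path) -> List[Dict[str, object]]:
    """Audit every file under <auth_dir>/svn.simple, e.g. auth_dir = ~/.subversion/auth."""
    files = sorted(p for p in (auth_dir / "svn.simple").glob("*") if p.is_file())
    return [{"file": p.name, **audit_entry(p.read_bytes())} for p in files]

if __name__ == "__main__":
    for r in audit_auth_dir(Path.home() / ".subversion" / "auth"):
        print("PLAINTEXT" if r["plaintext"] else "protected ", r["passtype"], r["username"], r["realm"])
```

Run it on each machine that mounts the shared home directory; any line marked PLAINTEXT is a credential readable by anyone who can become that user there.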

Received on Wed Jul 19 14:57:56 2006

This is an archived mail posted to the Subversion Users mailing list.