
Re: problems when using subversion over http with large files

From: Nico Kadel-Garcia <nkadel_at_comcast.net>
Date: 2006-07-28 11:12:36 CEST

John Szakmeister wrote:
> ----- Nico Kadel-Garcia <nkadel@comcast.net> wrote:
>> ----- Original Message -----
>> From: "Martin Povolný" <martin.povolny@solnet.cz>
>> To: <users@subversion.tigris.org>
>> Sent: Thursday, July 27, 2006 4:01 AM
>> Subject: problems when using subversion over http with large files
>>
>> Hallo,
>>
>> we are using subversion on a couple of quite large repositories.
>> In our setup we have apache2 with ldap authentication and
>> dav_svn.
>>
>> Uh-oh. You've walked square into a serious security issue: The SVN
>> clients store user login names and passwords in cleartext: for the
>> commandline, it's typically in
>> $HOME/.subversion/./auth/svn.simple/[hashedname]
>>
>> If you have the Apache LDAP using your users' normal login
>> passwords, which is easy to do, then your users' passwords are
>> stored in cleartext in the home directory of their LDAP client. The
>> graceful way to avoid the problem is to use svn+ssh for write access.
>
> Not in Windows (they're using TortoiseSVN). It's stored encrypted on
> the Windows platform, and in the Keychain on Mac OS X.

Good. Just be aware that you have no way to force them not to use UNIX or
Linux clients, so it's easy to accidentally store such keys in clear-text
with the current release.

Received on Fri Jul 28 11:13:26 2006

This is an archived mail posted to the Subversion Users mailing list.
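
An added example, not part of the original thread: a defender-side audit that parses the Subversion client's credential cache files and reports which entries hold an unencrypted password, without ever printing the password. It assumes the cache uses Subversion's length-prefixed `K`/`V` ... `END` hash-dump layout with `passtype`, `password`, `username` and `svn:realmstring` keys, and treats a missing `passtype` as plaintext; the sample entries and realm are constructed.

```python
import os
import tempfile

def _field(data, pos, tag):
    """Read one 'K <len>' or 'V <len>' header and its length-prefixed body."""
    eol = data.index(b"\n", pos)  # raises ValueError if the header is truncated
    if not data.startswith(tag + b" ", pos):
        raise ValueError("expected %r header at offset %d" % (tag, pos))
    start, size = eol + 1, int(data[pos + 2:eol])
    return data[start:start + size], start + size + 1  # skip body and its newline

def parse_svn_hash(data):
    """Parse a Subversion hash-dump file (K/V pairs terminated by END)."""
    fields, pos = {}, 0
    while pos < len(data) and not data.startswith(b"END", pos):
        key, pos = _field(data, pos, b"K")
        value, pos = _field(data, pos, b"V")
        fields[key.decode("utf-8", "replace")] = value
    return fields

def audit_auth_dir(auth_dir):
    """Return (file, username, realm) per entry caching a plaintext password."""
    findings = []
    for name in sorted(os.listdir(auth_dir)):
        try:
            with open(os.path.join(auth_dir, name), "rb") as fh:
                f = parse_svn_hash(fh.read())
        except (OSError, ValueError):
            continue  # unreadable, or not a hash-dump file
        # Assumption: an entry with no passtype was written as plaintext.
        if "password" in f and f.get("passtype", b"simple") == b"simple":
            user = f.get("username", b"?").decode("utf-8", "replace")
            realm = f.get("svn:realmstring", b"?").decode("utf-8", "replace")
            findings.append((name, user, realm))
    return findings

def _entry(pairs):
    # Serialize constructed sample data in the same K/V format.
    return b"".join(b"K %d\n%s\nV %d\n%s\n" % (len(k), k, len(v), v) for k, v in pairs) + b"END\n"

def demo():
    """Audit a temp directory holding two constructed cache entries."""
    realm = b"<https://svn.example.invalid:443> Constructed Realm"
    with tempfile.TemporaryDirectory() as d:
        for fname, ptype, pw in (("aaaa", b"simple", b"not-a-real-pw"), ("bbbb", b"wincrypt", b"QUJD")):
            with open(os.path.join(d, fname), "wb") as fh:
                fh.write(_entry([(b"passtype", ptype), (b"password", pw), (b"svn:realmstring", realm), (b"username", b"alice")]))
        return audit_auth_dir(d)
```

To check a real account, pass the `svn.simple` directory under the user's `.subversion/auth` to `audit_auth_dir`; any row it returns is a password that should be rotated and the cache entry deleted.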
