Re: svn authentication

From: Ryan Schmidt <subversion-2006c_at_ryandesign.com>
Date: 2006-08-30 22:02:14 CEST

On Aug 30, 2006, at 21:23, Jim Weir wrote:

>>>> Basically, you just add usernames and password for the users
>>>> that need to
>>>> use the product.
>>>
>>> Is this password being sent plain text?
>>
>> Over the wire, some type of CRAM-MD5 is used, so the plain-text
>> password is not sent over the network. It is stored in plain text
>> on the server hard disk, as you see.
>
> Is this a potential security risk? How can I avoid this?

Some will consider this a security risk. To avoid it, don't use
svnserve by itself. Use svn+ssh, or https with one of the several
available Apache password verification systems, such as LDAP. Even
just a boring Apache .htpasswd file is encrypted.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Received on Wed Aug 30 22:56:42 2006

This message: [ Message body ]
Next message: Tuncer Ayaz: "Re: [LINUX] How to launch svnserve process with another user than 'root' ?"
Previous message: Johnathan Gifford: "Re: Making a copy that follows?"
In reply to: Jim Weir: "Re: svn authentication"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]