
Re: svn authentication

From: Ryan Schmidt <subversion-2006c_at_ryandesign.com>
Date: 2006-08-30 22:02:14 CEST

On Aug 30, 2006, at 21:23, Jim Weir wrote:

>>>> Basically, you just add usernames and password for the users
>>>> that need to use the product.
>>>
>>> Is this password being sent plain text?
>>
>> Over the wire, some type of CRAM-MD5 is used, so the plain-text
>> password is not sent over the network. It is stored in plain text
>> on the server hard disk, as you see.
>
> Is this a potential security risk? How can I avoid this?

Some will consider this a security risk. To avoid it, don't use
svnserve by itself. Use svn+ssh, or https with one of the several
available Apache password verification systems, such as LDAP. Even
just a boring Apache .htpasswd file is encrypted.

Received on Wed Aug 30 22:56:42 2006
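
Added example, not part of the original mail or of Subversion's code: a generic RFC 2195 style CRAM-MD5 exchange showing why the password stays off the wire yet the server must hold it in usable form, so a store of one-way hashes cannot verify the response. It is not svnserve's exact wire format; the user names, passwords, salt and host name are constructed.

```python
import hashlib
import hmac
import os
import time

# Constructed sample data: a plain-text store, as in the thread, and a
# salted-hash store holding the same password only as a one-way digest.
PLAINTEXT_DB = {"jim": "s3cret-example"}
SALT = b"constructed-salt"
HASHED_DB = {"jim": hashlib.sha256(SALT + b"s3cret-example").digest()}

def make_challenge(host="svn.example.org"):
    """Server: fresh, unpredictable challenge in the RFC 2195 msg-id form."""
    return f"<{os.urandom(8).hex()}.{int(time.time())}@{host}>".encode()

def client_response(user, password, challenge):
    """Client: send HMAC-MD5(key=password, msg=challenge), never the password."""
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return f"{user} {digest}"

def _check(key, challenge, digest):
    # Recompute the keyed digest and compare in constant time.
    expected = hmac.new(key, challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(expected.encode(), digest.encode())

def server_verify(db, challenge, response):
    """Server with the plain-text store: the stored password is the HMAC key."""
    user, _, digest = response.rpartition(" ")
    return user in db and _check(db[user].encode(), challenge, digest)

def server_verify_hashed(db, challenge, response):
    """Server with only a one-way hash: the key the client used is not
    recoverable, so the expected response cannot be recomputed."""
    user, _, digest = response.rpartition(" ")
    return user in db and _check(db[user], challenge, digest)

if __name__ == "__main__":
    challenge = make_challenge()
    resp = client_response("jim", "s3cret-example", challenge)
    print("on the wire :", challenge.decode(), "->", resp)
    print("plain store :", server_verify(PLAINTEXT_DB, challenge, resp))
    print("hashed store:", server_verify_hashed(HASHED_DB, challenge, resp))
    print("replayed    :", server_verify(PLAINTEXT_DB, make_challenge(), resp))
```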

This is an archived mail posted to the Subversion Users mailing list.
