Re: svn authentication

From: Ryan Schmidt <subversion-2006c_at_ryandesign.com>
Date: 2006-08-31 00:04:30 CEST

On Aug 30, 2006, at 23:44, Sheryl wrote:

>> If you are really concerned, the answer is to use the Apache server option
>> or SSH.
>
> I'm using the Apache server with SSL and LDAP, but apparently the svn
> command can't do sessions and still stores the password in plain text in
> the .subversion directory on the client. My understanding is that the
> only way around this would be to use svnserve with ssh. And for ssh every
> user will have to have a command line login to the box (unless we block it
> with firewall rules or something). Or have I missed something?

First of all, now we're talking about something else. First, you were
talking about plain-text passwords stored in the svnserve password
file. This is solved by not using svnserve. Now, you're talking about
plain-text passwords stored in the client auth cache. This is
addressed by the following FAQ entry which explains your options:

http://subversion.tigris.org/faq.html#plaintext-passwords

What that entry does not yet say is that as of Subversion 1.4, on Mac
OS X, passwords are stored in the keychain, and therefore encrypted,
just like they are on Windows as of Subversion 1.2.

Finally, for svn+ssh access, no, every user does not need their own
login to the server; there can be a single login that is shared. See
the last paragraphs of this section of the book:

http://svnbook.red-bean.com/en/1.2/svn.serverconfig.svnserve.html#svn.serverconfig.svnserve.sshtricks

> Whatever the arguments for caching the password in plain text, and I've
> seen a lot of discussion on the subject in the past couple of months I've
> been on the list, my employer has a policy against it so we can't do it.
> Server or client side.

Great; then don't use plain-text passwords. Use https to serve the
repository, and either use Windows clients with Subversion 1.2.0 or
greater and Mac clients with Subversion 1.4.0 or greater, or if you
need to have clients with other OSes, then turn off password caching
on the client and require people to type the password each time. Or
better yet, use svn+ssh to serve the repository, and use public and
private keys, so that no password ever needs to be stored anywhere.

Received on Thu Aug 31 00:14:18 2006

This is an archived mail posted to the Subversion Users mailing list.
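
To check whether a client's auth cache already holds plain-text passwords of the kind discussed in this thread, a small audit script can help. This is an added example, not part of the original message or of Subversion itself. It assumes the cache is in `~/.subversion/auth/svn.simple` in Subversion's K/V hash-dump format, and that an entry with no `passtype` (or `simple`) stores the password unencrypted. The sample entries are constructed.

```python
import os

def _read_item(data, pos, tag):
    """Read one 'K <len>' or 'V <len>' record; return (payload, next_pos)."""
    eol = data.index(b"\n", pos)
    kind, length = data[pos:eol].split(b" ")
    if kind != tag:
        raise ValueError("unexpected record type")
    end = eol + 1 + int(length)
    return data[eol + 1:end], end + 1  # skip the newline after the payload

def parse_svn_hash(data):
    """Parse the K/V hash dump used by files under ~/.subversion/auth."""
    entries, pos = {}, 0
    while not data.startswith(b"END", pos):
        key, pos = _read_item(data, pos, b"K")
        value, pos = _read_item(data, pos, b"V")
        entries[key.decode()] = value
    return entries

def plaintext_entry(data):
    """Return (realm, username) if the entry caches a plain-text password."""
    entry = parse_svn_hash(data)
    # Assumed: no passtype or "simple" = stored as-is; wincrypt/keychain = protected.
    if "password" not in entry or entry.get("passtype", b"simple") != b"simple":
        return None
    return (entry.get("svn:realmstring", b"").decode(),
            entry.get("username", b"").decode())

def audit_cache(auth_dir):
    """Scan <auth_dir>/svn.simple; the password is never returned or printed."""
    findings, simple = [], os.path.join(auth_dir, "svn.simple")
    for name in sorted(os.listdir(simple)):
        try:
            with open(os.path.join(simple, name), "rb") as fh:
                hit = plaintext_entry(fh.read())
        except (OSError, ValueError):
            continue  # unreadable, or not a hash dump
        if hit:
            findings.append((name,) + hit)
    return findings

# Constructed sample entries (not real credentials).
SAMPLE_PLAIN = (b"K 8\npassword\nV 11\nconstructed\nK 8\nusername\nV 5\nalice\n"
                b"K 15\nsvn:realmstring\nV 34\n<https://svn.example.com:443> Repo\nEND\n")
SAMPLE_WINCRYPT = (b"K 8\npasstype\nV 8\nwincrypt\nK 8\npassword\nV 16\n"
                   b"constructed-blob\nK 8\nusername\nV 3\nbob\nEND\n")

if __name__ == "__main__":
    print(plaintext_entry(SAMPLE_PLAIN), plaintext_entry(SAMPLE_WINCRYPT))
```

To scan a real client, call `audit_cache(os.path.expanduser("~/.subversion/auth"))`; any entry it reports should be deleted once password caching is turned off.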