[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: svn authentication

From: Sheryl <gubydala_at_his.com>
Date: 2006-09-01 23:10:25 CEST

Ryan Schmidt wrote:

> First of all, now we're talking about something else. First, you were
> talking about plain-text passwords stored in the svnserve password
> file. This is solved by not using svnserve. Now, you're talking about
> plain-text passwords stored in the client auth cache. This is
> addressed by the following FAQ entry which explains your options:

Actually, I wasn't talking about *anything* first because the posting
your replied to was my first one in the thread, maybe the first one on the
list. Thanks for the, um, warm welcome.

> http://subversion.tigris.org/faq.html#plaintext-passwords

Which I'm quite familiar with and does little but blow off concerns about
plaintext passwords. My personal level of comfort and what CVS did are
irrelevant. I have to abide by company policy.

> What that entry does not yet say is that as of Subversion 1.4, on Mac
> OS X, passwords are stored in the keychain, and therefore encrypted,
> just like they are on Windows as of Subversion 1.2.

Which would be just peachy if we used Windows or Mac OS X. :-)

> or if you
> need to have clients with other OSes, then turn off password caching
> on the client and require people to type the password each time.

Which we're trying to do, but is a drag and unenforceable.

> Or
> better yet, use svn+ssh to serve the repository, and use public and
> private keys, so that no password ever needs to be stored anywhere.

I was considering doing just that when I saw the posting about passwords
in svnserve.conf and asked the question that got my head bitten off. For
a moment I wondered if I had missed something and would put in the effort
and just move my password problem from the clients to the servers.

But to me, the more important question is -- how portable is the Mac OS
keychain solution? Any chance that's going to find its way into the Linux
code? The suggestion in the FAQ that someone spend time porting the
half-baked rot13 obsfuscation to subversion is pretty useless, but if
there's not some architectural impediment to porting the Mac OS keychain
solution to Linux that could be worth spending some time on.

Sheryl

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Received on Fri Sep 1 23:11:40 2006

This is an archived mail posted to the Subversion Users mailing list.