Hadmut Danisch wrote:
> Hi,
>
> I just installed a subversion repository together with webdav and an
> apache server, protected
> by password authentication over LDAP and HTTPS.
>
> Accessing this repository over HTTPS worked perfectly except for a
> severe security
> problem:
>
> Unless turned off in the user's (or common) configuration file,
> subversion stores the password
> in plain text files. Since the web access password is the same as the
> common account password
> used for several services, inexperienced users compromise their own
> passwords without even
> realizing it.
>
> Although not a bug in the common sense, this is a severe security flaw
> by design.
>
> I would strongly recommend to modify this behavior and to never ever let
> subversion store
> any password by itself. If the password should be stored locally, then
> the user should do
> it himself or at least give an option to do so.
>
> And, btw, it would be nice to support the https://user@server/... syntax
> or a way to take the
> user from the environment or configuration.
See
http://subversion.tigris.org/faq.html#plaintext-passwords
http://svnbook.red-bean.com/nightly/en/svn.serverconfig.netmodel.html#svn.serverconfig.netmodel.credcache
Regards,
Blair
--
Blair Zajac, Ph.D.
<blair_at_orcaware.com>
http://www.orcaware.com/svn/
Received on 2008-03-20 00:35:00 CET
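The on-disk cache the thread is talking about lives under ~/.subversion/auth/svn.simple/, one file per realm, in Subversion's "K <len> / V <len> / END" hash-dump format; an entry whose passtype is "simple" carries the password itself in clear text. The script below is an added example, not code from the thread or from the Subversion project: it parses that format and lists every entry that holds a plaintext password, so an administrator can check users' home directories after the fact. The two cache files it writes into a temporary directory are constructed here, with made-up realm, user names and password, and the hash-dump layout is assumed from the format Subversion 1.x uses.

```shell
#!/bin/sh
# Added example: audit a ~/.subversion/auth/svn.simple directory for cache
# entries that store the password in clear text (passtype "simple").
# Not part of the mailing-list thread; the sample files below are constructed.

# Read one value out of an svn hash-dump file.
# Format assumed: "K <len>" line, key line, "V <len>" line, value line, ..., "END".
# $1 = file, $2 = key name
svn_auth_get() {
  awk -v want="$2" '
    $1 == "K" { getline k; next }                      # next line is the key
    $1 == "V" { getline v; if (k == want) print v; next }  # next line is the value
  ' "$1"
}

# Succeed (exit 0) when the file caches a plaintext password:
# passtype is "simple" and a non-empty "password" entry is present.
svn_auth_is_plaintext() {
  [ "$(svn_auth_get "$1" passtype)" = "simple" ] &&
  [ -n "$(svn_auth_get "$1" password)" ]
}

# Walk a cache directory and print one line per plaintext entry:
# file <TAB> realm <TAB> username  (the password itself is never printed).
svn_auth_audit() {
  dir="$1"
  for f in "$dir"/*; do
    [ -f "$f" ] || continue
    if svn_auth_is_plaintext "$f"; then
      printf '%s\t%s\t%s\n' "$f" \
        "$(svn_auth_get "$f" svn:realmstring)" \
        "$(svn_auth_get "$f" username)"
    fi
  done
}

# --- constructed sample data (stands in for ~/.subversion/auth/svn.simple) ---
SVN_AUTH_DEMO_DIR="$(mktemp -d)"

# Entry 1: plaintext password, the case the thread complains about.
cat > "$SVN_AUTH_DEMO_DIR/d0b4f8e2" <<'EOF'
K 8
passtype
V 6
simple
K 8
password
V 7
hunter2
K 15
svn:realmstring
V 40
<https://svn.example.com:443> Subversion
K 8
username
V 5
alice
END
EOF

# Entry 2: password held by an external keyring, nothing sensitive on disk.
cat > "$SVN_AUTH_DEMO_DIR/e1c5a9f3" <<'EOF'
K 8
passtype
V 13
gnome-keyring
K 15
svn:realmstring
V 40
<https://svn.example.com:443> Subversion
K 8
username
V 3
bob
END
EOF

# Stand-alone run: only the first entry is reported.
svn_auth_audit "$SVN_AUTH_DEMO_DIR"
```

Point it at a real cache with `svn_auth_audit ~/.subversion/auth/svn.simple`. To stop the client from writing such entries in the first place, set `store-passwords = no` in the `[auth]` section of ~/.subversion/config (or in the `[global]` section of ~/.subversion/servers, where it can also be applied per server group); Subversion 1.6 and later additionally accept `store-plaintext-passwords = no`, which keeps caching only where an encrypted store (keyring, KWallet, Keychain, Windows crypto API) is available.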