
Re: Security flaw: subversion stores passwords by default

From: Karl Fogel <kfogel_at_red-bean.com>
Date: Thu, 20 Mar 2008 01:45:06 -0400

Hadmut Danisch <hadmut_at_danisch.de> writes:
> Just read that:
>
> " Trust your OS to protect data on disk."
>
> That's nonsense. What do they believe why passwords stored by the
> operating system are usually hashed and salted?
>
> What makes them believe that exactly that OS will be in place all the time?
>
> That sort of approach is really silly. If you can't do it in a secure
> way, then don't do it at all (at least not without explicit user
> consent).
>
> The really bad thing about this is that it not just compromises
> subversion, but can compromise the security of the whole LAN.
>
> Absolutely bad design.

There are three choices:

   1) plaintext passwords stored on server and client, so that crypttext
      travels over the wire.

   2) plaintext travels over the wire (crypttext stored on server,
      client always has to prompt -- if client doesn't prompt, then
      "crypttext" just becomes a virtual plaintext)

   3) some form of public key encryption

If you are using (3), then this discussion doesn't concern you; you can
set "store-passwords" to "no" in your config file and sleep easy. Try
the 'svn+ssh://' access method, for example.

If you're not using (3), then there are obvious tradeoffs between (1)
and (2); use whichever way is best for you.

And finally: "Don't complain; patches welcome" :-).

You are complaining about bad design, but not offering any solution. If
we *don't* store the passwords, then people will get prompted all the
time -- we already know people don't like that; in fact, it's a
showstopper for many users. You can see what the tradeoffs are here
(the same as they have been forever). If you have a constructive
suggestion to make, make it.

-Karl

Received on 2008-03-20 06:45:25 CET
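
For anyone weighing the "store-passwords" tradeoff discussed in this thread, the following added example (not part of the original mail and not Subversion project code) audits a client's credential cache and reports which entries hold a plaintext password, without printing the password itself. It assumes the cache lives in ~/.subversion/auth/svn.simple, that entries use Subversion's "K <len> / V <len> ... END" file format, and that a "passtype" of "simple" means plaintext; the function names and the sample entry are constructed for illustration.

```python
import io
from pathlib import Path

def rec(key, value):
    # Encode one key/value pair the way the cache files store it.
    return b"K %d\n%s\nV %d\n%s\n" % (len(key), key, len(value), value)

# Constructed sample entry (not real credentials).
SAMPLE = (rec(b"passtype", b"simple") + rec(b"password", b"not-a-real-secret")
          + rec(b"svn:realmstring", b"<https://svn.example.org:443> Example")
          + rec(b"username", b"alice") + b"END\n")

def read_payload(buf, header, tag):
    # Check the "<tag> <length>" header, then read exactly <length> bytes.
    got, _, length = header.partition(b" ")
    if got != tag or not length.isdigit():
        raise ValueError(f"malformed record header: {header!r}")
    data = buf.read(int(length))
    buf.read(1)  # newline that terminates the payload
    return data

def parse_svn_hash(data):
    """Parse a cache file into {key: value-bytes}; stops at END."""
    buf, out = io.BytesIO(data), {}
    while True:
        header = buf.readline().rstrip(b"\n")
        if header in (b"END", b""):
            return out
        key = read_payload(buf, header, b"K")
        out[key.decode()] = read_payload(buf, buf.readline().rstrip(b"\n"), b"V")

def audit_entry(data):
    """Summarise one cache entry; the password value is never returned."""
    f = parse_svn_hash(data)
    # Assumption: a cached password with no passtype is treated as plaintext.
    passtype = f.get("passtype", b"simple").decode()
    return {"realm": f.get("svn:realmstring", b"").decode(errors="replace"),
            "username": f.get("username", b"").decode(errors="replace"),
            "plaintext": "password" in f and passtype == "simple"}

def audit_dir(auth_dir):
    """Return (file, realm, username) for every entry holding a plaintext password."""
    hits = []
    for path in sorted(Path(auth_dir).glob("*")):
        if path.is_file():
            info = audit_entry(path.read_bytes())
            if info["plaintext"]:
                hits.append((path.name, info["realm"], info["username"]))
    return hits

if __name__ == "__main__":
    for hit in audit_dir(Path.home() / ".subversion/auth/svn.simple"):
        print(hit)
```

Entries it reports can be deleted from the cache directory, after which setting "store-passwords" to "no" keeps the client from writing new ones.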

This is an archived mail posted to the Subversion Users mailing list.