Re: Security flaw: subversion stores passwords by default / Proposal

On Thu, Mar 20, 2008 at 10:24:30PM +0100, Hadmut Danisch wrote:
> > If you are using (3), then this discussion doesn't concern you; you can
> > set "store-passwords" to "no" in your config file and sleep easy. Try
> > the 'svn+ssh://' access method, for example.
> >
> Definitely not. svn+ssh requires to have an account on the operating
> system of the server, with ability to login,

Not necessarily.

If you prefix keys with the following in the authorized_keys file,
users cannot login using the key. They can only do svn operations.

command="/usr/bin/svnserve -t",no-agent-forwarding,no-X11-forwarding,no-port-forwarding

Of course, this only works with SSH key authentication, not passwords.

Also, I share your concerns about the default storing of passwords.
I also turn password caching off. I find your proposal of an explicit
command line option interesting.

There's more people who don't like the current behaviour. The subversion
port for OpenBSD, for example, installs a global configuration file that
turns off password caching by default (in this case you can really "trust
your OS to protect your data" as stated in the SVN FAQ :-)

However, I respect decisions this project has made in the past,
and before having taken the time to read up on the old discussions
to evaluate the real reasons behind the current way password caching
is handled, I will not comment any further.

-- 
Stefan Sperling <stsp_at_elego.de>                 Software Developer
elego Software Solutions GmbH                            HRB 77719
Gustav-Meyer-Allee 25, Gebaeude 12        Tel:  +49 30 23 45 86 96 
13355 Berlin                              Fax:  +49 30 23 45 86 95
http://www.elego.de                 Geschaeftsfuehrer: Olaf Wagner