
Re: Question on svn authentication

From: David Weintraub <qazwart_at_gmail.com>
Date: Fri, 10 Oct 2008 15:03:04 -0400

The permission (Unix wise) on the "auth" directory where the passwords
are stored is drwx------, so no one else can read or write to that
directory (except root). Thus, although passwords are plaintext, they
aren't visible to the world.

I think encryption, if it isn't done right, only gives you a false sense
of security. CVS's passwords are easily broken with a simple Perl
script. Besides, the passwords are moved over the network as plain
text over the svn:// and http:// protocols. (Use svn+ssh:// and https://
if you need strong security.)

All encryption does is make it harder for a user to figure out what is
going on without really adding to the security.

--
David Weintraub
qazwart_at_gmail.com

On Thu, Oct 9, 2008 at 2:35 PM, <jianbing.chen_at_tektronix.com> wrote:
> Hi,
>
> We have an Apache + OpenLDAP setup (Subversion 1.5.2) for authentication
> and are on Linux. The issue is that by default, the passwd is saved in
> cleartext in the auth file under home dir. Turning off the option for saving
> passwd seems to be too inconvenient (compared to cvs) to most developers
> since then they will be prompted for passwd for most of the commands.
>
> Do you guys consider this an issue? Is there any plan to at least encrypt
> it?
>
> Thanks for any feedback. We are trying to make it work asap.
>
> Jianbing
>
>
Received on 2008-10-10 21:03:28 CEST
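
The permission check discussed in this thread, as an added example that is not part of the original mails and is not Subversion's own code. It assumes the default client layout (cached credentials under `auth/svn.simple`, each file a series of `K`/`V` length-prefixed records ending in `END`); the sample entry, realm and file name are constructed.

```python
import os, stat, tempfile

def parse_hash_file(data):
    """Parse 'K <len>\\nkey\\nV <len>\\nvalue\\n ... END' records into a dict."""
    fields, pos, entry = [], 0, {}
    while not data.startswith(b"END", pos):
        eol = data.index(b"\n", pos)
        kind, size = data[pos:eol].split()
        fields.append((kind, data[eol + 1:eol + 1 + int(size)]))
        pos = eol + 2 + int(size)          # skip the value and its newline
    for (k_tag, key), (v_tag, val) in zip(fields[::2], fields[1::2]):
        if (k_tag, v_tag) != (b"K", b"V"):
            raise ValueError("malformed record")
        entry[key.decode()] = val
    return entry

def loose(path):                           # bits granted to group or other
    return stat.S_IMODE(os.stat(path).st_mode) & 0o077

def audit_auth_dir(auth_dir):
    """Return (kind, detail) findings; password values are never reported."""
    findings = [("dir-mode", auth_dir)] if loose(auth_dir) else []
    simple = os.path.join(auth_dir, "svn.simple")
    for name in sorted(os.listdir(simple)) if os.path.isdir(simple) else []:
        path = os.path.join(simple, name)
        with open(path, "rb") as fh:
            entry = parse_hash_file(fh.read())
        if "password" in entry:            # a password is cached in this file
            realm = entry.get("svn:realmstring", b"?").decode(errors="replace")
            findings.append(("stored-password", realm))
            if loose(path):
                findings.append(("file-mode", path))
    return findings

def kv(key, val):                          # builds one constructed record
    return b"K %d\n%s\nV %d\n%s\n" % (len(key), key, len(val), val)

REALM = b"<https://svn.example.test:443> Dev Repo"      # constructed sample
SAMPLE = kv(b"password", b"not-real") + kv(b"svn:realmstring", REALM) + b"END\n"

def demo(dir_mode, file_mode):
    with tempfile.TemporaryDirectory() as home:
        simple = os.path.join(home, "auth", "svn.simple")
        os.makedirs(simple)
        cred = os.path.join(simple, "constructed-entry")
        with open(cred, "wb") as fh:
            fh.write(SAMPLE)
        os.chmod(os.path.dirname(simple), dir_mode)
        os.chmod(cred, file_mode)
        return audit_auth_dir(os.path.dirname(simple))
```

With owner-only modes (0700 on the directory, 0600 on the file) the only remaining finding is that a password is cached for the realm; `audit_auth_dir` can be pointed at a real `~/.subversion/auth` directory in the same way.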

This is an archived mail posted to the Subversion Users mailing list.
