[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: Question on svn authentication

From: David Weintraub <qazwart_at_gmail.com>
Date: Fri, 10 Oct 2008 15:03:04 -0400

The permission (Unix wise) on the "auth" directory where the passwords
are stored is drwx------, so no one else can read or write to that
directory (except root). Thus, although passwords are plaintext, they
aren't visible to the world.

I think encryption if it isn't done right only give you a false sense
of security. CVS's passwords are easily broken with a simple Perl
script. Besides, the passwords are moved over the network as plain
text over svn:// and http:// protocol. (Use svn+ssh:// and https://
if you need strong security).

All encryption does is make it harder for a user to figure out what is
going on without really adding to the security.

David Weintraub
On Thu, Oct 9, 2008 at 2:35 PM,  <jianbing.chen_at_tektronix.com> wrote:
> Hi,
> We have a apache + open LDAP setup (subversion 1.5.2) for authentication
> and are on linux. The issue is that by default, the passwd is saved in
> cleartext in the auth file under home dir. Turning off the option for saving
> passwd seems to be too inconvenient (comparing to cvs) to most developers
> since then they will be prompted for passwd for most of the commands.
> Do you guys consider this an issue? Is there any plan to at least encrypt
> it?
> Thanks for any feedback. We are trying to make it work asap.
> Jianbing
To unsubscribe, e-mail: users-unsubscribe_at_subversion.tigris.org
For additional commands, e-mail: users-help_at_subversion.tigris.org
Received on 2008-10-10 21:03:28 CEST

This is an archived mail posted to the Subversion Users mailing list.

This site is subject to the Apache Privacy Policy and the Apache Public Forum Archive Policy.