On 2008-10-10 15:03, David Weintraub wrote:
[chop]
> script. Besides, the passwords are moved over the network as plain
> text over svn:// and http:// protocol. (Use svn+ssh:// and https://
> if you need strong security).
[chop]
This isn't always true. If you're using Negotiate auth over
http:// or one of several SASL modules (NTLM, GSSAPI, DIGEST-MD5)
for svn:// the passwords aren't sent in the clear. The Negotiate
crypto is generally considered insufficient so Neon requires you to
use https://, but it's still a lot better than using HTTP Basic
auth.
IMHO, what you (Jianbing) and your users should be more worried
about than the password cache file is the fact that, regardless of
protocol, the svn server, when using a clear-text login mechanism,
can be used to collect everyone's password.
Of course, as has been discussed elsewhere, deploying an SSO
mechanism (other than PKI with client certificates, which is pretty
much universally supported) with Subversion isn't exactly for the
faint of heart. Fortunately it is getting easier all the time.
--
Alec.Kloss_at_oracle.com Oracle Middleware
PGP key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x432B9956
Received on 2008-10-10 21:30:59 CEST
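
Added example, not part of the original message: a Python sketch contrasting what the receiving side obtains from an HTTP Basic header with what it obtains from a SASL DIGEST-MD5 response as specified in RFC 2831. The function names are hypothetical, and the sample user, realm, nonces and password are the test values from the RFC 2831 example exchange, not anything from a Subversion deployment.

```python
import base64
import hashlib


def basic_header(user: str, password: str) -> str:
    """Build the Authorization value a client sends for HTTP Basic auth."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return "Basic " + token


def recover_from_basic(header: str) -> tuple:
    """What any receiver of a Basic header (the server, or anyone reading
    plain http:// traffic) can do: decode it back to the password."""
    _scheme, token = header.split(" ", 1)
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password


def digest_md5_response(user, realm, password, nonce, cnonce, nc,
                        digest_uri, qop="auth") -> str:
    """Compute the DIGEST-MD5 'response' value (RFC 2831, qop=auth, no authzid).
    Only this hash crosses the wire; it is bound to the server's nonce."""
    md5 = lambda b: hashlib.md5(b).digest()
    a1 = md5(f"{user}:{realm}:{password}".encode()) + f":{nonce}:{cnonce}".encode()
    a2 = f"AUTHENTICATE:{digest_uri}".encode()
    ha1, ha2 = md5(a1).hex(), md5(a2).hex()
    return hashlib.md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}".encode()).hexdigest()


# Test values taken from the example exchange in RFC 2831.
SAMPLE = dict(user="chris", realm="elwood.innosoft.com", password="secret",
              nonce="OA6MG9tEQGm2hh", cnonce="OA6MHXh6VqTrRk",
              nc="00000001", digest_uri="imap/elwood.innosoft.com")


def compare() -> dict:
    """Return what the receiving side sees for each mechanism."""
    hdr = basic_header(SAMPLE["user"], SAMPLE["password"])
    return {
        "basic_seen_by_server": recover_from_basic(hdr),
        "digest_seen_by_server": digest_md5_response(**SAMPLE),
        # A fresh server nonce yields a different response, so a captured
        # response cannot simply be replayed against a new challenge.
        "digest_new_nonce": digest_md5_response(**{**SAMPLE, "nonce": "constructed-nonce-2"}),
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name}: {value}")
```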