
Re: Question on svn authentication

From: Alec Kloss <alec.kloss_at_oracle.com>
Date: Fri, 10 Oct 2008 14:30:29 -0500

On 2008-10-10 15:03, David Weintraub wrote:
[chop]
> script. Besides, the passwords are moved over the network as plain
> text over svn:// and http:// protocol. (Use svn+ssh:// and https://
> if you need strong security).
[chop]

This isn't always true. If you're using Negotiate auth over
http:// or one of several SASL modules (NTLM, GSSAPI, DIGEST-MD5)
for svn://, the passwords aren't sent in the clear. The Negotiate
crypto is generally considered insufficient, so Neon requires you to
use https://, but it's still a lot better than using HTTP Basic
auth.

IMHO, what you (Jianbing) and your users should be more worried
about than the password cache file is the fact that, regardless of
protocol, the svn server, when using a clear-text login mechanism,
can be used to collect everyone's password.
 
Of course, as has been discussed elsewhere, deploying an SSO
mechanism (other than PKI with client certificates, which is pretty
much universally supported) with Subversion isn't exactly for the
faint of heart. Fortunately it is getting easier all the time.

-- 
Alec.Kloss_at_oracle.com			Oracle Middleware
PGP key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x432B9956

Received on 2008-10-10 21:30:59 CEST
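The distinction Alec draws above (a clear-text login lets the server, and anyone on the path, collect the password itself, whereas a challenge-response mechanism such as DIGEST-MD5 only carries hashes) is shown below in an added example that is not part of the original thread and not Subversion's or Cyrus SASL's own code. It decodes an HTTP Basic header, then computes and verifies an RFC 2831 DIGEST-MD5 response from a server-side stored hash, and finishes with the caveat a practitioner should keep in mind: a captured exchange can still be attacked offline with a wordlist. The username, realm, password, nonces and digest-uri are constructed sample values.

```python
import base64
import hashlib
import hmac

# Constructed sample values for the demonstration; none come from the thread.
USERNAME = "jianbing"
REALM = "svn.example.com"
PASSWORD = "hunter2"
NONCE = "OA6MG9tEQGm2hh"        # chosen by the server in its challenge
CNONCE = "OA6MHXh6VqTrRk"       # chosen by the client
NC = "00000001"                 # nonce-count
DIGEST_URI = "svn/svn.example.com"


def basic_auth_header(username, password):
    """HTTP Basic: the credential is only base64-encoded, never protected."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return f"Authorization: Basic {token}"


def recover_basic_password(header):
    """What the server, or anyone watching a plain http:// connection,
    reads straight out of a Basic / clear-text login: the password itself."""
    token = header.split()[-1]
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password


def _md5(data):
    return hashlib.md5(data).digest()


def _md5hex(data):
    return hashlib.md5(data).hexdigest()


def urp_hash(username, realm, password):
    """H(username:realm:password), the only secret a DIGEST-MD5 server needs
    to store (RFC 2831 section 3.9), so it never has to see the password."""
    return _md5(f"{username}:{realm}:{password}".encode())


def digest_md5_response(h_urp, nonce, cnonce, nc, digest_uri, qop="auth"):
    """The client 'response' value of RFC 2831 section 2.1.2.1, computed
    from the stored hash rather than from the password."""
    a1 = h_urp + f":{nonce}:{cnonce}".encode()
    a2 = f"AUTHENTICATE:{digest_uri}".encode()
    kd_input = f"{_md5hex(a1)}:{nonce}:{nc}:{cnonce}:{qop}:{_md5hex(a2)}"
    return _md5hex(kd_input.encode())


def client_response(username, realm, password, nonce, cnonce, nc, digest_uri):
    """What actually goes on the wire: 32 hex digits, not the password."""
    return digest_md5_response(urp_hash(username, realm, password),
                               nonce, cnonce, nc, digest_uri)


def server_verify(stored_h_urp, response, nonce, cnonce, nc, digest_uri):
    """Server-side check using only the stored hash."""
    expected = digest_md5_response(stored_h_urp, nonce, cnonce, nc, digest_uri)
    return hmac.compare_digest(expected, response)


def offline_dictionary_attack(username, realm, response, nonce, cnonce, nc,
                              digest_uri, wordlist):
    """The caveat: whoever captured one exchange can test guesses offline at
    MD5 speed, which is why DIGEST-MD5 is only 'a lot better than Basic'
    and was later moved to historic status (RFC 6331)."""
    for guess in wordlist:
        if client_response(username, realm, guess, nonce, cnonce, nc,
                           digest_uri) == response:
            return guess
    return None


if __name__ == "__main__":
    hdr = basic_auth_header(USERNAME, PASSWORD)
    print("Basic header on the wire :", hdr)
    print("Recovered by observer    :", recover_basic_password(hdr))
    resp = client_response(USERNAME, REALM, PASSWORD, NONCE, CNONCE, NC, DIGEST_URI)
    print("DIGEST-MD5 on the wire   :", resp)
    print("Server verifies          :",
          server_verify(urp_hash(USERNAME, REALM, PASSWORD), resp, NONCE, CNONCE, NC, DIGEST_URI))
    print("Offline guess            :",
          offline_dictionary_attack(USERNAME, REALM, resp, NONCE, CNONCE, NC, DIGEST_URI,
                                    ["password", "hunter2", "letmein"]))
```

The server's verification needs only `urp_hash`, which is what a SASL-aware svnserve can keep in its sasldb instead of plain-text passwords, so a compromised or malicious server learns hashes rather than reusable passwords; the last function shows why that is still no substitute for running the whole session over TLS or SSH.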

This is an archived mail posted to the Subversion Users mailing list.
