
sasl and encrypted passwords

From: UKASICK, ANDREW (ATTSI) <au3678_at_att.com>
Date: Wed, 29 Oct 2008 12:59:54 -0400

I hope someone out there can assist me. We have a large number of svn
repositories hosted on a common RHEL server. They each run with their
own unique Linux account on their own unique port via svnserve and
xinetd. Each repository also has a unique "realm" in svnserve.conf. SVN
accounts are svn only and not OS accounts. We want to keep it that way
because it allows us to easily delegate admin authority for an svn rep
to the team that uses it. Currently each repository reads its own
passwd file for user authentication. The passwords in that file must be
stored in clear text due to limitations in svnserve. This is NOT a
desirable condition. No one should be able to browse other users'
passwords, not even saintly SAs. If you know someone's svn password,
you probably know their password for lots of other apps as well, since
people try to use common passwords so they can remember them.


We don't want to use apache, because there are hundreds of reps and they
each need to be on their own preferred svn versions. svnserve makes that
easy, plus it's light and fast, and we can upgrade one rep and not have
to affect any others.


Along comes svn 1.5 and cyrus_sasl and I think we may have a solution
for finally storing passwords in a form that no one (not even system
admins) can read. As a bonus, I can even encrypt the client/server data
stream.


If I use the following settings in my svn.conf file everything seems to
work wonderfully:

pwcheck_method: auxprop
auxprop_plugin: sasldb
mech_list: DIGEST-MD5

The data is encrypted, authentication works great, but guess what. The
db, sasldb, stores all the accounts, realms and passwords in
"cleartext". If you take the sasldb file and just open it as if it were
a text file, there they all are as plain as day. I've gained an
encrypted data stream, but not met my primary objective.


Can anyone offer a means to maintain passwords encrypted? I know apache
does, but we use svnserve. Am I missing something? I thought sasl was
supposed to make this possible now? I can't find any documentation to
show me how to make that happen. I searched 12,000 emails from this
listserv and didn't find it there either. Any help would be greatly
appreciated.

Andrew Ukasick
Senior Technical Architect
AT&T, Technology Standards and Solutions
722 North Broadway - 15M111A
Milwaukee, Wisconsin 53202-4303
Office: 414-223-5811
Andrew.Ukasick_at_att.com
http://scm.it.att.com

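The reason the server-side store cannot be a one-way hash lies in the mechanism itself: DIGEST-MD5 (RFC 2831) requires the server to hold either the password or MD5(username:realm:password), so that is the least any DIGEST-MD5 backend, sasldb included, can keep. The Python below is an added illustration, not code from the post, from Subversion or from Cyrus SASL; it uses a constructed exchange with placeholder realm, user, nonces and digest-uri to show that the stored value both verifies logins and is by itself enough to answer a challenge for that realm.

```python
import hashlib
import hmac

def _hexmd5(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()

def digest_md5_secret(username: str, realm: str, password: str) -> bytes:
    # H(username:realm:password), RFC 2831 s.2.1.2.1: the least a DIGEST-MD5
    # server can store and still verify logins. Realm-bound, but a password
    # equivalent for that realm, not a one-way verifier like an htpasswd hash.
    return hashlib.md5(f"{username}:{realm}:{password}".encode()).digest()

def digest_md5_response(secret: bytes, nonce: str, cnonce: str, nc: str,
                        qop: str, digest_uri: str) -> str:
    # response-value per RFC 2831 s.2.1.2.1, without an authzid.
    a1 = secret + f":{nonce}:{cnonce}".encode()
    a2 = f"AUTHENTICATE:{digest_uri}".encode()
    if qop in ("auth-int", "auth-conf"):
        a2 += b":00000000000000000000000000000000"
    kd = f"{_hexmd5(a1)}:{nonce}:{nc}:{cnonce}:{qop}:{_hexmd5(a2)}"
    return _hexmd5(kd.encode())

def client_response(username, realm, password, nonce, cnonce, nc, qop, uri):
    # The client holds the password and derives the secret on the fly.
    secret = digest_md5_secret(username, realm, password)
    return digest_md5_response(secret, nonce, cnonce, nc, qop, uri)

def server_verify(stored_secret, nonce, cnonce, nc, qop, uri, response):
    # The server needs only the stored secret, never the password itself.
    expected = digest_md5_response(stored_secret, nonce, cnonce, nc, qop, uri)
    return hmac.compare_digest(expected, response)

# Constructed sample exchange (placeholder realm, user, nonces and digest-uri).
REALM, USER, PASSWORD = "team-alpha-repo", "alice", "correct horse"
NONCE, CNONCE, NC, QOP = "n0nc3-from-server", "cn0nc3-from-client", "00000001", "auth"
URI = "svn/svn.example.test"

def demo() -> dict:
    stored = digest_md5_secret(USER, REALM, PASSWORD)  # what the server keeps
    good = client_response(USER, REALM, PASSWORD, NONCE, CNONCE, NC, QOP, URI)
    bad = client_response(USER, REALM, "wrong", NONCE, CNONCE, NC, QOP, URI)
    # Anyone who can read the stored secret can answer the challenge without
    # the password, so the store needs the same protection as a cleartext
    # passwd file: file permissions on it are the real control.
    from_store = digest_md5_response(stored, NONCE, CNONCE, NC, QOP, URI)
    return {"good": server_verify(stored, NONCE, CNONCE, NC, QOP, URI, good),
            "bad": server_verify(stored, NONCE, CNONCE, NC, QOP, URI, bad),
            "store_only": server_verify(stored, NONCE, CNONCE, NC, QOP, URI, from_store)}
```

Even where a SASL backend keeps only the mechanism-specific secret rather than the plain password, what it holds for DIGEST-MD5 is this hash, which is usable as-is for that realm and brute-forceable offline.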
Received on 2008-10-29 18:00:28 CET

This is an archived mail posted to the Subversion Users mailing list.
