[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: How to configure Apache2+SVN+PAM

From: Nico Kadel-Garcia <nkadel_at_gmail.com>
Date: Mon, 31 Aug 2009 00:37:25 -0400

On Sat, Aug 29, 2009 at 10:42 PM, Ryan
Schmidt<subversion-2009b_at_ryandesign.com> wrote:
> On Aug 29, 2009, at 09:44, Nico Kadel-Garcia wrote:
>>> I´m looking through the web but it´s hard to find how to configure
>>> PAM+Apache2+Svn.
>> [ Yes, I rant about this. Yes, I am a broken record, but it needs
>> repeating for new users. ]
>> *DON'T*. Seriously. Unless you can assure that your clients are not
>> going to use the default subversion clients, which store passwords in
>> cleartext by default, any such service is a serious security pitfall.
> In a message last week that you did not respond to, I replied [1] to your

Didn't notice your message. Sorry bout that, this isn't a full-time
hobby, and I don't want to achieve 'net.kook' status for my concerns
about this.

> prior rant on this topic a week ago explaining that the Subversion client
> does not store passwords in clear text anymore for most users. I referred
> you to the Subversion 1.6, 1.4, and 1.2 release notes which state that this
> is so. Are you saying this is not correct, or that the implementation is
> flawed? Please elaborate.

The *reference*, UNIX and Linux versions, store passwords in
$HOME/.svn/auth/. You made claims that the "Windows" version of
Subversion does not commit this hideous this security obscenity. Is
this the CollabNet published client? If so, who in the heck uses that?
Most of my acquaintances use TortoiseSVN (which is admittedly better
about this and has been for ages.)

That's good if it's better in Windows. But the Subversion tools
underlying the Gnome and KDE wallets, namely 'svn' itself, still
stores $HOME/.svn/auth keys. The Gnome and KDE wallets don't remove
those, unless the've gotten *really* clever in the last year or two.
They just provide another access method to first store the keys, when
you have your Gnome or KDE session open. Try to run it from a
Makefile, or a cron job or another automated build structure, and you
have a problem.

The wallets are nice, especially for managing svn+ssh keys. Since they
exist, though, why is the code even present for putting keys in
$HOME/.svn/auth? Why isn't auto-store turned off by default, instead
of merely with a warning?

Ryan, these have been issues for years: Stapling wallets on top of
them helps, but the use of password and security wallets are not
enforced in the UNIX/Linux world.


To unsubscribe from this discussion, e-mail: [users-unsubscribe_at_subversion.tigris.org].
Received on 2009-08-31 06:38:29 CEST

This is an archived mail posted to the Subversion Users mailing list.

This site is subject to the Apache Privacy Policy and the Apache Public Forum Archive Policy.