
RE: How to configure Apache2+SVN+PAM

From: Jason Malinowski <jason_at_jason-m.com>
Date: Sun, 30 Aug 2009 22:31:01 -0700

> Most of my acquaintances use TortoiseSVN (which is admittedly better
> about this and has been for ages.)

TortoiseSVN uses the same Crypto APIs as the command line packages. Thus, passwords aren't stored in plaintext.

Jason Malinowski

> -----Original Message-----
> From: Nico Kadel-Garcia [mailto:nkadel_at_gmail.com]
> Sent: Sunday, August 30, 2009 9:37 PM
> To: Ryan Schmidt
> Cc: Alexandre Moraes; Subversion Users
> Subject: Re: How to configure Apache2+SVN+PAM
> On Sat, Aug 29, 2009 at 10:42 PM, Ryan
> Schmidt<subversion-2009b_at_ryandesign.com> wrote:
> >
> > On Aug 29, 2009, at 09:44, Nico Kadel-Garcia wrote:
> >
> >>> I'm looking through the web but it's hard to find how to configure
> >>> PAM+Apache2+Svn.
> >>
> >> [ Yes, I rant about this. Yes, I am a broken record, but it needs
> >> repeating for new users. ]
> >>
> >> *DON'T*. Seriously. Unless you can assure that your clients are not
> >> going to use the default subversion clients, which store passwords in
> >> cleartext by default, any such service is a serious security pitfall.
> >
> > In a message last week that you did not respond to, I replied [1] to your
> Didn't notice your message. Sorry bout that, this isn't a full-time
> hobby, and I don't want to achieve 'net.kook' status for my concerns
> about this.
> > prior rant on this topic a week ago explaining that the Subversion client
> > does not store passwords in clear text anymore for most users. I referred
> > you to the Subversion 1.6, 1.4, and 1.2 release notes which state that this
> > is so. Are you saying this is not correct, or that the implementation is
> > flawed? Please elaborate.
> The *reference*, UNIX and Linux versions, store passwords in
> $HOME/.svn/auth/. You made claims that the "Windows" version of
> Subversion does not commit this hideous security obscenity. Is
> this the CollabNet published client? If so, who in the heck uses that?
> Most of my acquaintances use TortoiseSVN (which is admittedly better
> about this and has been for ages.)
> That's good if it's better in Windows. But the Subversion tools
> underlying the Gnome and KDE wallets, namely 'svn' itself, still
> stores $HOME/.svn/auth keys. The Gnome and KDE wallets don't remove
> those, unless they've gotten *really* clever in the last year or two.
> They just provide another access method to first store the keys, when
> you have your Gnome or KDE session open. Try to run it from a
> Makefile, or a cron job or another automated build structure, and you
> have a problem.
> The wallets are nice, especially for managing svn+ssh keys. Since they
> exist, though, why is the code even present for putting keys in
> $HOME/.svn/auth? Why isn't auto-store turned off by default, instead
> of merely with a warning?
> Ryan, these have been issues for years: Stapling wallets on top of
> them helps, but the use of password and security wallets is not
> enforced in the UNIX/Linux world.
> ------------------------------------------------------
> http://subversion.tigris.org/ds/viewMessage.do?dsForumId=1065&dsMessageId=2388739
> To unsubscribe from this discussion, e-mail: [users-unsubscribe_at_subversion.tigris.org].


Received on 2009-08-31 07:31:49 CEST
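The thread above argues about whether the command-line client leaves cleartext passwords in its auth cache. The following audit script is an added example, not part of this thread and not Subversion's own code: it parses the client's length-prefixed hash-dump cache format and reports which cached realms hold a cleartext password (`passtype` = `simple`) as opposed to a wallet reference. It assumes the usual `~/.subversion/auth/svn.simple/` layout and runs on constructed sample entries.

```python
import os

# Subversion caches credentials under ~/.subversion/auth/svn.simple/, one file
# per realm, in its length-prefixed hash-dump format. Entries whose "passtype"
# is "simple" hold the password itself in cleartext; wallet-backed entries
# (gnome-keyring, kwallet, keychain, wincrypt, gpg-agent) hold only a pointer.
# Remediation on the client side: set "store-plaintext-passwords = no" (or
# "store-passwords = no") in the [global] section of ~/.subversion/servers.

def parse_svn_hash(data: bytes) -> dict:
    """Parse one K/V hash-dump file ('K <len>\\n<key>\\nV <len>\\n<value>\\n...END')."""
    fields, pos = {}, 0
    while True:
        end = data.index(b"\n", pos)
        header, pos = data[pos:end], end + 1
        if header == b"END":
            return fields
        kind, length = header.split(b" ")
        if kind != b"K":
            raise ValueError("expected key record, got %r" % header)
        key = data[pos:pos + int(length)].decode()
        pos += int(length) + 1                      # skip the key and its newline
        end = data.index(b"\n", pos)
        vkind, vlen = data[pos:end].split(b" ")
        if vkind != b"V":
            raise ValueError("expected value record for key %r" % key)
        pos = end + 1
        fields[key] = data[pos:pos + int(vlen)].decode()
        pos += int(vlen) + 1                        # skip the value and its newline

def find_plaintext_entries(entries: dict) -> list:
    """Return (filename, realm, username) for every entry stored in cleartext.
    The password value itself is deliberately neither returned nor printed."""
    findings = []
    for name, fields in sorted(entries.items()):
        if fields.get("passtype") == "simple" and "password" in fields:
            findings.append((name, fields.get("svn:realmstring", "?"),
                             fields.get("username", "?")))
    return findings

def audit_auth_dir(auth_dir: str) -> list:
    """Scan a real auth directory (e.g. os.path.expanduser('~/.subversion/auth'))."""
    simple_dir = os.path.join(auth_dir, "svn.simple")
    entries = {}
    if os.path.isdir(simple_dir):
        for name in os.listdir(simple_dir):
            with open(os.path.join(simple_dir, name), "rb") as fh:
                entries[name] = parse_svn_hash(fh.read())
    return find_plaintext_entries(entries)

# Constructed sample data (not from a real cache): one cleartext entry and one
# entry that defers to the GNOME keyring and therefore carries no password.
SAMPLE_CACHE = {
    "a1b2c3": (b"K 8\npasstype\nV 6\nsimple\nK 8\npassword\nV 8\nhunter22\n"
               b"K 15\nsvn:realmstring\nV 38\n<https://svn.example.test:443> Example\n"
               b"K 8\nusername\nV 5\nalice\nEND\n"),
    "d4e5f6": (b"K 8\npasstype\nV 13\ngnome-keyring\n"
               b"K 15\nsvn:realmstring\nV 36\n<https://svn.example.test:443> Other\n"
               b"K 8\nusername\nV 3\nbob\nEND\n"),
}

if __name__ == "__main__":
    parsed = {name: parse_svn_hash(raw) for name, raw in SAMPLE_CACHE.items()}
    for name, realm, user in find_plaintext_entries(parsed):
        print(f"cleartext password cached: file={name} user={user} realm={realm}")
```

Point `audit_auth_dir` at a build or cron user's auth directory to check whether automated jobs of the kind mentioned in the thread have left cleartext credentials on disk.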

This is an archived mail posted to the Subversion Users mailing list.
