[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: how can I change my password by SVN client?

From: Andy Levy <andy.levy_at_gmail.com>
Date: Mon, 31 Aug 2009 06:37:34 -0400

On Sun, Aug 30, 2009 at 23:26, Nico Kadel-Garcia<nkadel_at_gmail.com> wrote:
> 2009/8/30 wenk <gaowenk_at_yahoo.com.cn>:
>> how can I change my password by SVN client??
>> ________________________________
>> 好玩贺卡等你发,邮箱贺卡全新上线!
> If your Subversion server allows password entry, then you should not
> use it for anything you care about. The reference implementation of
> Subversion has the clients store their passwords in clear text in
> $HOME/.svn/auth/. Since this is clear never going to go away, it means
> that the basic Subversion security model is broken.

This has already been pointed out to you as NOT TUE.

On Windows & OS X, Windows Crypto & OS X Keychain respectively are
used to protect your password. On *NIX, If Gnome or KDE is installed,
their "wallets" are used to save the password encrypted. It is
ultimately left to the host system to set ACL policies appropriately
so that other users can't access your sensitive files.

If you really believe this is a security problem, I hope you're on the
OpenSSH mailing list complaining that the use of SSH authorization
keys is insecure because if someone gains access to my ~/.ssh
directory, they can impersonate me.

> If your servers do not insist on using SSL key access or svn+ssh
> access instead, then the server is not secure enough to be trusted and
> you should refuse to use it, simply as a security conscious user.

As noted previously, this is not true. All my clients use Windows, so
the password is encrypted when cached. My server uses HTTP Digest
authentication, so the password isn't in the clear over the wire. And
my repository isn't accessible from outside the corporate firewall.
It's plenty secure.


To unsubscribe from this discussion, e-mail: [users-unsubscribe_at_subversion.tigris.org].
Received on 2009-08-31 12:38:30 CEST

This is an archived mail posted to the Subversion Users mailing list.

This site is subject to the Apache Privacy Policy and the Apache Public Forum Archive Policy.