On Tue, 2010-01-19 at 09:54 -0600, Giulio Troccoli wrote:
> >
>
>
> Linedata Services (UK) Ltd
> Registered Office: Bishopsgate Court, 4-12 Norton Folgate, London, E1 6DB
> Registered in England and Wales No 3027851 VAT Reg No 778499447
>
> -----Original Message-----
>
>
> >
> >
> > > From: Mark Phippard [mailto:markphip_at_gmail.com]
> > > Sent: 15 January 2010 16:37
> > > To: Giulio Troccoli
> > > Cc: users_at_subversion.apache.org
> > > Subject: Re: How to use GNOME keyring with Subversion
> > >
> > > On Fri, Jan 15, 2010 at 11:33 AM, Giulio Troccoli
> > > <Giulio.Troccoli_at_uk.linedata.com> wrote:
> > > > Although I have been using Subversion since 1.2, so for
> > > quite a while, I'm very new to GNOME keyring. I would like
> > to set it
> > > up but I don't seem able to do that.
> > > >
> > > > I have, for testing, created a VM with CentOS 5.4. Then I
> > > have built Subversion 1.6.6 from source with the
> > --with-gnome-keyring
> > > option.
> > > >
> > > > The gnome-keyring-daemon is running (does it need any
> > > parameters?) and the keyring manager show an unlocked
> > session called
> > > "session".
> > > >
> > > > I have change the config file to use gnome-keyring and the
> > > servers files with store-passwords = yes and
> > store-plaintext-passwords
> > > = no.
> > > >
> > > > Still, when I update an existing wc I am asked for the
> > > Subversion password every time.
> > > >
> > > > As I said I am totally new to keyring and stuff like that, so if
> > > > anyone has successfully set it up please help me :-)
> > > >
> > > > Of course, if you need more information just ask
> > >
> > > The CollabNet RPM has gnome-keyring support and installs into a
> > > private location (/opt/CollabNet_Subversion) so it will not mess up
> > > your other build or install. I'd suggest you try it to rule out
> > > problems with your build.
> >
> > I'll try that and report back.
>
> Ok, on a brand new CentOS 5.4 VM everything seems to work, although there are still few aspect that I'm not sure about.
>
> The first problem is that the first time (after clearing the stored credentials in .subversion) I'm asked for the Subversion password a pop-up window appears asking me for the password for the keyring. This is correct, but not all my users use an xterm session, some use a simple telnet and this doesn't work of course. Is there a way to have the keyring manager ask for the password without tryint and opening a new window?
You could try seeing if not having DISPLAY defined makes it revert to
using the terminal to prompt for the password. At least for SLES 10
when using the gnome-keyring for osc, I had to modify the library to
prompt on the command-line if DISPLAY wasn't defined. Not sure if
gnome-keyring's handling of HEADLESS machines is better in other, newer
OSes.
>
> Another problem is the keyring. Again, I'm not an expert, but where is the keyring password stored? The one that I am asked in the step described above? I guess it's encrypted, but doesn't it need another key to decrypt it? I'm missing something obviously, becuase this can go on forever but clearly doesn't.
>
The password for unlocking the keyring isn't stored anywhere in a
reversible format. It's like the passwords in /etc/shadow, it's salted
and hashed. The passwords on the actual keyring need protection because
they are in a reversible, encrypted format, so the plain-text can be
sent through svn.
> I know that with keyring manager I can create different keyrings. Is it worth creating a specific one for Subversion? If so, how do I tell Subversion to use that specific keyring?
There's no reason to create a separate one unless you want a different
keyring password for your subversion passwords or you want to be able to
wipe all the subversion passwords at once by deleting the file
~/.gnome2/keyrings/subversion.keyring.
>
> Finally, the keyring daemon. It seems there must be one running per user, rather than per system. Is that correct? Do I have to run export `gnome-keyring-daemon` everytime a user logs in?
>
Later OSes will have pam integration that just logs you into the
gnome-keyring (and starts the daemon). It Cent OS 5.4 doesn't have the
pam module, then yes, you need to start the daemon manually.
> Sorry, for the big OT, and thanks
>
> Giulio
Received on 2010-01-19 17:07:29 CET