
Re: svn Farm

From: Nico Kadel-Garcia <nkadel_at_gmail.com>
Date: Sat, 9 Oct 2010 13:51:18 -0400

On Sat, Oct 9, 2010 at 11:06 AM, Les Mikesell <lesmikesell_at_gmail.com> wrote:
> On 10/9/10 8:39 AM, Nico Kadel-Garcia wrote:
>>
>> Look, Subversion inherited its practice of storing passwords in
>> cleartext from its ancestor, CVS. It's been an uphill battle ever
>> since to wallpaper over the practice: there are enough layers of
>> wallpaper, finally, that it's almost thick enough to be a wall. It's
>> fixed for TortoiseSVN, and svn+ssh using SSH keys can work well.
>
> If you are going to rant, you should also point out that ssh keys without a
> passphrase and agent to manage it are not really any different than a
> file-stored password.  If you can copy the private side of the identity key,
> you can get access.

Yeah, both Subversion and SSH share the flaw of *ALLOWING* such
unprotected keys to be stored locally, with no special command line
arguments or special settings, and impossible to compile out of the
clients with the current source trees. I've raised concerns about that
since way, way back with ssh-1.21 and the early releases of ssh-2.0.
This is why, ideally, the SSH keys for Subversion should be distinct
from normal user login keys, but that can be very difficult to enforce
as well.
Received on 2010-10-09 19:51:57 CEST

This is an archived mail posted to the Subversion Users mailing list.
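
An added example, not part of the original thread: a small audit check for the two kinds of at-rest credential discussed above, a Subversion auth-cache entry stored as plaintext and an SSH private key with no passphrase. It assumes the `K <len>` / `V <len>` record layout of Subversion's auth cache files (under `~/.subversion/auth/svn.simple/`) and the `openssh-key-v1` and legacy PEM private-key formats; the function names and all sample data are constructed for illustration.

```python
import base64
import struct

MAGIC = b"openssh-key-v1\0"  # header of the current OpenSSH private-key format

def parse_svn_auth(data: bytes) -> dict:
    """Parse an auth-cache file: 'K <len>' / key / 'V <len>' / value ... END."""
    fields, pos = {}, 0
    def item(tag: bytes) -> str:
        nonlocal pos
        eol = data.index(b"\n", pos)
        kind, length = data[pos:eol].split()
        if kind != tag:
            raise ValueError("malformed auth-cache record")
        start = eol + 1
        pos = start + int(length) + 1  # skip the value and its trailing newline
        return data[start:start + int(length)].decode()
    while not data.startswith(b"END", pos):
        key = item(b"K")
        fields[key] = item(b"V")
    return fields

def svn_password_in_cleartext(data: bytes) -> bool:
    """True when the cached credential uses passtype 'simple' (plaintext on disk)."""
    fields = parse_svn_auth(data)
    return fields.get("passtype") == "simple" and "password" in fields

def ssh_key_unprotected(pem: str) -> bool:
    """True when a private key file carries no passphrase encryption."""
    if "BEGIN OPENSSH PRIVATE KEY" in pem:
        body = "".join(ln for ln in pem.splitlines() if not ln.startswith("-----"))
        blob = base64.b64decode(body)
        if not blob.startswith(MAGIC):
            raise ValueError("not an openssh-key-v1 blob")
        (n,) = struct.unpack(">I", blob[len(MAGIC):len(MAGIC) + 4])
        return blob[len(MAGIC) + 4:len(MAGIC) + 4 + n] == b"none"  # ciphername field
    # Legacy PEM marks encryption with 'Proc-Type: 4,ENCRYPTED' or an ENCRYPTED label
    return "ENCRYPTED" not in pem

# Constructed samples: no real credentials or key material.
SAMPLE_SVN = (b"K 8\npasstype\nV 6\nsimple\nK 8\npassword\nV 6\nsecret\n"
              b"K 8\nusername\nV 5\nalice\nEND\n")

def sample_key(cipher: bytes) -> str:
    """Build only the header of an openssh-key-v1 blob, enough to exercise the check."""
    blob = MAGIC + struct.pack(">I", len(cipher)) + cipher + b"\0" * 8
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n" + base64.b64encode(blob).decode()
            + "\n-----END OPENSSH PRIVATE KEY-----\n")

if __name__ == "__main__":
    print("svn cleartext:", svn_password_in_cleartext(SAMPLE_SVN))
    print("key, cipher none:", ssh_key_unprotected(sample_key(b"none")))
    print("key, aes256-ctr:", ssh_key_unprotected(sample_key(b"aes256-ctr")))
```

A key that passes this check is only passphrase-encrypted on disk; it says nothing about whether the same key doubles as the user's normal login key, the separation the message above recommends.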
