
Re: svnadmin create and not being method agnostic

From: Mark Phippard <markphip_at_gmail.com>
Date: Mon, 3 Jan 2011 11:49:12 -0500

On Mon, Jan 3, 2011 at 11:09 AM, Nick <nospam_at_codesniffer.com> wrote:
> On Sun, 2011-01-02 at 22:43 -0500, Nico Kadel-Garcia wrote:
>
>> It's possible to do secure Subversion. Use svn+ssh access, disable or
>> block other services at the firewall, and keep it away from HTTP/HTTPS
>> in order to prevent UNIX or Linux client plaintext password storage.
>
> Apologies in advance if this is covered somewhere, but can someone
> explain (or point me to some references on) why using SVN w/ Apache
> (HTTPS) is insecure?  I've seen some references to plain text password
> storage, but I don't see my password on my server.  The passwords in my
> svnusers files look like hashes, which makes sense because I use the
> "-m" option to htpasswd2 when creating them.  What am I missing?

Yes, it is secure. Nico's issue is that the SVN client will allow the
user to cache their password in plaintext locally in their home
folder. This is only true for *nix clients though. Windows and OSX
clients store the password securely.

-- 
Thanks
Mark Phippard
http://markphip.blogspot.com/
Received on 2011-01-03 17:49:50 CET
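
To check whether a *nix client has cached a password in plaintext as described in the reply above, the following added example (not part of the original mail and not Subversion project code) parses the client's credential cache files and reports entries stored unencrypted. It assumes the cache lives in `~/.subversion/auth/svn.simple` and marks plaintext entries with `passtype` set to `simple`, details of the Subversion client that the mail does not spell out; the sample record is constructed.

```python
import io
from pathlib import Path

def parse_svn_hash(data: bytes) -> dict:
    """Parse the 'K <len> / key / V <len> / value ... END' hash-dump format."""
    stream, entries = io.BytesIO(data), {}
    while True:
        header = stream.readline().strip()
        if header in (b"END", b""):
            return entries
        key = _read_item(stream, header, b"K")
        value = _read_item(stream, stream.readline().strip(), b"V")
        entries[key] = value

def _read_item(stream, header: bytes, tag: bytes) -> str:
    kind, _, length = header.partition(b" ")
    if kind != tag or not length.isdigit():
        raise ValueError(f"malformed record header: {header!r}")
    item = stream.read(int(length))
    stream.readline()  # consume the newline that terminates the item
    return item.decode("utf-8", "replace")

def plaintext_entries(auth_dir: Path) -> list:
    """Return (file, realm, username) for credentials cached as plaintext."""
    findings = []
    for path in sorted(auth_dir.glob("*")):
        if not path.is_file():
            continue
        try:
            entry = parse_svn_hash(path.read_bytes())
        except (OSError, ValueError):
            continue  # unreadable or not a cache record
        # Assumption: passtype "simple" means the password is stored unencrypted
        if entry.get("passtype") == "simple" and "password" in entry:
            findings.append((path.name, entry.get("svn:realmstring", "?"),
                             entry.get("username", "?")))
    return findings

# Constructed sample record in the cache file format (not a real credential)
SAMPLE = (b"K 8\npasstype\nV 6\nsimple\nK 8\npassword\nV 13\nnot-a-real-pw\n"
          b"K 15\nsvn:realmstring\nV 39\n<https://svn.example.com:443> Test Repo\n"
          b"K 8\nusername\nV 5\nalice\nEND\n")

if __name__ == "__main__":
    cache = Path.home() / ".subversion/auth/svn.simple"  # assumed default location
    for name, realm, user in plaintext_entries(cache):
        print(f"plaintext password cached for {user} at {realm} ({name})")
```

The script prints only the realm, username and file name, never the password value, so its output is safe to collect in an audit log.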

This is an archived mail posted to the Subversion Users mailing list.
