
Re: svnadmin create and not being method agnostic

From: Nick <nospam_at_codesniffer.com>
Date: Mon, 03 Jan 2011 15:56:19 -0500

On Mon, 2011-01-03 at 11:49 -0500, Mark Phippard wrote:
> > Apologies in advance if this is covered somewhere, but can someone
> > explain (or point me to some references on) why using SVN w/ Apache
> > (HTTPS) is insecure? I've seen some references to plain text password
> > storage, but I don't see my password on my server. The passwords in my
> > svnusers files look like hashes, which makes sense because I use the
> > "-m" option to htpasswd2 when creating them. What am I missing?
>
> Yes, it is secure. Nico's issue is that the SVN client will allow the
> user to cache their password in plaintext locally in their home
> folder. This is only true for *nix clients though. Windows and OSX
> clients store the password securely.

I see, thanks. So by "SVN client", are you referring to the command
line client that's provided by SVN?
May I ask why the *nix client stores the credentials in plain text?
Again, I'm open to references which explain it if this has already been
covered.

Nick
Received on 2011-01-03 21:57:07 CET
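
An added example, not part of the original thread and not Subversion's own code: a Python check that reads the client's cached-credential files and reports which ones hold a plaintext password, without printing the password. The cache location `~/.subversion/auth/svn.simple`, the `K`/`V` record layout and the `passtype` values are stated from general knowledge of the Subversion client rather than from this thread, and the sample records are constructed.

```python
import io
from pathlib import Path

def _rec(key: bytes, value: bytes) -> bytes:
    return b"K %d\n%s\nV %d\n%s\n" % (len(key), key, len(value), value)

# Constructed sample records (not from the thread); lengths are computed by _rec.
PLAINTEXT_SAMPLE = (_rec(b"passtype", b"simple") + _rec(b"password", b"not-a-real-pw")
                    + _rec(b"svn:realmstring", b"<https://svn.example.org:443> Example")
                    + _rec(b"username", b"nick") + b"END\n")
KEYRING_SAMPLE = (_rec(b"passtype", b"gnome-keyring")
                  + _rec(b"svn:realmstring", b"<https://svn.example.org:443> Example")
                  + _rec(b"username", b"nick") + b"END\n")

def _read_item(stream, length: int) -> str:
    item = stream.read(length)
    if len(item) != length or stream.read(1) != b"\n":
        raise ValueError("truncated or malformed record")
    return item.decode("utf-8", "replace")

def parse_svn_hash(data: bytes) -> dict:
    """Parse 'K <len>\\n<key>\\nV <len>\\n<value>\\n ... END' into a dict."""
    stream, out = io.BytesIO(data), {}
    while True:
        header = stream.readline().rstrip(b"\n")
        if header == b"END":
            return out
        if not header.startswith(b"K "):
            raise ValueError("expected 'K <len>' or END, got %r" % header)
        key = _read_item(stream, int(header[2:]))
        header = stream.readline().rstrip(b"\n")
        if not header.startswith(b"V "):
            raise ValueError("expected 'V <len>', got %r" % header)
        out[key] = _read_item(stream, int(header[2:]))

def audit(data: bytes) -> dict:
    """Summarise one cache file without ever returning the password itself."""
    rec = parse_svn_hash(data)
    # Assumption: a password with passtype 'simple' (or no passtype) is plaintext.
    plaintext = "password" in rec and rec.get("passtype", "simple") == "simple"
    return {"realm": rec.get("svn:realmstring"), "username": rec.get("username"),
            "passtype": rec.get("passtype"), "plaintext": plaintext}

if __name__ == "__main__":
    cache = Path.home() / ".subversion" / "auth" / "svn.simple"
    for path in sorted(cache.glob("*")) if cache.is_dir() else []:
        print(path.name, audit(path.read_bytes()))
```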

This is an archived mail posted to the Subversion Users mailing list.
