
Re: svnadmin create and not being method agnostic

From: Andy Levy <andy.levy_at_gmail.com>
Date: Mon, 3 Jan 2011 16:19:20 -0500

On Mon, Jan 3, 2011 at 15:56, Nick <nospam_at_codesniffer.com> wrote:
> On Mon, 2011-01-03 at 11:49 -0500, Mark Phippard wrote:
>> > Apologies in advance if this is covered somewhere, but can someone
>> > explain (or point me to some references on) why using SVN w/ Apache
>> > (HTTPS) is insecure?  I've seen some references to plain text password
>> > storage, but I don't see my password on my server.  The passwords in my
>> > svnusers files look like hashes, which makes sense because I use the
>> > "-m" option to htpasswd2 when creating them.  What am I missing?
>>
>> Yes, it is secure.  Nico's issue is that the SVN client will allow the
>> user to cache their password in plaintext locally in their home
>> folder.  This is only true for *nix clients though. Windows and OSX
>> clients store the password securely.
>
> I see, thanks.  So by "SVN client", are you referring to the command
> line client that's provided by SVN?
> May I ask why the *nix client stores the credentials in plain text?
> Again, I'm open to references which explain it if this has already been
> covered.

I believe it's because there is no one standard crypto library that
can easily be expected to exist on every *nix system. You can use
Gnome Keyring & KDE Wallet, but you have to explicitly use that option
on the commandline.

Windows has the Win32 Crypto API built in, and OS X has Keychain. You
know they'll always be there and available, so they're used. IIRC,
Windows was the first to get the crypto for stored passwords, then OS
X in SVN 1.4.
Received on 2011-01-03 22:20:38 CET
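The thread above describes the risk on the client side: a *nix Subversion client may cache the password in plaintext under the user's home folder. As an added example, not code from this mail or from the Subversion project, the following POSIX shell check scans a Subversion auth cache and reports every realm whose credentials are stored as plaintext. It assumes the standard cache layout `~/.subversion/auth/svn.simple/<file>` and Subversion's `K <len>` / `V <len>` / `END` hash-file format, where a plaintext entry carries `passtype` = `simple` together with a `password` key; the file names, realm and password in the sample are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original mail): find Subversion auth cache
# entries that hold a plaintext password. Assumes the ~/.subversion/auth
# layout and the "K <len> / key / V <len> / value ... END" hash-file format.

# Print the value stored under key "$2" in hash file "$1" (nothing if absent).
svn_hash_get() {
    awk -v want="$2" '
        $1 == "K" { getline key; next }                       # line after "K n" is the key
        $1 == "V" { getline val; if (key == want) { print val; exit } }
    ' "$1"
}

# List each cached realm under auth dir "$1" (default ~/.subversion/auth)
# whose credentials are plaintext: passtype "simple" plus a "password" key.
# Prints "<file>: <realm>" per hit; returns 0 if any hit, 1 otherwise.
svn_plaintext_creds() {
    dir="${1:-$HOME/.subversion/auth}/svn.simple"
    found=1
    [ -d "$dir" ] || return 1
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        if [ "$(svn_hash_get "$f" passtype)" = "simple" ] &&
           [ -n "$(svn_hash_get "$f" password)" ]; then
            printf '%s: %s\n' "$f" "$(svn_hash_get "$f" svn:realmstring)"
            found=0
        fi
    done
    return $found
}

# Build a constructed sample cache under "$1": one plaintext entry and one
# entry whose password lives in KWallet (no "password" key in the file).
# Real cache files are named by an MD5 of the realm; these names are placeholders.
make_sample_auth() {
    mkdir -p "$1/svn.simple"
    cat > "$1/svn.simple/aaaa1111" <<'EOF'
K 8
passtype
V 6
simple
K 8
password
V 9
hunter2!!
K 15
svn:realmstring
V 44
<https://svn.example.test:443> Example realm
K 8
username
V 4
nick
END
EOF
    cat > "$1/svn.simple/bbbb2222" <<'EOF'
K 8
passtype
V 7
kwallet
K 15
svn:realmstring
V 42
<https://svn.example.test:443> Other realm
K 8
username
V 4
nick
END
EOF
}

# Demo on the constructed sample; call svn_plaintext_creds with no argument
# to scan the real ~/.subversion/auth instead.
demo=$(mktemp -d)
make_sample_auth "$demo"
svn_plaintext_creds "$demo" || echo "no plaintext credentials found"
rm -rf "$demo"
```

On a real system the check only reports; the remedy for a hit is to delete the file and re-authenticate with plaintext caching disabled. The settings for that (from the Subversion client's own configuration, not from this thread) are `store-plaintext-passwords = no` in the `[global]` section of `~/.subversion/servers`, and `password-stores = gnome-keyring,kwallet` in the `[auth]` section of `~/.subversion/config` so the client uses one of the keyrings the reply mentions.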

This is an archived mail posted to the Subversion Users mailing list.
