[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: Apache httpd 2.4 + Subversion 1.9.5 + LDAP combination does not work on CentOS 7.x

From: Nico Kadel-Garcia <nkadel_at_gmail.com>
Date: Wed, 19 Jul 2017 22:08:42 -0400

On Wed, Jul 19, 2017 at 12:24 PM, Stefan Sperling <stsp_at_elego.de> wrote:
> On Tue, Jul 18, 2017 at 08:58:26PM -0400, Nico Kadel-Garcia wrote:
>> The other blocking factor, for me, was the default behavior of the
>> Subversion client of storing the HTTP or HTTPS access passwords in
>> cleartext. It's gotten better orver time, notifying users better of
>> the risks, but the default behavior is still an issue.
>
> Nico, you have been repeating this point over and over again
> like a broken record. I expect every subscriber to this list
> is already very much aware of your opinion on this matter ;-)

Yup. I don't do it every week, or even every month. Frankly, as
Subversion has been falling in popularity, it's become less critical.
This subscriber is new, and having difficulty with Apache
configurations. Since that's so often been so awkward, and this is
*another* reason to migrate away from it, I made sure that *he*
thought about the functional, less complex to integrate, and by
default more secure svn+ssh.

Branko, some of the same risk occurs for SSH users who use passphrase
free SSH keys. The default of "ssh-keygen" to produce such keys, by
default, without a mandatory commandline option saying "yes, yes, I
really wanted no passphrase!" is a similar but not identical issue.

> The prompt (which I added years ago) was an improvement, yes.
> But I don't expect this default behaviour (prompt) to change, ever,
> and I see no reason to keep discussing this point. It's many years
> too late for that now.

Because there are occasionally new users and new admins. Admittedly,
most of the new admins are supporting legacy tools such as Subversion
in a legacy environment as they migrate to various more modern
distributed source control system. But every single new user
encounters this dangerous default unless their local client
environment has been hand-tweaked by someone with more security
conscious policies.

I do appreciate that you updated the default to at least warn about
the risk. See my above note about SSH keys without passphrases. I'm
afraid that even with the warning, it's not always enough, but it at
least allows a typical admin or user installing software to say "I put
up a sign about that pool, it's your own !@#$ fault".

> The default behaviour can be adjusted globally by the system admin with
> a small config file in /etc/subversion. OpenBSD has been installing such
> a file for many years and there has never been any complaint.
> http://cvsweb.openbsd.org/cgi-bin/cvsweb/ports/devel/subversion/files/servers?rev=1.1&content-type=text/x-cvsweb-markup
> I recommend you do the same on systems you maintain, and move on.

"System admins" do not typically have control of user's local systems
to enforce such a change in the clients, and it's pretty useless on
the Subversion server unless they all log in there with shell access
and check out material into local working copies. Admins usually only
have such control over the servers. (Been there, done that, it pays my
salary for the last 29 years.) The success of such a default change in
OpenBSD's package installed client suggests that people would accept
it for other operating systems. Perhaps we could have a very separate
thread bout whether it's time to change that default, finally, for the
next major release? Is thee a 1.10, or a 2.0 in the planning stages?
Received on 2017-07-20 04:08:50 CEST

This is an archived mail posted to the Subversion Users mailing list.