subversion-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Apache subversion Wiki <>
Subject [Subversion Wiki] Update of "AuthenticationCredentialCacheStorageOverhaul" by CMichaelPilato
Date Thu, 05 Apr 2012 13:53:01 GMT
Dear Wiki user,

You have subscribed to a wiki page or wiki category on "Subversion Wiki" for change notification.

The "AuthenticationCredentialCacheStorageOverhaul" page has been changed by CMichaelPilato:

Add info about how we interact with third-party keychain-type providers.

  = Authentication Credential Cache Storage Overhaul =
  Subversion 1.7 and older uses, primarily, an on-disk storage solution for cached authentication
credentials.  Bits of the more private information may be outsourced for storage to various
OS keyring provider mechanisms as (see EncryptedPasswordStorage), but certainly the primary
storage container are the on-disk serialized hash files stored in `${HOME}/.subversion/auth/${PROVIDERTYPE}/${REALMSTRING_MD5}`.
 As we look to improve the client authentication subsystem in the future -- especially when
considering major overhauls such as the master passphrase in-house encryption feature (see
MasterPassphrase), one area that stands out as in need of attention is the storage of cached
authentication credentials.
+ == Disk Cache ==
  Here's an attempt at summarizing what type of information is currently stored on disk for
each credential type:
  ||'''Provider Type''' ||'''Subversion Realmstring (Key) Components''' ||'''What Else Gets
Cached''' ||
  ||svn.username ||repos UUID ||username ||
  ||svn.simple ||server root URL (scheme, hostname, port), realm string ||username, password
- ||svn.ssl.client-cert ||             ||             ||
+ ||svn.ssl.client-cert || || ||
  ||svn.ssl.client-passphrase ||certificate file path ||password ||
- ||svn.ssl.client-passphrase (PKCS#11 PINs) ||static string containing PIN token and slot
||             ||
+ ||svn.ssl.client-passphrase (PKCS#11 PINs) ||static string containing PIN token and slot
|| ||
  ||svn.ssl.server ||server root URL (scheme, hostname, port) ||ASCII certificate, bitmask
of acceptable failures ||
  Also interesting is that individual RA implementations do not necessarily agree on the realmstring.
 ra_neon builds realmstrings for itself to use.  ra_serf builds some realmstrings for itself,
but offloads some of that work to Serf (in the most common cases, even).
+ == Outsourced Secure Cache ==
+ Here's a table describing the keys and values (of sorts) used when storing and retrieving
passwords from third-party secure storage providers.
+ ||'''Keyring''' ||'''Keys''' ||'''Values''' ||
+ ||Win32 CryptoAPI ||static description string ||password ||
+ ||MacOS X Keychain ||realmstring, username ||password ||
+ ||Gnome Keyring ||realmstring, username ||password ||
+ ||KDE Wallet ||realmstring, username ||password ||
+ ||GPG Agent ||realmstring ||password ||

View raw message