subversion-users mailing list archives

From Stefan Sperling <s...@elego.de>
Subject Re: svnadmin create and not being method agnostic
Date Tue, 04 Jan 2011 11:44:25 GMT
On Mon, Jan 03, 2011 at 04:19:20PM -0500, Andy Levy wrote:
> On Mon, Jan 3, 2011 at 15:56, Nick <nospam@codesniffer.com> wrote:
> > On Mon, 2011-01-03 at 11:49 -0500, Mark Phippard wrote:
> >> > Apologies in advance if this is covered somewhere, but can someone
> >> > explain (or point me to some references on) why using SVN w/ Apache
> >> > (HTTPS) is insecure?  I've seen some references to plain text password
> >> > storage, but I don't see my password on my server.  The passwords in my
> >> > svnusers files look like hashes, which makes sense because I use the
> >> > "-m" option to htpasswd2 when creating them.  What am I missing?
> >>
> >> Yes, it is secure.  Nico's issue is that the SVN client will allow the
> >> user to cache their password in plaintext locally in their home
> >> folder.  This is only true for *nix clients though. Windows and OSX
> >> clients store the password securely.
> >
> > I see, thanks.  So by "SVN client", are you referring to the command
> > line client that's provided by SVN?
> > May I ask why the *nix client stores the credentials in plain text?
> > Again, I'm open to references which explain it if this has already been
> > covered.
> 
> I believe it's because there is no one standard crypto library that
> can easily be expected to exist on every *nix system. You can use
> Gnome Keyring & KDE Wallet, but you have to explicitly use that option
> on the commandline.
> 
> Windows has the Win32 Crypto API built in, and OS X has Keychain. You
> know they'll always be there and available, so they're used. IIRC,
> Windows was the first to get the crypto for stored passwords, then OS
> X in SVN 1.4.

There's an FAQ entry on this, too:
http://subversion.apache.org/faq.html#plaintext-passwords

Stefan
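
The local plaintext caching discussed in this thread can be audited on a workstation. The script below is an added example, not part of the original message or of Subversion itself; it assumes the client's default cache directory `~/.subversion/auth/svn.simple`, its length-prefixed key/value file format, and that a `passtype` of `simple` marks a plaintext entry.

```python
from pathlib import Path

# Constructed sample of one svn.simple cache file (K/V records with byte lengths, then END).
SAMPLE = (b"K 8\npasstype\nV 6\nsimple\n"
          b"K 8\npassword\nV 17\nconstructed-value\n"
          b"K 15\nsvn:realmstring\nV 37\n<https://svn.example.com:443> Example\n"
          b"K 8\nusername\nV 5\nalice\nEND\n")

def read_item(data, pos, tag):
    """Read one 'K <len>' or 'V <len>' record; return (payload, next offset)."""
    eol = data.index(b"\n", pos)  # raises ValueError on a truncated file
    kind, _, length = data[pos:eol].partition(b" ")
    if kind != tag:
        raise ValueError(f"expected {tag!r} record at offset {pos}")
    start, size = eol + 1, int(length)
    if size < 0 or data[start + size:start + size + 1] != b"\n":
        raise ValueError(f"bad length at offset {pos}")
    return data[start:start + size], start + size + 1

def parse_svn_hash(data):
    entries, pos = {}, 0
    while not data.startswith(b"END", pos):
        key, pos = read_item(data, pos, b"K")
        entries[key.decode()], pos = read_item(data, pos, b"V")
    return entries

def classify(entries):
    """Return 'plaintext', the recorded passtype (keyring etc.), or 'no-password'."""
    passtype = entries.get("passtype", b"").decode(errors="replace")
    # Assumption: a cached password with no passtype recorded is treated as plaintext.
    if "password" in entries and passtype in ("", "simple"):
        return "plaintext"
    return passtype or "no-password"

def audit(auth_dir):
    """List (file, status, realm, username) per cache file; the password is never output."""
    rows = []
    for path in sorted(Path(auth_dir, "svn.simple").glob("*")):
        try:
            e = parse_svn_hash(path.read_bytes())
            text = lambda k: e.get(k, b"").decode(errors="replace")
            rows.append((path.name, classify(e), text("svn:realmstring"), text("username")))
        except (ValueError, OSError):
            rows.append((path.name, "unparseable", "", ""))
    return rows

if __name__ == "__main__":
    for row in audit(Path.home() / ".subversion" / "auth"):
        print(*row, sep="\t")
```

Entries reported as `plaintext` can be deleted from the cache directory and re-cached through a keyring-backed store.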
