From: Andy Levy
Date: Mon, 3 Jan 2011 16:19:20 -0500
Subject: Re: svnadmin create and not being method agnostic
To: Nick
Cc: Mark Phippard, users@subversion.apache.org
In-Reply-To: <1294088179.7799.9.camel@nimble.325Bayport>
References: <1294070985.7799.5.camel@nimble.325Bayport> <1294088179.7799.9.camel@nimble.325Bayport>

On Mon, Jan 3, 2011 at 15:56, Nick wrote:
> On Mon, 2011-01-03 at 11:49 -0500, Mark Phippard wrote:
>> > Apologies in advance if this is covered somewhere, but can someone
>> > explain (or point me to some references on) why using SVN w/ Apache
>> > (HTTPS) is insecure?  I've seen some references to plain text
>> > password storage, but I don't see my password on my server.  The
>> > passwords in my svnusers files look like hashes, which makes sense
>> > because I use the "-m" option to htpasswd2 when creating them.  What
>> > am I missing?
>>
>> Yes, it is secure.  Nico's issue is that the SVN client will allow the
>> user to cache their password in plaintext locally in their home
>> folder.  This is only true for *nix clients though.  Windows and OS X
>> clients store the password securely.
>
> I see, thanks.  So by "SVN client", are you referring to the command
> line client that's provided by SVN?
> May I ask why the *nix client stores the credentials in plain text?
> Again, I'm open to references which explain it if this has already been
> covered.

I believe it's because there is no one standard crypto library that can
easily be expected to exist on every *nix system.  You can use GNOME
Keyring & KDE Wallet, but you have to explicitly use that option on the
command line.  Windows has the Win32 Crypto API built in, and OS X has
Keychain.  You know they'll always be there and available, so they're
used.  IIRC, Windows was the first to get the crypto for stored
passwords, then OS X in SVN 1.4.
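The thread above says the *nix command-line client may cache the password in cleartext under the user's home directory, and that GNOME Keyring or KDE Wallet can be used instead. The script below is an added example, not code from this thread or from the Subversion project: it parses the per-realm cache files the client writes under ~/.subversion/auth/svn.simple/ (Subversion's "K <len> / V <len> / END" hash-file format) and reports which realms hold a cleartext password ("passtype" of "simple") versus only a reference into an OS keyring. The two sample cache entries, the file names and the realm strings are constructed for the example; the set of keyring passtype names is an assumption limited to the stores the thread mentions.

```python
"""Audit a Subversion auth cache for cleartext passwords (added example)."""
import tempfile
from pathlib import Path

PLAINTEXT = "simple"  # the password itself is in the cache file
# Assumption: passtype names for the keyring-backed stores named in the thread.
KEYRING_STORES = {"gnome-keyring", "kwallet", "wincrypt", "keychain"}

# Constructed sample of one svn.simple cache file, in the client's hash-file
# format: each key and value is preceded by its byte length, the file ends
# with END.  A real file looks like this when the password was cached in clear.
SAMPLE_PLAINTEXT = (
    "K 8\npasstype\nV 6\nsimple\n"
    "K 8\npassword\nV 7\nhunter2\n"
    "K 15\nsvn:realmstring\nV 42\n<https://svn.example.com:443> Example Repo\n"
    "K 8\nusername\nV 4\nnick\n"
    "END\n"
)
# Constructed keyring-backed entry: no "password" key, only a store reference.
SAMPLE_KEYRING = {
    "passtype": "gnome-keyring",
    "svn:realmstring": "<https://svn.example.org:443> Other Repo",
    "username": "nick",
}


def _sized(data, pos, header, tag):
    """Validate a 'K <n>' or 'V <n>' header and return (payload, new_pos).

    The declared byte count is checked against the content instead of being
    trusted, so a truncated or tampered file is rejected rather than misread."""
    if not header.startswith(tag + b" ") or not header[2:].isdigit():
        raise ValueError("expected %r header, got %r" % (tag, header))
    n = int(header[2:])
    chunk = data[pos:pos + n]
    if len(chunk) != n or data[pos + n:pos + n + 1] != b"\n":
        raise ValueError("declared length %d does not match content" % n)
    return chunk.decode("utf-8"), pos + n + 1


def parse_hash_file(text):
    """Parse Subversion's hash-file format into a dict of str -> str."""
    data = text.encode("utf-8")
    pos, result = 0, {}
    while True:
        nl = data.find(b"\n", pos)
        if nl < 0:
            raise ValueError("truncated file: no END marker")
        header, pos = data[pos:nl], nl + 1
        if header == b"END":
            return result
        key, pos = _sized(data, pos, header, b"K")
        nl = data.find(b"\n", pos)
        if nl < 0:
            raise ValueError("truncated value for key %r" % key)
        header, pos = data[pos:nl], nl + 1
        value, pos = _sized(data, pos, header, b"V")
        result[key] = value


def encode_hash_file(entry):
    """Inverse of parse_hash_file; lengths are byte counts of the UTF-8 text."""
    parts = ["K %d\n%s\nV %d\n%s\n" % (len(k.encode("utf-8")), k,
                                        len(v.encode("utf-8")), v)
             for k, v in entry.items()]
    return "".join(parts) + "END\n"


def classify(entry):
    """Return (realm, status): PLAINTEXT, KEYRING or UNKNOWN."""
    realm = entry.get("svn:realmstring", "?")
    passtype = entry.get("passtype")
    if passtype == PLAINTEXT and "password" in entry:
        return realm, "PLAINTEXT"
    if passtype in KEYRING_STORES:
        return realm, "KEYRING"
    return realm, "UNKNOWN"


def audit_dir(auth_dir):
    """Classify every file under <auth_dir>/svn.simple/ as (name, realm, status)."""
    out = []
    simple = Path(auth_dir) / "svn.simple"
    if not simple.is_dir():
        return out
    for f in sorted(simple.iterdir()):
        try:
            realm, status = classify(parse_hash_file(f.read_text()))
        except (ValueError, UnicodeDecodeError) as exc:
            realm, status = "?", "UNPARSEABLE: %s" % exc
        out.append((f.name, realm, status))
    return out


def demo():
    """Build a constructed auth dir (two good files, one corrupt) and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        simple = Path(tmp) / "svn.simple"
        simple.mkdir()
        (simple / "0a1b").write_text(SAMPLE_PLAINTEXT)
        (simple / "2c3d").write_text(encode_hash_file(SAMPLE_KEYRING))
        (simple / "4e5f").write_text("K 8\npasstype\nV 99\nsimple\nEND\n")
        return audit_dir(tmp)


if __name__ == "__main__":
    real = Path.home() / ".subversion" / "auth"
    for name, realm, status in demo() + audit_dir(real):
        print("%-8s %-12s %s" % (name, status, realm))
```

Any realm reported as PLAINTEXT has its password readable by anyone who can read that file. On a client where this matters, the cache can be cleared (delete the file) and the client told not to write cleartext again: `store-plaintext-passwords = no` in the `[global]` section of ~/.subversion/servers, `password-stores = gnome-keyring,kwallet` in the `[auth]` section of ~/.subversion/config, or `--no-auth-cache` on the command line.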