Posted to users@subversion.apache.org by Sheryl <gu...@his.com> on 2006/09/01 21:10:25 UTC

Re: svn authentication

Ryan Schmidt wrote:

> First of all, now we're talking about something else. First, you were
> talking about plain-text passwords stored in the svnserve password
> file. This is solved by not using svnserve. Now, you're talking about
> plain-text passwords stored in the client auth cache. This is
> addressed by the following FAQ entry which explains your options:

Actually, I wasn't talking about *anything* first because the posting
you replied to was my first one in the thread, maybe the first one on the
list.  Thanks for the, um, warm welcome.

> http://subversion.tigris.org/faq.html#plaintext-passwords

Which I'm quite familiar with and does little but blow off concerns about
plaintext passwords.  My personal level of comfort and what CVS did are
irrelevant.  I have to abide by company policy.

> What that entry does not yet say is that as of Subversion 1.4, on Mac
> OS X, passwords are stored in the keychain, and therefore encrypted,
> just like they are on Windows as of Subversion 1.2.

Which would be just peachy if we used Windows or Mac OS X. :-)

> or if you
> need to have clients with other OSes, then turn off password caching
> on the client and require people to type the password each time.

Which we're trying to do, but is a drag and unenforceable.

> Or
> better yet, use svn+ssh to serve the repository, and use public and
> private keys, so that no password ever needs to be stored anywhere.

I was considering doing just that when I saw the posting about passwords
in svnserve.conf and asked the question that got my head bitten off.  For
a moment I wondered if I had missed something and would put in the effort
and just move my password problem from the clients to the servers.

But to me, the more important question is -- how portable is the Mac OS
keychain solution?  Any chance that's going to find its way into the Linux
code?  The suggestion in the FAQ that someone spend time porting the
half-baked rot13 obfuscation to subversion is pretty useless, but if
there's not some architectural impediment to porting the Mac OS keychain
solution to Linux that could be worth spending some time on.

Sheryl


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
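
Since the message above calls a "don't cache passwords" rule unenforceable, here is an added example (not part of the original thread and not Subversion project code) of a check that finds plaintext entries in a client's auth cache. It assumes the cache lives in `~/.subversion/auth/svn.simple` and uses Subversion's length-prefixed `K`/`V` record format; the `passtype` handling and the sample entry are assumptions constructed for illustration.

```python
import io
from pathlib import Path

def serialize(entry: dict) -> bytes:
    """Build a cache file body: 'K <len>\\n<key>\\nV <len>\\n<value>\\n' ... 'END'."""
    recs = [b"K %d\n%s\nV %d\n%s\n" % (len(k), k, len(v), v) for k, v in entry.items()]
    return b"".join(recs) + b"END\n"

def _read_field(header: bytes, tag: bytes, stream) -> bytes:
    parts = header.split()
    if len(parts) != 2 or parts[0] != tag or not parts[1].isdigit():
        raise ValueError("malformed record header: %r" % header)
    value = stream.read(int(parts[1]))  # length-prefixed, so values may contain newlines
    stream.readline()                   # consume the newline that follows the payload
    return value

def parse_svn_hash(data: bytes) -> dict:
    """Parse the length-prefixed key/value records back into a dict of bytes."""
    stream, out = io.BytesIO(data), {}
    while True:
        header = stream.readline().strip()
        if header in (b"", b"END"):
            return out
        key = _read_field(header, b"K", stream)
        out[key] = _read_field(stream.readline().strip(), b"V", stream)

def plaintext_finding(entry: dict):
    """Return (realm, username) when a password is cached without an OS store."""
    # Assumption: a missing passtype, or passtype 'simple', means plaintext.
    if b"password" not in entry or entry.get(b"passtype", b"simple") != b"simple":
        return None
    return (entry.get(b"svn:realmstring", b"?").decode(errors="replace"),
            entry.get(b"username", b"?").decode(errors="replace"))

def audit(auth_dir: Path) -> list:
    """List (file, realm, username) for every plaintext entry; never the password."""
    hits = []
    for path in sorted(p for p in auth_dir.glob("*") if p.is_file()):
        try:
            hit = plaintext_finding(parse_svn_hash(path.read_bytes()))
        except ValueError:
            continue  # not a cache file in the expected format
        if hit:
            hits.append((path.name,) + hit)
    return hits

# Constructed sample entry (not real credentials).
SAMPLE = serialize({b"password": b"not-a-real-one", b"username": b"alice",
                    b"svn:realmstring": b"<https://svn.example.com:443> Example Repo"})

if __name__ == "__main__":
    for name, realm, user in audit(Path.home() / ".subversion/auth/svn.simple"):
        print("plaintext password cached: file=%s realm=%s user=%s" % (name, realm, user))
```

Run per user from a login script or scheduled job; a non-empty result means the client is still caching passwords in plaintext despite the policy.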

Re: svn authentication

Posted by Sheryl <gu...@his.com>.
Ryan Schmidt wrote:

> On Sep 1, 2006, at 23:10, Sheryl wrote:
>
>> [snip]  Thanks for the, um, warm welcome.
>
> I beg your pardon; I'm so very sorry. I lost track of who the
> original poster was.

Not a problem.  I realized what happened and was more playful than peeved.

>>  [snip] but if
>> there's not some architectural impediment to porting the Mac OS keychain
>> solution to Linux that could be worth spending some time on.
>
> Does Linux have an OS-level feature comparable to the Mac OS X
> Keychain? If so, then presumably Subversion could use that on Linux.
> I don't expect that the Mac OS X Keychain code could be reused,
> though, since that would be specific to the Mac OS X Keychain APIs.

Well, that's what I don't know.  I haven't used MacOS and I'm relatively
new to Linux (but have been a developer or admin on various flavors of
UNIX for 16-18 years).  I read a few things on the Mac sites about this,
and the API supposedly is built on top of an open standard.  Also, Apple
has released source code.  So in theory maybe the API could be ported to
Linux if it has been written intelligently.

This is not total "blue sky" on my part, I've had some experience porting
software.  It's just that I'm starting with no background in this
particular area and so while I would be willing to spend some time trying
to get this or another approach working I'm not really sure of the best
approach or how to go about it as yet.

Even having some kind of "wrapper" program for the svn command so that it
runs more like an ftp session instead of disjoint commands would be an
improvement for CLI users.  I've considered writing something like that in
expect, but haven't had time to work on it yet.

Sheryl


Re: svn authentication

Posted by Ryan Schmidt <su...@ryandesign.com>.
On Sep 1, 2006, at 23:10, Sheryl wrote:

>> First of all, now we're talking about something else. First, you were
>> talking about plain-text passwords stored in the svnserve password
>> file. This is solved by not using svnserve. Now, you're talking about
>> plain-text passwords stored in the client auth cache. This is
>> addressed by the following FAQ entry which explains your options:
>
> Actually, I wasn't talking about *anything* first because the posting
> you replied to was my first one in the thread, maybe the first one on the
> list.  Thanks for the, um, warm welcome.

I beg your pardon; I'm so very sorry. I lost track of who the  
original poster was.


>> Or
>> better yet, use svn+ssh to serve the repository, and use public and
>> private keys, so that no password ever needs to be stored anywhere.
>
> I was considering doing just that when I saw the posting about passwords
> in svnserve.conf and asked the question that got my head bitten off.  For
> a moment I wondered if I had missed something and would put in the effort
> and just move my password problem from the clients to the servers.
>
> But to me, the more important question is -- how portable is the Mac OS
> keychain solution?  Any chance that's going to find its way into the Linux
> code?  The suggestion in the FAQ that someone spend time porting the
> half-baked rot13 obfuscation to subversion is pretty useless, but if
> there's not some architectural impediment to porting the Mac OS keychain
> solution to Linux that could be worth spending some time on.

Does Linux have an OS-level feature comparable to the Mac OS X  
Keychain? If so, then presumably Subversion could use that on Linux.  
I don't expect that the Mac OS X Keychain code could be reused,  
though, since that would be specific to the Mac OS X Keychain APIs.


