Posted to dev@subversion.apache.org by Marc Schoechlin <ms...@256bit.org> on 2008/06/05 15:35:20 UTC

request : disable storing of passwords as default

Hi,

We are using Subversion for administration purposes and we really
dislike that Subversion stores passwords by default.

Re: request : disable storing of passwords as default

Posted by Karl Fogel <kf...@red-bean.com>.
Marc Schoechlin <ms...@256bit.org> writes:
> We are using Subversion for administration purposes and we really
> dislike that Subversion stores passwords by default.
>
> From my point of view, storing passwords by default is not a good
> idea because:
>
>  * Unix systems are often shared environments
>    (Subversion cleartext passwords can be abused on other services
>    with the same passwords)
>  * new Subversion users do not expect that their password is stored
>    in readable format in the filesystem
>  * system administrators cannot be sure that their users don't forget
>    to disable password storing by executing:
>    ---
>    svn info && echo 'store-passwords = no' >> ~/.subversion/config
>    ---
>    => this is especially important if you use subversion on shared
>       accounts like "root" (for system administration purposes)
>  * it's a good idea to make "more secure" settings the default
>
> Therefore I think it is a good idea to disable password storing by
> default or to prompt the user before storing passwords.
>
> What do you think about this?

This will be fixed in Subversion 1.6.  See

   http://svn.collab.net/viewvc/svn?view=rev&revision=31046

-Karl

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org


Re: request : disable storing of passwords as default

Posted by Jens Seidel <je...@users.sourceforge.net>.
On Thu, Jun 05, 2008 at 05:35:20PM +0200, Marc Schoechlin wrote:
> From my point of view, storing passwords by default is not a good idea because:
>
>  * Unix systems are often shared environments
>    (Subversion cleartext passwords can be abused on other services
>    with the same passwords)
>  * new Subversion users do not expect that their password is stored
>    in readable format in the filesystem

This is also true for experienced users such as me! I always used
svn+ssh connections (isn't this the best protocol?) but recently got
access to Subversion's repository, which uses the http protocol. I committed
a minor change today and svn didn't ask me for my password. This really
confused me and I immediately deleted ~/.subversion/auth/svn.simple/*
where I found my password in cleartext!

>  * system administrators cannot be sure that their users don't forget
>    to disable password storing by executing:
>    ---
>    svn info && echo 'store-passwords = no' >> ~/.subversion/config

Thanks for this hint. I still wonder about the "svn info" ...

>    ---
>    => this is especially important if you use subversion on shared
>       accounts like "root" (for system administration purposes)
>  * it's a good idea to make "more secure" settings the default
>
> Therefore I think it is a good idea to disable password storing by
> default or to prompt the user before storing passwords.
>
> What do you think about this?

I agree!

Jens
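
Added example, not part of the original thread or of Subversion's own code: a Python audit of the ~/.subversion/auth/svn.simple/ cache mentioned above, which parses each file's length-prefixed K/V records and reports plaintext entries without printing the password. The "passtype" key semantics, the sample file and the function names are assumptions for illustration.

```python
import stat
import tempfile
from pathlib import Path

# Constructed sample of one cached-credential file (not taken from the thread).
SAMPLE = (b"K 8\npasstype\nV 6\nsimple\nK 8\npassword\nV 7\nhunter2\n"
          b"K 15\nsvn:realmstring\nV 33\n<https://svn.example.org> Example\n"
          b"K 8\nusername\nV 5\nalice\nEND\n")

def parse_svn_hash(data):
    """Parse 'K <len>' / key / 'V <len>' / value records, ended by 'END'."""
    entries, pos = {}, 0
    def read(tag):
        nonlocal pos
        eol = data.index(b"\n", pos)
        kind, length = data[pos:eol].split()
        if kind != tag:
            raise ValueError(f"expected {tag!r} record at byte {pos}")
        start, pos = eol + 1, eol + 2 + int(length)  # pos skips the item's newline
        return data[start:pos - 1].decode(errors="replace")
    while not data.startswith(b"END", pos):
        key = read(b"K")
        entries[key] = read(b"V")
    return entries

def audit_auth_cache(auth_dir):
    """List (file, realm, username, readable_by_others) per plaintext entry."""
    findings = []
    for path in sorted(Path(auth_dir, "svn.simple").glob("*")):
        try:
            entry = parse_svn_hash(path.read_bytes())
        except (ValueError, OSError):
            continue  # directory, unreadable file, or not in this layout
        # Assumption: passtype "simple" (or no passtype) means plaintext storage.
        if "password" in entry and entry.get("passtype", "simple") == "simple":
            others = bool(stat.S_IMODE(path.stat().st_mode) & 0o077)
            findings.append((path.name, entry.get("svn:realmstring"),
                             entry.get("username"), others))
    return findings

def demo():  # audit SAMPLE written into a throwaway directory
    with tempfile.TemporaryDirectory() as tmp:
        entry = Path(tmp, "svn.simple", "constructed-entry")
        entry.parent.mkdir()
        entry.write_bytes(SAMPLE)
        entry.chmod(0o644)
        return audit_auth_cache(tmp)

if __name__ == "__main__":
    print(*audit_auth_cache(Path.home() / ".subversion" / "auth"), sep="\n")
```

Run as a script it audits the invoking account's own cache; on a shared host an administrator can call audit_auth_cache() once per home directory.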
