Posted to users@subversion.apache.org by Wendell Nichols <wc...@shaw.ca> on 2012/09/18 03:16:21 UTC

SVN keeps getting my AD password revoked.

I have many eclipse subversion based projects.  I work on them as 
needed.  The problem is that if I open a project that I haven't accessed 
in some time and the cached svn password is old (and therefore wrong) by 
the time I notice it has tried three times (or more) under the covers to 
login and AD revokes my userid.  If I'm working when the helpdesk is not 
manned, I'm screwed till the next day!
I would like to have a setting that restricts auth errors to one attempt 
before notifying me.  That includes, for instance, opening three old 
projects at once.

Does this sound familiar?
Thanks Wendell Nichols

Re: SVN keeps getting my AD password revoked.

Posted by Stefan Sperling <st...@elego.de>.
On Mon, Sep 17, 2012 at 07:16:21PM -0600, Wendell Nichols wrote:
> I have many eclipse subversion based projects.  I work on them as
> needed.  The problem is that if I open a project that I haven't
> accessed in some time and the cached svn password is old (and
> therefore wrong) by the time I notice it has tried three times (or
> more) under the covers to login and AD revokes my userid.  If I'm
> working when the helpdesk is not manned, I'm screwed till the next
> day!

That's a trade-off between usability and security. It seems they're
being a bit too aggressive with revoking accounts used for SVN access.
If your password isn't ridiculously short, more than 3 attempts
could be allowed before it's likely to be cracked.

> I would like to have a setting that restricts auth errors to one
> attempt before notifying me.  That includes, for instance, opening
> three old projects at once.

As a workaround, I'd recommend clearing the password cache before
opening old projects. See here for more information about where
passwords are cached and how to remove them:
http://svnbook.red-bean.com/en/1.7/svn.serverconfig.netmodel.html#svn.serverconfig.netmodel.creds

Subversion 1.8 will ship with an in-memory password cache, based on
the "gpg-agent", which would prevent outdated passwords from being
used by design because the cache is cleared at regular intervals.
In its current implementation this option will only be available on
UNIX-like systems since it uses UNIX domain sockets to talk to the
gpg-agent. Someone would need to add the necessary Windows socket
support to make it run on Windows, too.
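
The workaround above, as an added example that is not part of the original post or of Subversion's own code: a Python script that parses the on-disk credential cache files and lists those older than a chosen password age, so they can be deleted before an old project is opened. The sample file content, the 90-day threshold and the use of file modification time as the "last saved" date are assumptions.

```python
import io, os, time
from pathlib import Path

# Constructed sample of one svn.simple cache file (realm and user are invented).
SAMPLE = (b"K 8\npasstype\nV 6\nsimple\n"
          b"K 8\npassword\nV 11\nold-secret!\n"
          b"K 15\nsvn:realmstring\nV 43\n<https://svn.example.com:443> Corp AD realm\n"
          b"K 8\nusername\nV 5\nalice\nEND\n")

def parse_svn_hash(data):
    """Parse the 'K <len> / key / V <len> / value ... END' cache file format."""
    buf, fields = io.BytesIO(data), {}
    while True:
        header = buf.readline().rstrip(b"\n")
        if header == b"END":
            return fields
        if not header.startswith(b"K "):
            raise ValueError("malformed or truncated cache file: %r" % header)
        key = buf.read(int(header[2:]))
        buf.readline()                                  # newline after the key
        vhead = buf.readline().split()
        if len(vhead) != 2 or vhead[0] != b"V":
            raise ValueError("expected 'V <len>' after key %r" % key)
        fields[key.decode()] = buf.read(int(vhead[1])).decode("utf-8", "replace")
        buf.readline()                                  # newline after the value

def default_auth_dir():
    """Per-user cache location described in the svnbook section linked above."""
    if os.name == "nt":
        return Path(os.environ["APPDATA"]) / "Subversion" / "auth" / "svn.simple"
    return Path.home() / ".subversion" / "auth" / "svn.simple"

def stale_credentials(auth_dir, max_age_days, now=None):
    """List (file, realm, username, age_days) for entries older than max_age_days.
    Assumption: file mtime approximates when the password was last saved."""
    now = time.time() if now is None else now
    stale = []
    for path in sorted(Path(auth_dir).glob("*")):
        age = (now - path.stat().st_mtime) / 86400
        if path.is_file() and age > max_age_days:
            f = parse_svn_hash(path.read_bytes())       # password is never reported
            stale.append((path.name, f.get("svn:realmstring"), f.get("username"), round(age)))
    return stale

if __name__ == "__main__":
    # 90 days is a placeholder; use your domain's actual password expiry.
    for name, realm, user, age in stale_credentials(default_auth_dir(), 90):
        print(f"{age:4d}d  {user}  {realm}  -> delete cache file {name}")
```

Deleting a listed file makes the next operation against that realm prompt for credentials instead of sending the old password.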

RE: SVN keeps getting my AD password revoked.

Posted by Bert Huijben <be...@qqmail.nl>.
> -----Original Message-----
> From: Wendell Nichols [mailto:wcn00@shaw.ca]
> Sent: maandag 17 september 2012 18:16
> To: users@subversion.apache.org
> Subject: SVN keeps getting my AD password revoked.
> 
> I have many eclipse subversion based projects.  I work on them as
> needed.  The problem is that if I open a project that I haven't accessed
> in some time and the cached svn password is old (and therefore wrong) by
> the time I notice it has tried three times (or more) under the covers to
> login and AD revokes my userid.  If I'm working when the helpdesk is not
> manned, I'm screwed till the next day!
> I would like to have a setting that restricts auth errors to one attempt
> before notifying me.  That includes, for instance, opening three old
> projects at once.

This is how Active Directory is set up on your system. 
The number of allowed attempts and the block time are completely
configurable by your enterprise admin and what you describe are certainly
not the common defaults. Where I used AD before we had a limit of 5 attempts
which automatically reset to 0 when a successful login was attempted. And it
only blocked for 15 minutes.
(Which would allow about 500 unique password attempts in 24 hours. Low
enough to keep a half year valid good password safe)

Subversion over http/https should usually only attempt once before prompting
so I don't see why you see it blocking your access. 
Maybe there are scenarios where Eclipse/Subclipse/Subversion retries for
you, but that is not something we can fix with a single generic solution in
Subversion itself.


In my case my mail client and VPN access were more likely to get me locked
out.

	Bert
> 
> Does this sound familiar?
> Thanks Wendell Nichols


RE: SVN keeps getting my AD password revoked.

Posted by "REEDICK, ANDREW" <ar...@att.com>.
Check for svn:externals that point to an external repository.  That password prompt may be for the external repository, and you're getting locked out (of the external repo) because you are providing the wrong password for the wrong repo.


From: Wendell Nichols [mailto:wcn00@shaw.ca]
Sent: Tuesday, September 18, 2012 9:02 AM
To: Mark Phippard
Cc: Ryan Schmidt; users@subversion.apache.org
Subject: Re: SVN keeps getting my AD password revoked.

I cannot quite figure out how but the Eclipse SVN plugin is locking me out of AD even when it doesn't have invalid credentials.   I notice that I am working along doing many compares and merges and all of a sudden it asks me for my AD password.  At that point I'm locked out.  Eclipse is the only thing that could be responsible because everything else runs 24/7 and has no problems.
I'll update it to see if it improves...
wcn
On 09/18/2012 06:53 AM, Mark Phippard wrote:
On Tue, Sep 18, 2012 at 8:47 AM, Wendell Nichols <wc...@shaw.ca> wrote:
Ok, from your description of the way the library behaves there is no retry logic in it for Auth failures, and this must be happening in the subversion connector for Eclipse.  I'll go complain to them :)
Thank you for your analysis and have a good day!

This is why in Subclipse we do not cache your password in any way and leave it up to the Subversion library.  The way it should work is that SVN library will read its cache and try to use those credentials.  When they do not work it will fire callback API  that will cause you to get prompted for new credentials.  Ideally (and I am not sure this is true) the Subversion library should clear its cached credentials once they are invalid.  If it does not do this, and you have many projects in Eclipse, then I could see it still being possible to disable your password as each SVN API call for each of those projects might cause this sequence to happen.  That said, the calls are all happening in one thread so I would expect the first one to cause you to have to enter new credentials.

I think the other Eclipse plugin, Subversive, allows you to type your credentials into its UI and save them.  In which case, it could be causing this to happen.  I think, but am not sure, if you do not enter any credentials in their UI, then they allow the SVN library to manage this which might solve the problem.

--
Thanks

Mark Phippard
http://markphip.blogspot.com/


Re: SVN keeps getting my AD password revoked.

Posted by Wendell Nichols <wc...@shaw.ca>.
I cannot quite figure out how but the Eclipse SVN plugin is locking me 
out of AD even when it doesn't have invalid credentials.   I notice that 
I am working along doing many compares and merges and all of a sudden it 
asks me for my AD password.  At that point I'm locked out.  Eclipse is 
the only thing that could be responsible because everything else runs 
24/7 and has no problems.
I'll update it to see if it improves...
wcn
On 09/18/2012 06:53 AM, Mark Phippard wrote:
> On Tue, Sep 18, 2012 at 8:47 AM, Wendell Nichols <wcn00@shaw.ca> wrote:
>
>     Ok, from your description of the way the library behaves there is
>     no retry logic in it for Auth failures, and this must be happening
>     in the subversion connector for Eclipse.  I'll go complain to them :)
>     Thank you for your analysis and have a good day!
>
>
> This is why in Subclipse we do not cache your password in any way and 
> leave it up to the Subversion library.  The way it should work is that 
> SVN library will read its cache and try to use those credentials. 
>  When they do not work it will fire callback API  that will cause you 
> to get prompted for new credentials.  Ideally (and I am not sure this is 
> true) the Subversion library should clear its cached credentials once 
> they are invalid.  If it does not do this, and you have many projects 
> in Eclipse, then I could see it still being possible to disable your 
> password as each SVN API call for each of those projects might cause 
> this sequence to happen.  That said, the calls are all happening in 
> one thread so I would expect the first one to cause you to have to 
> enter new credentials.
>
> I think the other Eclipse plugin, Subversive, allows you to type your 
> credentials into its UI and save them.  In which case, it could be 
> causing this to happen.  I think, but am not sure, if you do not enter 
> any credentials in their UI, then they allow the SVN library to manage 
> this which might solve the problem.
> -- 
> Thanks
>
> Mark Phippard
> http://markphip.blogspot.com/


Re: SVN keeps getting my AD password revoked.

Posted by Mark Phippard <ma...@gmail.com>.
On Tue, Sep 18, 2012 at 8:47 AM, Wendell Nichols <wc...@shaw.ca> wrote:

> Ok, from your description of the way the library behaves there is no retry
> logic in it for Auth failures, and this must be happening in the subversion
> connector for Eclipse.  I'll go complain to them :)
> Thank you for your analysis and have a good day!
>
>
This is why in Subclipse we do not cache your password in any way and leave
it up to the Subversion library.  The way it should work is that SVN
library will read its cache and try to use those credentials.  When they do
not work it will fire callback API  that will cause you to get prompted for
new credentials.  Ideally (and I am not sure this is true) the Subversion
library should clear its cached credentials once they are invalid.  If it
does not do this, and you have many projects in Eclipse, then I could see
it still being possible to disable your password as each SVN API call for
each of those projects might cause this sequence to happen.  That said, the
calls are all happening in one thread so I would expect the first one to
cause you to have to enter new credentials.

I think the other Eclipse plugin, Subversive, allows you to type your
credentials into its UI and save them.  In which case, it could be causing
this to happen.  I think, but am not sure, if you do not enter any
credentials in their UI, then they allow the SVN library to manage this
which might solve the problem.

-- 
Thanks

Mark Phippard
http://markphip.blogspot.com/

Re: SVN keeps getting my AD password revoked.

Posted by Wendell Nichols <wc...@shaw.ca>.
Ok, from your description of the way the library behaves there is no 
retry logic in it for Auth failures, and this must be happening in the 
subversion connector for Eclipse.  I'll go complain to them :)
Thank you for your analysis and have a good day!
Wendell Nichols


On 09/18/2012 01:05 AM, Ryan Schmidt wrote:
> On Sep 17, 2012, at 20:16, Wendell Nichols wrote:
>
>> I have many eclipse subversion based projects.  I work on them as needed.  The problem is that if I open a project that I haven't accessed in some time and the cached svn password is old (and therefore wrong) by the time I notice it has tried three times (or more) under the covers to login and AD revokes my userid.  If I'm working when the helpdesk is not manned, I'm screwed till the next day!
>> I would like to have a setting that restricts auth errors to one attempt before notifying me.  That includes, for instance, opening three old projects at once.
>
> I assume "AD" is Active Directory? I don't have any experience with that. I'm sorry to hear that AD does this but AD is not something under the control of the Subversion developers. You may want to submit feedback to the developers of AD that this is not convenient behavior for you. Or perhaps AD can be configured to be more lenient; ask your AD administrators. If not, perhaps you can switch to a more lenient authentication system.
>
> As far as I know, the Subversion library does not preserve state between invocations. That is, if you ask the Subversion library to connect to a server, it will do so, and if the username/password is wrong, then it will return an error about that. If the program asks the library to connect a second time, the library will do exactly that. The Subversion library cannot know whether the server would deliver the same response the second time, so it must send the authentication request to the server again to find out. If you're using three different projects, then the Subversion library cannot know whether they all respond the same way to the same credentials, so it has to ask the server to find out.
>
> It's up to the program that's using the Subversion library (the Subversion command line client for example, or the Subversion Eclipse plugin you're using) to propagate error messages to the user in a meaningful way.
>
> The Subversion command line client and library don't have any inherent concept of "opening [multiple] projects at once"; as far as Subversion is concerned, there are three unrelated connection attempts, which are handled separately.
>
>
>


Re: SVN keeps getting my AD password revoked.

Posted by Ryan Schmidt <su...@ryandesign.com>.
On Sep 17, 2012, at 20:16, Wendell Nichols wrote:

> I have many eclipse subversion based projects.  I work on them as needed.  The problem is that if I open a project that I haven't accessed in some time and the cached svn password is old (and therefore wrong) by the time I notice it has tried three times (or more) under the covers to login and AD revokes my userid.  If I'm working when the helpdesk is not manned, I'm screwed till the next day!
> I would like to have a setting that restricts auth errors to one attempt before notifying me.  That includes, for instance, opening three old projects at once.


I assume "AD" is Active Directory? I don't have any experience with that. I'm sorry to hear that AD does this but AD is not something under the control of the Subversion developers. You may want to submit feedback to the developers of AD that this is not convenient behavior for you. Or perhaps AD can be configured to be more lenient; ask your AD administrators. If not, perhaps you can switch to a more lenient authentication system.

As far as I know, the Subversion library does not preserve state between invocations. That is, if you ask the Subversion library to connect to a server, it will do so, and if the username/password is wrong, then it will return an error about that. If the program asks the library to connect a second time, the library will do exactly that. The Subversion library cannot know whether the server would deliver the same response the second time, so it must send the authentication request to the server again to find out. If you're using three different projects, then the Subversion library cannot know whether they all respond the same way to the same credentials, so it has to ask the server to find out.

It's up to the program that's using the Subversion library (the Subversion command line client for example, or the Subversion Eclipse plugin you're using) to propagate error messages to the user in a meaningful way.

The Subversion command line client and library don't have any inherent concept of "opening [multiple] projects at once"; as far as Subversion is concerned, there are three unrelated connection attempts, which are handled separately.