Posted to users@subversion.apache.org by HONTVÁRI Levente <ho...@flyordie.com> on 2021/02/11 00:31:36 UTC

storing password on a server

I understand that 1.14 disables storing a password at compile time.

How am I supposed to run a subversion command in non-interactive scripts 
like a cron job on a headless server?

Of course I can supply the password on the command line but that is 
definitely a step backwards compared to the old way, which stored the 
password in a file which was only readable by the current user.


Re: storing password on a server

Posted by Nathan Hartman <ha...@gmail.com>.
On Wed, Feb 10, 2021 at 7:31 PM HONTVÁRI Levente <ho...@flyordie.com> wrote:
>
> I understand that 1.14 disables storing a password at compile time.
>
> How am I supposed to run a subversion command in non-interactive scripts
> like a cron job on a headless server?
>
> Of course I can supply the password on the command line but that is
> definitely a step backwards compared to the old way, which stored the
> password in a file which was only readable by the current user.

Yes, since 1.12 (see [1]), or more specifically, there is a
compile-time setting that prevents Subversion from writing passwords
to disk in plaintext. However, if the passwords are already present on
disk, Subversion will use them, regardless of this compile-time
setting.

There are various ways to solve your issue:

As a workaround, you could save the password to disk yourself, and
then Subversion will use it. To do this, you could use an older
version of Subversion, or any reasonably recent version that has been
built with the feature enabled, or, if that's not a viable option:

Another way to get the password onto disk is discussed toward the end
of the following email thread on our dev@ list, see [2] below. In that
email thread, there is a (somewhat of a prototype) shell script (for
zsh) to save passwords. If you want to use it, please note that there
were a few corrections, so be sure to use the latest version. Make
sure you understand what it does before you run it; there is an
explanation in that email thread of what the script does. (If you feel
like porting it to plain portable sh or have any other improvements
for it, feel free to respond to that email thread, or start a new
one...)

Besides getting the password onto disk, there are other possibilities,
such as finding a way to inject a secret into a script; this is
mentioned in [3].

This issue is frustrating and we do get questions about it; what
prevents us from returning to the old way is that there's another side
of the community that will come at us with pitchforks and torches if
we store passwords to disk in plaintext, so the current situation is a
compromise. Feel free to email dev@ with any suggestions you might
have on how this could be improved.

References:

[1] https://subversion.apache.org/docs/release-notes/1.12.html#client-server-improvements

[2] https://lists.apache.org/thread.html/r0eef40236aeddd1db18bc7882454dd3b18bcd721d8fd8c9e21aca52a%40%3Cdev.subversion.apache.org%3E

[3] https://lists.apache.org/thread.html/r223e0833b1c75005fdb01a9c117039765addb32232e5327ea3a5b5dc%40%3Cusers.subversion.apache.org%3E

Nathan
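
Added example, not part of this thread or of Subversion itself: a read-only audit of the on-disk credential cache that the reply above says Subversion will keep using, flagging entries whose password is stored in plaintext or whose file is accessible beyond the owning user. It assumes the cache is one file per realm under ~/.subversion/auth/svn.simple in "K <len>" / key / "V <len>" / value records with passtype "simple" marking a plaintext password; the function names and sample values are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed cache layout: one file per realm in
# ~/.subversion/auth/svn.simple, made of "K <len>" / key / "V <len>" / value
# records and a final END line.

# Print the value stored under key $2 in cache file $1 (single-line values).
cache_field() {
    awk -v want="$2" '
        /^K [0-9]+$/ { getline k; getline; getline v
                       if (k == want) { print v; exit } }' "$1"
}

# One line per cache file: FLAGS passtype username filename
#   PLAINTEXT = passtype "simple", the password itself is in the file
#   LOOSE     = group or others have some access to the file
# The password value is never read or printed.
audit_cache() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        ptype=$(cache_field "$f" passtype)
        user=$(cache_field "$f" username)
        flags=
        [ "$ptype" = simple ] && flags=PLAINTEXT
        [ "$(ls -ld "$f" | cut -c5-10)" = "------" ] || flags="${flags:+$flags,}LOOSE"
        printf '%s %s %s %s\n' "${flags:-OK}" "${ptype:-?}" "${user:-?}" "${f##*/}"
    done
}

# Constructed sample cache (all values made up): one plaintext entry with loose
# permissions, one entry whose password is held by gpg-agent.
make_sample_cache() {
    printf 'K 8\npasstype\nV 6\nsimple\nK 8\npassword\nV 10\nnot-a-real\nK 15\nsvn:realmstring\nV 35\n<https://svn.example.test:443> Demo\nK 8\nusername\nV 7\ncronjob\nEND\n' > "$1/aaaa"
    printf 'K 8\npasstype\nV 9\ngpg-agent\nK 15\nsvn:realmstring\nV 35\n<https://svn.example.test:443> Repo\nK 8\nusername\nV 6\ndeploy\nEND\n' > "$1/bbbb"
    chmod 644 "$1/aaaa"; chmod 600 "$1/bbbb"
}

dir=$(mktemp -d)
make_sample_cache "$dir"
audit_cache "$dir"
rm -rf "$dir"
```

To check a real account, call audit_cache with that user's svn.simple directory instead of the sample one.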

Re: storing password on a server

Posted by Nico Kadel-Garcia <nk...@gmail.com>.
On Thu, Feb 11, 2021 at 7:55 AM Andreas Stieger <An...@gmx.de> wrote:
>
> Hi,
>
> > I understand that 1.14 disables storing a password at compile time.
> >
> > How am I supposed to run a subversion command in non-interactive scripts
> > like a cron job on a headless server?
>
> You can use an unattended configuration of Gnome Keyring, Kwallet, GPG-Agent. Or client certificates for which passphrase caching is allowed.

Or "ssh-agent" with svn+ssh.

Re: storing password on a server

Posted by Andreas Stieger <An...@gmx.de>.
Hi,

> I understand that 1.14 disables storing a password at compile time.
>
> How am I supposed to run a subversion command in non-interactive scripts
> like a cron job on a headless server?

You can use an unattended configuration of Gnome Keyring, Kwallet, GPG-Agent. Or client certificates for which passphrase caching is allowed.

Andreas