Posted to users@subversion.apache.org by Giulio Troccoli <Gi...@uk.linedata.com> on 2010/01/15 16:33:58 UTC

How to use GNOME keyring with Subversion

Although I have been using Subversion since 1.2, so for quite a while, I'm very new to GNOME keyring. I would like to set it up but I don't seem able to do that.

I have, for testing, created a VM with CentOS 5.4. Then I have built Subversion 1.6.6 from source with the --with-gnome-keyring option.

The gnome-keyring-daemon is running (does it need any parameters?) and the keyring manager shows an unlocked session called "session".

I have changed the config file to use gnome-keyring and the servers files with store-passwords = yes and store-plaintext-passwords = no.

Still, when I update an existing wc I am asked for the Subversion password every time.

As I said I am totally new to keyring and stuff like that, so if anyone has successfully set it up please help me :-)

Of course, if you need more information just ask

Thanks
Giulio


Linedata Services (UK) Ltd
Registered Office: Bishopsgate Court, 4-12 Norton Folgate, London, E1 6DB
Registered in England and Wales No 3027851    VAT Reg No 778499447




Re: How to use GNOME keyring with Subversion

Posted by Mark Phippard <ma...@gmail.com>.
On Tue, Jan 19, 2010 at 10:54 AM, Giulio Troccoli
<Gi...@uk.linedata.com>

> The first problem is that the first time (after clearing the stored credentials in .subversion)
> I'm asked for the Subversion password a pop-up window appears asking me for the
> password for the keyring. This is correct, but not all my users use an xterm session,
> some use a simple telnet and this doesn't work of course. Is there a way to have the
> keyring manager ask for the password without trying and opening a new window?

When you login to a GNOME desktop, the keyring manager is started
automatically and you get the GUI prompt to unlock it when needed.  If
just using an xterm then you need to run export `gnome-keyring-daemon`
when you login so that the keyring daemon is running in the
background.  The SVN client will prompt at the command line to unlock
it.

> Another problem is the keyring. Again, I'm not an expert, but where is the keyring
> password stored? The one that I am asked in the step described above? I guess it's
> encrypted, but doesn't it need another key to decrypt it? I'm missing something obviously,
> because this can go on forever but clearly doesn't.

When you login via GUI I believe there is a default session keyring
that is encrypted with your main credentials.  Other than that, yes
when you create a keyring you must give it a password and it uses that
password to encrypt everything.  You have to supply that password to
unlock the keyring.  Subversion will prompt at command line to unlock
a locked keyring.

> I know that with keyring manager I can create different keyrings. Is it worth creating a
> specific one for Subversion? If so, how do I tell Subversion to use that specific keyring?

Subversion always uses whatever keyring is set as the default.

> Finally, the keyring daemon. It seems there must be one running per user, rather than per
> system. Is that correct? Do I have to run export `gnome-keyring-daemon` every time a
> user logs in?

Yes, every user has to run it.

You should also see this blog post and the comments:

http://blogs.open.collab.net/svn/2009/07/subversion-16-security-improvements.html



-- 
Thanks

Mark Phippard
http://markphip.blogspot.com/
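
A login-profile form of the export `gnome-keyring-daemon` step described in the reply above, as an added example that is not part of the original post. It assumes the daemon prints NAME=value lines (GNOME_KEYRING_SOCKET, GNOME_KEYRING_PID) on stdout; the function names and the KEYRING_DAEMON variable are illustrative.

```shell
# Added example for ~/.profile; not from the thread.
# Assumption: the daemon prints lines such as
#   GNOME_KEYRING_SOCKET=/tmp/keyring-XXXX/socket
#   GNOME_KEYRING_PID=1234
KEYRING_DAEMON=${KEYRING_DAEMON:-gnome-keyring-daemon}

# Return 0 when this login already has a live daemon to talk to.
keyring_is_running() {
    [ -n "${GNOME_KEYRING_PID:-}" ] && kill -0 "$GNOME_KEYRING_PID" 2>/dev/null
}

# Export only well-formed GNOME_KEYRING_* assignments read from stdin.
# A blind export `cmd` would export any name the command printed.
import_keyring_env() {
    while IFS= read -r line; do
        case $line in
            GNOME_KEYRING_*=*)
                name=${line%%=*}
                value=${line#*=}
                # skip names containing anything but A-Z, 0-9 and _
                case $name in *[!A-Z0-9_]*) continue ;; esac
                export "$name=$value"
                ;;
        esac
    done
    unset line name value
}

# Start one daemon per user login, reusing a running one if present.
start_keyring_once() {
    keyring_is_running && return 0
    command -v "$KEYRING_DAEMON" >/dev/null 2>&1 || return 1
    out=$("$KEYRING_DAEMON") || return 1
    # here-document keeps the loop in this shell so the exports persist
    import_keyring_env <<EOF
$out
EOF
    unset out
    keyring_is_running
}
```

Calling start_keyring_once from each user's profile gives telnet and xterm logins the same environment a GNOME desktop session would have set up.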

RE: How to use GNOME keyring with Subversion

Posted by Luke Imhoff <lu...@cray.com>.
On Tue, 2010-01-19 at 09:54 -0600, Giulio Troccoli wrote:
> > > From: Mark Phippard [mailto:markphip@gmail.com]
> > > Sent: 15 January 2010 16:37
> > > To: Giulio Troccoli
> > > Cc: users@subversion.apache.org
> > > Subject: Re: How to use GNOME keyring with Subversion
> > >
> > > On Fri, Jan 15, 2010 at 11:33 AM, Giulio Troccoli
> > > <Gi...@uk.linedata.com> wrote:
> > > > Although I have been using Subversion since 1.2, so for quite a
> > > > while, I'm very new to GNOME keyring. I would like to set it up
> > > > but I don't seem able to do that.
> > > >
> > > > I have, for testing, created a VM with CentOS 5.4. Then I have
> > > > built Subversion 1.6.6 from source with the --with-gnome-keyring
> > > > option.
> > > >
> > > > The gnome-keyring-daemon is running (does it need any parameters?)
> > > > and the keyring manager shows an unlocked session called "session".
> > > >
> > > > I have changed the config file to use gnome-keyring and the servers
> > > > files with store-passwords = yes and store-plaintext-passwords = no.
> > > >
> > > > Still, when I update an existing wc I am asked for the Subversion
> > > > password every time.
> > > >
> > > > As I said I am totally new to keyring and stuff like that, so if
> > > > anyone has successfully set it up please help me :-)
> > > >
> > > > Of course, if you need more information just ask
> > >
> > > The CollabNet RPM has gnome-keyring support and installs into a
> > > private location (/opt/CollabNet_Subversion) so it will not mess up
> > > your other build or install.  I'd suggest you try it to rule out
> > > problems with your build.
> >
> > I'll try that and report back.
> 
> Ok, on a brand new CentOS 5.4 VM everything seems to work, although there are still a few aspects that I'm not sure about.
> 
> The first problem is that the first time (after clearing the stored credentials in .subversion) I'm asked for the Subversion password a pop-up window appears asking me for the password for the keyring. This is correct, but not all my users use an xterm session, some use a simple telnet and this doesn't work of course. Is there a way to have the keyring manager ask for the password without trying and opening a new window?

You could try seeing if not having DISPLAY defined makes it revert to
using the terminal to prompt for the password.  At least for SLES 10
when using the gnome-keyring for osc, I had to modify the library to
prompt on the command-line if DISPLAY wasn't defined.  Not sure if
gnome-keyring's handling of HEADLESS machines is better in other, newer
OSes.

> 
> Another problem is the keyring. Again, I'm not an expert, but where is the keyring password stored? The one that I am asked in the step described above? I guess it's encrypted, but doesn't it need another key to decrypt it? I'm missing something obviously, because this can go on forever but clearly doesn't.
> 
The password for unlocking the keyring isn't stored anywhere in a
reversible format.  It's like the passwords in /etc/shadow, it's salted
and hashed.  The passwords on the actual keyring need protection because
they are in a reversible, encrypted format, so the plain-text can be
sent through svn.

> I know that with keyring manager I can create different keyrings. Is it worth creating a specific one for Subversion? If so, how do I tell Subversion to use that specific keyring?

There's no reason to create a separate one unless you want a different
keyring password for your subversion passwords or you want to be able to
wipe all the subversion passwords at once by deleting the file
~/.gnome2/keyrings/subversion.keyring.

> 
> Finally, the keyring daemon. It seems there must be one running per user, rather than per system. Is that correct? Do I have to run export `gnome-keyring-daemon` every time a user logs in?
> 

Later OSes will have pam integration that just logs you into the
gnome-keyring (and starts the daemon).  If CentOS 5.4 doesn't have the
pam module, then yes, you need to start the daemon manually.

> Sorry, for the big OT, and thanks
> 
> Giulio
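
A check that the store-plaintext-passwords = no setting discussed in this thread is reflected in the credential cache under .subversion, as an added example that is not part of the original posts. It assumes Subversion 1.6's cache layout (one K/V record file per realm in ~/.subversion/auth/svn.simple/); the function names and sample records are constructed for illustration.

```shell
# Added example, not from the thread. Assumes each cache file is written as
# "K <len>" / key / "V <len>" / value records ending in END, with
# single-line values, and a "passtype" key naming the password store.

# Classify one cache file without ever printing the password value.
svn_cache_entry() {
    awk '
        /^K [0-9]+$/ { getline key; next }
        /^V [0-9]+$/ { getline val; kv[key] = val; next }
        END {
            pt = ("passtype" in kv) ? kv["passtype"] : "(none)"
            # Assumption: a password key with passtype simple (or none)
            # means the password sits in this file in the clear.
            plain = ("password" in kv) && (pt == "simple" || pt == "(none)")
            printf "%s passtype=%s user=%s realm=%s\n",
                   (plain ? "PLAINTEXT" : "ok"), pt, kv["username"], kv["svn:realmstring"]
        }' "$1"
}

# Report every entry; return 1 if any plaintext password is cached.
svn_plaintext_audit() {
    dir=${1:-$HOME/.subversion/auth/svn.simple}
    rc=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        line=$(svn_cache_entry "$f")
        printf '%s file=%s\n' "$line" "$f"
        case $line in PLAINTEXT*) rc=1 ;; esac
    done
    return "$rc"
}

# Constructed sample records (not real credentials) for trying it out.
write_sample_cache() {
    mkdir -p "$1"
    printf '%s\n' 'K 8' passtype 'V 13' gnome-keyring 'K 15' svn:realmstring \
        'V 32' '<https://svn.example.test> Repos' 'K 8' username 'V 5' alice \
        END > "$1/keyring-entry"
    printf '%s\n' 'K 8' passtype 'V 6' simple 'K 8' password 'V 11' \
        'not-a-real1' 'K 15' svn:realmstring 'V 32' \
        '<https://svn.example.test> Repos' 'K 8' username 'V 5' alice \
        END > "$1/plaintext-entry"
}
```

Entries reported as PLAINTEXT predate the keyring setup or were saved by a client without keyring support; clearing them makes the next operation prompt again and store the password in the keyring.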


RE: How to use GNOME keyring with Subversion

Posted by Giulio Troccoli <Gi...@uk.linedata.com>.
> > From: Mark Phippard [mailto:markphip@gmail.com]
> > Sent: 15 January 2010 16:37
> > To: Giulio Troccoli
> > Cc: users@subversion.apache.org
> > Subject: Re: How to use GNOME keyring with Subversion
> >
> > On Fri, Jan 15, 2010 at 11:33 AM, Giulio Troccoli
> > <Gi...@uk.linedata.com> wrote:
> > > Although I have been using Subversion since 1.2, so for quite a
> > > while, I'm very new to GNOME keyring. I would like to set it up
> > > but I don't seem able to do that.
> > >
> > > I have, for testing, created a VM with CentOS 5.4. Then I have
> > > built Subversion 1.6.6 from source with the --with-gnome-keyring
> > > option.
> > >
> > > The gnome-keyring-daemon is running (does it need any parameters?)
> > > and the keyring manager shows an unlocked session called "session".
> > >
> > > I have changed the config file to use gnome-keyring and the servers
> > > files with store-passwords = yes and store-plaintext-passwords = no.
> > >
> > > Still, when I update an existing wc I am asked for the Subversion
> > > password every time.
> > >
> > > As I said I am totally new to keyring and stuff like that, so if
> > > anyone has successfully set it up please help me :-)
> > >
> > > Of course, if you need more information just ask
> >
> > The CollabNet RPM has gnome-keyring support and installs into a
> > private location (/opt/CollabNet_Subversion) so it will not mess up
> > your other build or install.  I'd suggest you try it to rule out
> > problems with your build.
>
> I'll try that and report back.

Ok, on a brand new CentOS 5.4 VM everything seems to work, although there are still a few aspects that I'm not sure about.

The first problem is that the first time (after clearing the stored credentials in .subversion) I'm asked for the Subversion password a pop-up window appears asking me for the password for the keyring. This is correct, but not all my users use an xterm session, some use a simple telnet and this doesn't work of course. Is there a way to have the keyring manager ask for the password without trying and opening a new window?

Another problem is the keyring. Again, I'm not an expert, but where is the keyring password stored? The one that I am asked in the step described above? I guess it's encrypted, but doesn't it need another key to decrypt it? I'm missing something obviously, because this can go on forever but clearly doesn't.

I know that with keyring manager I can create different keyrings. Is it worth creating a specific one for Subversion? If so, how do I tell Subversion to use that specific keyring?

Finally, the keyring daemon. It seems there must be one running per user, rather than per system. Is that correct? Do I have to run export `gnome-keyring-daemon` every time a user logs in?

Sorry, for the big OT, and thanks

Giulio

RE: How to use GNOME keyring with Subversion

Posted by Giulio Troccoli <Gi...@uk.linedata.com>.
> From: Mark Phippard [mailto:markphip@gmail.com]
> Sent: 15 January 2010 16:37
> To: Giulio Troccoli
> Cc: users@subversion.apache.org
> Subject: Re: How to use GNOME keyring with Subversion
>
> On Fri, Jan 15, 2010 at 11:33 AM, Giulio Troccoli
> <Gi...@uk.linedata.com> wrote:
> > Although I have been using Subversion since 1.2, so for quite a
> > while, I'm very new to GNOME keyring. I would like to set it up
> > but I don't seem able to do that.
> >
> > I have, for testing, created a VM with CentOS 5.4. Then I have
> > built Subversion 1.6.6 from source with the --with-gnome-keyring
> > option.
> >
> > The gnome-keyring-daemon is running (does it need any parameters?)
> > and the keyring manager shows an unlocked session called "session".
> >
> > I have changed the config file to use gnome-keyring and the servers
> > files with store-passwords = yes and store-plaintext-passwords = no.
> >
> > Still, when I update an existing wc I am asked for the Subversion
> > password every time.
> >
> > As I said I am totally new to keyring and stuff like that, so if
> > anyone has successfully set it up please help me :-)
> >
> > Of course, if you need more information just ask
>
> The CollabNet RPM has gnome-keyring support and installs into
> a private location (/opt/CollabNet_Subversion) so it will not
> mess up your other build or install.  I'd suggest you try it
> to rule out problems with your build.

I'll try that and report back.

> I assumed you made sure you were using your build and not the
> version that comes with CentOS.

Of course :-)


Re: How to use GNOME keyring with Subversion

Posted by Mark Phippard <ma...@gmail.com>.
On Fri, Jan 15, 2010 at 11:33 AM, Giulio Troccoli
<Gi...@uk.linedata.com> wrote:
> Although I have been using Subversion since 1.2, so for quite a while, I'm very new to GNOME keyring. I would like to set it up but I don't seem able to do that.
>
> I have, for testing, created a VM with CentOS 5.4. Then I have built Subversion 1.6.6 from source with the --with-gnome-keyring option.
>
> The gnome-keyring-daemon is running (does it need any parameters?) and the keyring manager shows an unlocked session called "session".
>
> I have changed the config file to use gnome-keyring and the servers files with store-passwords = yes and store-plaintext-passwords = no.
>
> Still, when I update an existing wc I am asked for the Subversion password every time.
>
> As I said I am totally new to keyring and stuff like that, so if anyone has successfully set it up please help me :-)
>
> Of course, if you need more information just ask

The CollabNet RPM has gnome-keyring support and installs into a
private location (/opt/CollabNet_Subversion) so it will not mess up
your other build or install.  I'd suggest you try it to rule out
problems with your build.

I assumed you made sure you were using your build and not the version
that comes with CentOS.


-- 
Thanks

Mark Phippard
http://markphip.blogspot.com/