Posted to dev@subversion.apache.org by kr...@arcor.de on 2004/09/23 12:13:32 UTC

SVN Password stored in Plaintext!!!!

One thing I noted while browsing through my subversion profile is that the passwords for my subversion access are stored in a file in plaintext! This is something that I find disturbing. How much trouble would it be to encrypt them and then have the server accept an encrypted version of the password? It would be really cool if companies could install their pgp key on their subversion server in order to do the encryption.

-- Robert

P.S. Does anyone know where I can find a full library and version dependency list for the Linux SVN client?


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org
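
Added example, not part of the original thread or of Subversion's code: a Python audit of the plaintext credential cache the post above describes. It assumes Subversion's documented cache layout (one file per realm under ~/.subversion/auth/svn.simple/, in the K/V/END hash-dump format); the sample entry, its credentials and the finding names are constructed for illustration.

```python
import os
import stat
import tempfile

# Constructed sample of one cached credential (not taken from the thread).
SAMPLE_ENTRY = (
    b"K 8\npassword\nV 7\nhunter2\n"
    b"K 15\nsvn:realmstring\nV 42\n<https://svn.example.com:443> Example Repo\n"
    b"K 8\nusername\nV 6\nrobert\nEND\n"
)

def parse_svn_hash(data: bytes) -> dict:
    """Parse length-prefixed 'K n / key / V n / value' records ending in END."""
    entry, pos = {}, 0
    def read_item(tag: bytes) -> bytes:
        nonlocal pos
        eol = data.index(b"\n", pos)  # raises ValueError on a truncated file
        kind, _, length = data[pos:eol].partition(b" ")
        if kind != tag or not length.isdigit():
            raise ValueError(f"malformed record header at byte {pos}")
        start, end = eol + 1, eol + 1 + int(length)
        if data[end:end + 1] != b"\n":
            raise ValueError(f"length mismatch at byte {pos}")
        pos = end + 1
        return data[start:end]
    while not data.startswith(b"END", pos):
        key = read_item(b"K")
        entry[key.decode()] = read_item(b"V")
    return entry

def audit_auth_cache(cache_dir: str) -> list:
    """List each cache file with its realm and findings; never the password."""
    report = []
    for name in sorted(os.listdir(cache_dir)):
        path = os.path.join(cache_dir, name)
        if not os.path.isfile(path):
            continue
        try:
            with open(path, "rb") as fh:
                entry = parse_svn_hash(fh.read())
        except ValueError:
            report.append({"file": name, "realm": "", "findings": ["unparseable"]})
            continue
        findings = []
        # Later releases add a 'passtype' key; absent or 'simple' means cleartext.
        if "password" in entry and entry.get("passtype", b"simple") == b"simple":
            findings.append("plaintext-password")
        if stat.S_IMODE(os.stat(path).st_mode) & 0o077:
            findings.append("group-or-other-access")
        realm = entry.get("svn:realmstring", b"").decode(errors="replace")
        report.append({"file": name, "realm": realm, "findings": findings})
    return report

def demo() -> list:  # audits a throwaway copy of the constructed sample
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "constructed-entry")
        with open(path, "wb") as fh:
            fh.write(SAMPLE_ENTRY)
        os.chmod(path, 0o644)
        return audit_auth_cache(tmp)
```

Point `audit_auth_cache` at a real cache directory to check an account; `--no-auth-cache`, the option named in the patch subject cited later in the thread, keeps svn from writing these files.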

Re: SVN Password stored in Plaintext!!!!

Posted by Mark Benedetto King <mb...@lowlatency.com>.
On Thu, Sep 23, 2004 at 10:52:10PM +0200, Robert Simmons wrote:
> Well, I don't know about this agent stuff. However, if you want to preserve
> logins so the user doesn't have to login again, why not do something like a
> certificate. *shrug* I just know that SVN is not the only program that has
> this problem. Unix has been dealing with such a thing for ssh for 20 years
> at least and have solved it somehow. 
> 

"Somehow" in this case is "ssh-agent".  Or passphrase-less private keys
or certificates, which are essentially unencrypted passwords dipped in
snake oil.

--ben



Re: SVN Password stored in Plaintext!!!!

Posted by Jani Averbach <ja...@jaa.iki.fi>.
On 2004-09-23 19:32+0200, Olaf Hering wrote:
> 
> so, someone already did the work? Good.

Unfortunately no. This idea popped up, some ideas were exchanged, and
after that - the silence.

I pointed to the thread so that people can read what has been talked about
on the topic in the past.

BR, Jani

-- 
Jani Averbach



RE: SVN Password stored in Plaintext!!!!

Posted by Greg Hudson <gh...@MIT.EDU>.
On Thu, 2004-09-23 at 16:52, Robert Simmons wrote:
> Well, I don’t know about this agent stuff. However, if you want to preserve
> logins so the user doesn’t have to login again, why not do something like a
> certificate.

http://svnbook.red-bean.com/svnbook-1.0/svn-book.html#svn-ch-6-sect-4.3.2

Or did you mean something else?




Re: SVN Password stored in Plaintext!!!!

Posted by kf...@collab.net.
"Brian W. Fitzpatrick" <fi...@red-bean.com> writes:
> Subversion is a volunteer effort and open source software.  You're
> welcome to work on this feature (or pay someone to write it for you). 
> As Larry Wall once said, "It's not us versus you... it's just... *us*". 
> Don't assume malicious intent on our behalf just because our priorities
> and yours don't mesh.

FWIW, I didn't read any implication of malicious intent in his post.
He just said we don't "want" to do it, and for one reasonable
definition of "want", that's perfectly accurate.

-Karl


RE: SVN Password stored in Plaintext!!!!

Posted by Robert Simmons <kr...@arcor.de>.
I wouldn't use the word "malicious." I would simply say "uninterested." This
issue may be a problem for the business environment. As it is now, I just
won't mention it to my clients.

As for writing it myself, not a chance. I don't do C programming at all (at
least not in 20 years) and I would need MONTHS to understand enough about
SVN to get it to work. Heck, when I wanted to do a pure Java client for SVN
people told me "not possible" and after spending a long time researching I
gave up.

I have also never done any encryption programming. Programming is a HUGE
field and one can't know it all. *shrug*

-- Robert


> -----Original Message-----
> From: Brian W. Fitzpatrick [mailto:fitz@red-bean.com]
> Sent: Friday, September 24, 2004 15:25
> To: Robert Simmons
> Cc: dev@subversion.tigris.org
> Subject: RE: SVN Password stored in Plaintext!!!!
> 
> On Fri, 2004-09-24 at 08:18, Robert Simmons wrote:
> > Ahh... I understand.
> >
> > The crux of the issue is that although there is a solution possible, the
> SVN
> > dev team simply doesn't want to do it?
> 
> Not at all--it's just that the feature that you're interested in here is
> a lower priority than bugfixing and writing other new features (like
> locking).
> 
> Subversion is a volunteer effort and open source software.  You're
> welcome to work on this feature (or pay someone to write it for you).
> As Larry Wall once said, "It's not us versus you... it's just... *us*".
> Don't assume malicious intent on our behalf just because our priorities
> and yours don't mesh.
> 
> -Fitz



RE: SVN Password stored in Plaintext!!!!

Posted by "Brian W. Fitzpatrick" <fi...@red-bean.com>.
On Fri, 2004-09-24 at 08:18, Robert Simmons wrote:
> Ahh... I understand.
> 
> The crux of the issue is that although there is a solution possible, the SVN
> dev team simply doesn't want to do it?

Not at all--it's just that the feature that you're interested in here is
a lower priority than bugfixing and writing other new features (like
locking).

Subversion is a volunteer effort and open source software.  You're
welcome to work on this feature (or pay someone to write it for you). 
As Larry Wall once said, "It's not us versus you... it's just... *us*". 
Don't assume malicious intent on our behalf just because our priorities
and yours don't mesh.

-Fitz



RE: SVN Password stored in Plaintext!!!!

Posted by Robert Simmons <kr...@arcor.de>.
Ahh... I understand.

The crux of the issue is that although there is a solution possible, the SVN
dev team simply doesn't want to do it?

-- Robert

> -----Original Message-----
> From: Brian W. Fitzpatrick [mailto:fitz@red-bean.com]
> Sent: Friday, September 24, 2004 15:13
> To: Robert Simmons
> Cc: 'Michael Brouwer'; dev@subversion.tigris.org
> Subject: RE: SVN Password stored in Plaintext!!!!
> 
> On Thu, 2004-09-23 at 22:31, Robert Simmons wrote:
> > Across a proxy, through a firewall and into a paranoid company?
> >
> > Nay.
> >
> > One of the charms of SVN is the apache and HTTPS access.
> 
> And one of the compromises of using HTTPS and the auth cache is that
> your password is stored in cleartext.
> 
> -Fitz



RE: SVN Password stored in Plaintext!!!!

Posted by "Brian W. Fitzpatrick" <fi...@red-bean.com>.
On Thu, 2004-09-23 at 22:31, Robert Simmons wrote:
> Across a proxy, through a firewall and into a paranoid company? 
> 
> Nay. 
> 
> One of the charms of SVN is the apache and HTTPS access. 

And one of the compromises of using HTTPS and the auth cache is that
your password is stored in cleartext.

-Fitz



RE: SVN Password stored in Plaintext!!!!

Posted by Robert Simmons <kr...@arcor.de>.
Across a proxy, through a firewall and into a paranoid company? 

Nay. 

One of the charms of SVN is the apache and HTTPS access. 

-- Robert

> -----Original Message-----
> From: Michael Brouwer [mailto:michael@tlaloc.net]
> Sent: Friday, September 24, 2004 05:21
> To: Robert Simmons
> Cc: dev@subversion.tigris.org
> Subject: Re: SVN Password stored in Plaintext!!!!
> 
> Or you could access the repository using svn+ssh:// and use ssh-agent
> and ssh-add....
> 
> Michael
> 
> On Sep 23, 2004, at 1:52 PM, Robert Simmons wrote:
> 
> > Well, I don’t know about this agent stuff. However, if you want to
> > preserve
> > logins so the user doesn’t have to login again, why not do something
> > like a
> > certificate. *shrug* I just know that SVN is not the only program that
> > has
> > this problem. Unix has been dealing with such a thing for ssh for 20
> > years
> > at least and have solved it somehow.
> >
> > I would think this should be a major issue for corporations intending
> > to use
> > subversion.
> >
> > -- Robert
> >
> >> -----Original Message-----
> >> From: Olaf Hering [mailto:olh@suse.de]
> >> Sent: Thursday, September 23, 2004 19:33
> >> To: Jani Averbach
> >> Cc: kraythe@arcor.de; dev@subversion.tigris.org
> >> Subject: Re: SVN Password stored in Plaintext!!!!
> >>
> >>  On Thu, Sep 23, Jani Averbach wrote:
> >>
> >>> On 2004-09-23 19:07+0200, Olaf Hering wrote:
> >>>>  On Thu, Sep 23, kraythe@arcor.de wrote:
> >>>>
> >>>>> One thing I noted while browsing through my subversion profile is
> >> that the passwords for my subversion access are stored in a file in
> >> plaintext! This is something that I find disturbing. How much trouble
> >> would it be to encrypt them and then have the server accept an
> >> encrypted
> >> version of the password? It would be really cool if companies could
> >> install their pgp key on their subversion server in order to do the
> >> encryption.
> >>>>
> >>>> I have a job opportunity for you:
> >>>
> >>> If you accept that offer, please take a look at that thread:
> >>>
> >>>  Subject: [PATCH] default to --no-auth-cache
> >>>  Date: Tue, 14 Jan 2003 22:23:16 +0100
> >>>  Message-ID: <3E...@xbc.nu>
> >>>  http://subversion.tigris.org/servlets/ReadMsg?list=dev&msgNo=29065
> >>
> >> so, someone already did the work? Good.
> >> Our guys did not find the svn-agent in the 1.0.x documentation.
> >> I don't see it in the 1.1.x filelist.
> >>
> >> I hope you understand how ssh-agent works.
> >>
> >> --
> >> USB is for mice, FireWire is for men!
> >>
> >> sUse lINUX ag, nÜRNBERG




Re: SVN Password stored in Plaintext!!!!

Posted by Michael Brouwer <mi...@tlaloc.net>.
Or you could access the repository using svn+ssh:// and use ssh-agent 
and ssh-add....

Michael

On Sep 23, 2004, at 1:52 PM, Robert Simmons wrote:

> Well, I don’t know about this agent stuff. However, if you want to 
> preserve
> logins so the user doesn’t have to login again, why not do something 
> like a
> certificate. *shrug* I just know that SVN is not the only program that 
> has
> this problem. Unix has been dealing with such a thing for ssh for 20 
> years
> at least and have solved it somehow.
>
> I would think this should be a major issue for corporations intending 
> to use
> subversion.
>
> -- Robert
>
>> -----Original Message-----
>> From: Olaf Hering [mailto:olh@suse.de]
>> Sent: Thursday, September 23, 2004 19:33
>> To: Jani Averbach
>> Cc: kraythe@arcor.de; dev@subversion.tigris.org
>> Subject: Re: SVN Password stored in Plaintext!!!!
>>
>>  On Thu, Sep 23, Jani Averbach wrote:
>>
>>> On 2004-09-23 19:07+0200, Olaf Hering wrote:
>>>>  On Thu, Sep 23, kraythe@arcor.de wrote:
>>>>
>>>>> One thing I noted while browsing through my subversion profile is
>> that the passwords for my subversion access are stored in a file in
>> plaintext! This is something that I find disturbing. How much trouble
>> would it be to encrypt them and then have the server accept an 
>> encrypted
>> version of the password? It would be really cool if companies could
>> install their pgp key on their subversion server in order to do the
>> encryption.
>>>>
>>>> I have a job opportunity for you:
>>>
>>> If you accept that offer, please take a look at that thread:
>>>
>>>  Subject: [PATCH] default to --no-auth-cache
>>>  Date: Tue, 14 Jan 2003 22:23:16 +0100
>>>  Message-ID: <3E...@xbc.nu>
>>>  http://subversion.tigris.org/servlets/ReadMsg?list=dev&msgNo=29065
>>
>> so, someone already did the work? Good.
>> Our guys did not find the svn-agent in the 1.0.x documentation.
>> I don't see it in the 1.1.x filelist.
>>
>> I hope you understand how ssh-agent works.
>>
>> --
>> USB is for mice, FireWire is for men!
>>
>> sUse lINUX ag, nÜRNBERG




RE: SVN Password stored in Plaintext!!!!

Posted by Robert Simmons <kr...@arcor.de>.
Well, I don’t know about this agent stuff. However, if you want to preserve
logins so the user doesn’t have to login again, why not do something like a
certificate. *shrug* I just know that SVN is not the only program that has
this problem. Unix has been dealing with such a thing for ssh for 20 years
at least and have solved it somehow. 

I would think this should be a major issue for corporations intending to use
subversion. 

-- Robert

> -----Original Message-----
> From: Olaf Hering [mailto:olh@suse.de]
> Sent: Thursday, September 23, 2004 19:33
> To: Jani Averbach
> Cc: kraythe@arcor.de; dev@subversion.tigris.org
> Subject: Re: SVN Password stored in Plaintext!!!!
> 
>  On Thu, Sep 23, Jani Averbach wrote:
> 
> > On 2004-09-23 19:07+0200, Olaf Hering wrote:
> > >  On Thu, Sep 23, kraythe@arcor.de wrote:
> > >
> > > > One thing I noted while browsing through my subversion profile is
> that the passwords for my subversion access are stored in a file in
> plaintext! This is something that I find disturbing. How much trouble
> would it be to encrypt them and then have the server accept an encrypted
> version of the password? It would be really cool if companies could
> install their pgp key on their subversion server in order to do the
> encryption.
> > >
> > > I have a job opportunity for you:
> >
> > If you accept that offer, please take a look at that thread:
> >
> >  Subject: [PATCH] default to --no-auth-cache
> >  Date: Tue, 14 Jan 2003 22:23:16 +0100
> >  Message-ID: <3E...@xbc.nu>
> >  http://subversion.tigris.org/servlets/ReadMsg?list=dev&msgNo=29065
> 
> so, someone already did the work? Good.
> Our guys did not find the svn-agent in the 1.0.x documentation.
> I don't see it in the 1.1.x filelist.
> 
> I hope you understand how ssh-agent works.
> 
> --
> USB is for mice, FireWire is for men!
> 
> sUse lINUX ag, nÜRNBERG




Re: SVN Password stored in Plaintext!!!!

Posted by Olaf Hering <ol...@suse.de>.
 On Thu, Sep 23, Jani Averbach wrote:

> On 2004-09-23 19:07+0200, Olaf Hering wrote:
> >  On Thu, Sep 23, kraythe@arcor.de wrote:
> > 
> > > One thing I noted while browsing through my subversion profile is that the passwords for my subversion access are stored in a file in plaintext! This is something that I find disturbing. How much trouble would it be to encrypt them and then have the server accept an encrypted version of the password? It would be really cool if companies could install their pgp key on their subversion server in order to do the encryption.
> > 
> > I have a job opportunity for you:
> 
> If you accept that offer, please take a look at that thread:
> 
>  Subject: [PATCH] default to --no-auth-cache
>  Date: Tue, 14 Jan 2003 22:23:16 +0100
>  Message-ID: <3E...@xbc.nu>
>  http://subversion.tigris.org/servlets/ReadMsg?list=dev&msgNo=29065

so, someone already did the work? Good.
Our guys did not find the svn-agent in the 1.0.x documentation.
I don't see it in the 1.1.x filelist.

I hope you understand how ssh-agent works.

-- 
USB is for mice, FireWire is for men!

sUse lINUX ag, nÜRNBERG


Re: SVN Password stored in Plaintext!!!!

Posted by Jani Averbach <ja...@jaa.iki.fi>.
On 2004-09-23 19:07+0200, Olaf Hering wrote:
>  On Thu, Sep 23, kraythe@arcor.de wrote:
> 
> > One thing I noted while browsing through my subversion profile is that the passwords for my subversion access are stored in a file in plaintext! This is something that I find disturbing. How much trouble would it be to encrypt them and then have the server accept an encrypted version of the password? It would be really cool if companies could install their pgp key on their subversion server in order to do the encryption.
> 
> I have a job opportunity for you:

If you accept that offer, please take a look at that thread:

 Subject: [PATCH] default to --no-auth-cache
 Date: Tue, 14 Jan 2003 22:23:16 +0100
 Message-ID: <3E...@xbc.nu>
 http://subversion.tigris.org/servlets/ReadMsg?list=dev&msgNo=29065

BR, Jani

-- 
Jani Averbach



Re: SVN Password stored in Plaintext!!!!

Posted by Olaf Hering <ol...@suse.de>.
 On Thu, Sep 23, kraythe@arcor.de wrote:

> One thing I noted while browsing through my subversion profile is that the passwords for my subversion access are stored in a file in plaintext! This is something that I find disturbing. How much trouble would it be to encrypt them and then have the server accept an encrypted version of the password? It would be really cool if companies could install their pgp key on their subversion server in order to do the encryption.

I have a job opportunity for you:

look at what ssh-agent and ssh-add do, implement something like that as
svn-agent and svn-add, teach svn something like

[auth]
store-password = agent

and your problem is gone.
I'm sure the svn community will accept patches.

-- 
USB is for mice, FireWire is for men!

sUse lINUX ag, nÜRNBERG


Re: SVN Password stored in Plaintext!!!!

Posted by Max Bowsher <ma...@ukf.net>.
kraythe@arcor.de wrote:
> One thing I noted while browsing through my subversion profile is that the
> passwords for my subversion access are stored in a file in plaintext! This 
> is
> something that I find disturbing. How much trouble would it be to encrypt
> them and then have the server accept an encrypted version of the password?

If the server accepts the encrypted version of the password, then what is 
the point in encrypting it in the first place?

> It
> would be really cool if companies could install their pgp key on their
> subversion server in order to do the encryption.

How would that work?

Max.

