What's the best way to store an encrypted svn password on Ubuntu Server?

Solution 1:

  1. You can run Gnome-keyring or Kwallet on the remote machine. Each comes in two components, a daemon and a GUI.

    • You can run the GUI application on the remote machine if you run ssh with X forwarding. Just because it's a “server” machine doesn't mean you can't install GUI applications on it. It doesn't matter whether you're running the corresponding desktop environment or not, applications don't need a specific desktop environment to run.

    • You can control Kwallet on the command line through qdbus, though it's not a good idea in this specific case because you'd have to write your password in cleartext on a command line, and this can be snooped by other users. See also this SU answer.

    • There's a python binding for both Gnome-keyring and Kwallet (packages python-keyring-gnome and python-keyring-kwallet); you could write a tiny python script to control them. In fact there's already one for Gnome-keyring: gkeyring.

    • If your keyring password is the same as your login password, you can install libpam-keyring and your keyring will be automatically unlocked when you log in. However, this requires logging in with a password rather than a key pair.

  2. If you're running Gnome-keyring or Kwallet locally, you can forward them through ssh, with a bit of work. They use Unix sockets, which ssh can't forward. But you can use socat to relay the Unix sockets to TCP sockets locally and the other way round on the remote machine:

    # On the local machine, where the keyring daemon is running:
    while true; do socat TCP-LISTEN:22007 UNIX-CONNECT:"$GNOME_KEYRING_SOCKET"; done &
    ssh -R22007:localhost:22007 remote.example.com
    # On the remote machine, inside the ssh session:
    export GNOME_KEYRING_SOCKET="$HOME/.gnome-keyring-socket"
    while true; do socat UNIX-LISTEN:"$GNOME_KEYRING_SOCKET" TCP4:localhost:22007; done &
    

    This can be automated with small shell scripts on each side and a RemoteForward line in ~/.ssh/config. In theory, you should then be able to access the gnome keyring from the remote machine. However, I tried to access it with seahorse, and it didn't even try to connect to $GNOME_KEYRING_SOCKET; I don't know why, and I don't know if svn would be able to access the keyring.

  3. You can store your svn password on an encrypted filesystem. There are several options; I think the simplest way to get going is encfs. Initial setup:

    sudo aptitude install encfs
    encfs ~/.passwords.encrypted ~/.passwords
    mv ~/.subversion/auth ~/.passwords/svn-auth
    ln -s ../.passwords/svn-auth ~/.subversion/auth
    

    Normal workflow:

    encfs ~/.passwords.encrypted ~/.passwords
    ... work ...
    fusermount -u ~/.passwords
    

    This method has my preference for several reasons:

    • Both the initial setup and the normal workflow are very simple.
    • It doesn't matter where you log in from; in particular, you don't need to have a local X server and use X forwarding over ssh.
    • An encrypted filesystem is more versatile than a keyring (though it's less convenient for keyring use, but in the svn case that doesn't matter).
    • The only non-ubiquitous tool you need is encfs (which requires FUSE), and it is packaged for Ubuntu.
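A small wrapper around the encfs workflow from option 3, added here as an example and not part of the original answer: it refuses to run if ~/.subversion/auth does not point into the mount, mounts the store if it is not already mounted, runs the given command, and unmounts afterwards. The point of the mount check is that with the store unmounted the symlink resolves to the plain ~/.passwords directory, and svn would then cache the password there in cleartext. The function names and the ENC_DIR/MNT_DIR/SVN_AUTH variables are my own assumptions.

```shell
#!/bin/sh
# Added example wrapper for the encfs workflow; names below are assumed, not from the answer.
ENC_DIR="${ENC_DIR:-$HOME/.passwords.encrypted}"   # encfs backing store (ciphertext)
MNT_DIR="${MNT_DIR:-$HOME/.passwords}"             # cleartext mount point
SVN_AUTH="${SVN_AUTH:-$HOME/.subversion/auth}"     # symlink into the mount

# Returns 0 if $1 is a symlink whose resolved target lies inside directory $2.
link_points_into() {
    link="$1"; dir="$2"
    [ -L "$link" ] || return 1
    target=$(readlink -f "$link") || return 1
    base=$(readlink -f "$dir") || return 1
    case "$target" in
        "$base"/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Returns 0 if $1 is listed as a mount point in $2 (defaults to /proc/mounts).
is_mounted() {
    mp=$(readlink -f "$1"); mounts="${2:-/proc/mounts}"
    awk -v mp="$mp" '$2 == mp { found = 1 } END { exit !found }' "$mounts"
}

# Mount if needed, run the given command (e.g. svn update), then unmount.
# Without the mount, svn would write its cached credentials into the
# unencrypted ~/.passwords directory on disk, which is what we must avoid.
run_with_passwords() {
    mounted_here=
    link_points_into "$SVN_AUTH" "$MNT_DIR" || {
        echo "refusing: $SVN_AUTH does not point into $MNT_DIR" >&2
        return 2
    }
    if ! is_mounted "$MNT_DIR"; then
        encfs "$ENC_DIR" "$MNT_DIR" || return 3   # prompts for the encfs passphrase
        mounted_here=1
    fi
    "$@"
    status=$?
    # Unmount only what we mounted; leave a session the user opened alone.
    if [ -n "$mounted_here" ]; then fusermount -u "$MNT_DIR"; fi
    return $status
}

# Usage: ./svn-enc.sh svn update
if [ $# -gt 0 ]; then run_with_passwords "$@"; fi
```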