What's the best way to store an encrypted svn password on Ubuntu Server?

svn passwords ubuntu-server encryption

Solution 1:

  1. You can run Gnome-keyring or Kwallet on the remote machine. Each comes in two components, a daemon and a GUI.

    • You can run the GUI application on the remote machine if you run ssh with X forwarding. Just because it's a “server” machine doesn't mean you can't install GUI applications on it. It doesn't matter whether you're running the corresponding desktop environment or not, applications don't need a specific desktop environment to run.

    • You can control Kwallet on the command line through qdbus, though it's not a good idea in this specific case because you'd have to write your password in cleartext on a command line, and this can be snooped by other users. See also this SU answer.

    • There's a python binding for both Gnome-keyring and Kwallet (packages python-keyring-gnome and python-keyring-kwallet); you could write a tiny python script to control them. In fact there's already one for Gnome-keyring: gkeyring.

    • If your keyring password is the same as your login password, you can install the libpam-keyring and your keyring will be automatically unlocked when you log in. However this requires logging in with a password rather than a key pair.

  2. If you're running Gnome-keyring or Kwallet locally, you can forward them through ssh, with a bit of work. They use Unix sockets, which ssh can't forward. But you can use socat relay the Unix sockets to TCP sockets locally and the other way round on the remote machine:

    while true; do socat TCP-LISTEN:22007 UNIX-CONNECT:"$GNOME_KEYRING_SOCKET"; done &
ssh -R22007:localhost:22007 remote.example.com
export GNOME_KEYRING_SOCKET="$HOME/.gnome-keyring-socket"
while true; do socat UNIX-LISTEN:"$GNOME_KEYRING_SOCKET" TCP4:localhost:22007; done &

    This can be automated with small shell scripts on each side and a RemoteForward line in ~/.ssh/config. In theory, you should then be able to access the gnome keyring from the remote machine. However, I tried to access it with seahorse, and it didn't even try to connect to $GNOME_KEYRING_SOCKET; I don't know why, and I don't know if svn would be able to access the keyring.

  3. You can store your svn password on an encrypted filesystem. There are several options; I think the simplest way to get going is encfs. Initial setup:

    sudo aptitude install encfs
encfs ~/.passwords.encrypted ~/.passwords
mv ~/.subversion/auth ~/.passwords/svn-auth
ln -s ../.passwords/svn-auth ~/.subversion/auth

    Normal workflow:

    encfs ~/.passwords.encrypted ~/.passwords
... work ...
fusermount -u ~/.passwords

    This method has my preference for several reasons:

    • Both the initial setup and the normal workflow are very simple.
    • It doesn't matter where you log in from, in particular you don't need have a local X server and use X forwarding over ssh.
    • An encrypted filesystem is more versatile than a keyring (though it's less convenient for keyring use, but in the svn case that doesn't matter).
    • The only non-ubiquitous tool you need is encfs (which requires FUSE), and it is packaged for Ubuntu.

Related

Storing GnuPG folder in Dropbox
Option-key with VNC Viewer to remote control a Mac from a Windows 7 PC
How do different Linux distributions handle multiple cores and multi-threading?
Why doesn't MS Project change project end date if tasks are finished ahead of schedule?
Batch File Printing
Using GraphicsMagick or ImageMagick, how do I replace transparency with a fill colour?
Getting back to "stdin" after redirecting a file to a particular program
Let less work like cat, if only one screen full of text
File not found error with mysqlimport
How to convert audio file of fax transmission to image in Linux?
Compiling the Linux kernel
How do I setup a VPN connection on Ubuntu with a shared secret and group name if any?