SVN encrypted password store

unix svn passwords encryption

I installed SVN on a Ubuntu machine and I can't get my head around something.

Whenever I checkout something from the terminal I get this error about saving a non-encrypted password:

-----------------------------------------------------------------------
ATTENTION!  Your password for authentication realm:

   <[...]> Subversion Repository

can only be stored to disk
unencrypted!  You are advised to
configure your system so that
Subversion can store passwords
encrypted, if possible.  See the
documentation for details.

You can avoid future appearances of
this warning by setting the value of
the 'store-plaintext-passwords' option
to either 'yes' or 'no' in
'/home/[...]/.subversion/servers'.
-----------------------------------------------------------------------

I goggled it a bit but I couldn't find anything useful. I found one topic where it said this was a client issue, not a server one, but I'm still not convinced.

It says "configure your system"; what exactly does it mean by that? The server or the client? If I'm the server, is there anything I can do about it? besides hiding the warning (like it says)...

Thanks!


Solution 1:

It is a client issue. It warns you that the credentials used for the different servers are being stored in plain text. You can hide that warning or use an encrypted storage to cache the passwords.

See: http://blogs.collab.net/subversion/2009/07/subversion-16-security-improvements

Solution 2:

By encrypting the password, you will not be able to achieve non-repudiation (other users could use your hash as you) due to OS file permissions. However, most companies have subversion setup using their domain password or some form of SSO password. By encrypting the password, you would at least mask someone from accessing a users other accounts.

I would still be concerned about the encryption strength. If the subversion password is linked to other important accounts, someone might test the encryption strength to crack the password out.

The best bet is to setup the subversion client to turn off stored passwords and force lazy Dev's to authenticate each time.

Solution 3:

I store the credentials on an encrypted disk. (Although, while encfs is mounted the credentials are still plain-text to my account)

$ ls -nl ~/.subversion/
total 20K
-rw-r--r-- 1 1000 1000 4.2K 2009-07-10 13:00 README.txt
lrwxrwxrwx 1 1000 1000   31 2009-10-14 14:31 auth -> ~/crypt/subversion/auth/
-rw-r--r-- 1 1000 1000 5.7K 2009-07-10 13:00 config
-rw-r--r-- 1 1000 1000 3.6K 2009-07-10 13:00 servers

Using git-svn means that I need the credentials much less often, so it may not be too onerous to not save them at all.

Related

API Keys vs HTTP Authentication vs OAuth in a RESTful API
Git production/staging server workflow
SVG changes color when rotated in Safari 10
How to set a Header field on POST a form?
How do I update Homebrew?
How to log to a file without using third party logger in .Net Core?
How exactly does the Spring BeanPostProcessor work?
file_put_contents - failed to open stream: Permission denied
What is `require.context`?
@Basic(optional = false) vs @Column(nullable = false) in JPA
I want to disable beep sound in Terminal - Mac OSX [closed]
When you use 'badidea' or 'thisisunsafe' to bypass a Chrome certificate/HSTS error, does it only apply for the current site? [closed]