SVN encrypted password store

I installed SVN on a Ubuntu machine and I can't get my head around something.

Whenever I checkout something from the terminal I get this error about saving a non-encrypted password:

-----------------------------------------------------------------------
ATTENTION!  Your password for authentication realm:

   <[...]> Subversion Repository

can only be stored to disk
unencrypted!  You are advised to
configure your system so that
Subversion can store passwords
encrypted, if possible.  See the
documentation for details.

You can avoid future appearances of
this warning by setting the value of
the 'store-plaintext-passwords' option
to either 'yes' or 'no' in
'/home/[...]/.subversion/servers'.
-----------------------------------------------------------------------

I goggled it a bit but I couldn't find anything useful. I found one topic where it said this was a client issue, not a server one, but I'm still not convinced.

It says "configure your system"; what exactly does it mean by that? The server or the client? If I'm the server, is there anything I can do about it? besides hiding the warning (like it says)...

Thanks!


Solution 1:

It is a client issue. It warns you that the credentials used for the different servers are being stored in plain text. You can hide that warning or use an encrypted storage to cache the passwords.

See: http://blogs.collab.net/subversion/2009/07/subversion-16-security-improvements

Solution 2:

By encrypting the password, you will not be able to achieve non-repudiation (other users could use your hash as you) due to OS file permissions. However, most companies have subversion setup using their domain password or some form of SSO password. By encrypting the password, you would at least mask someone from accessing a users other accounts.

I would still be concerned about the encryption strength. If the subversion password is linked to other important accounts, someone might test the encryption strength to crack the password out.

The best bet is to setup the subversion client to turn off stored passwords and force lazy Dev's to authenticate each time.

Solution 3:

I store the credentials on an encrypted disk. (Although, while encfs is mounted the credentials are still plain-text to my account)

$ ls -nl ~/.subversion/
total 20K
-rw-r--r-- 1 1000 1000 4.2K 2009-07-10 13:00 README.txt
lrwxrwxrwx 1 1000 1000   31 2009-10-14 14:31 auth -> ~/crypt/subversion/auth/
-rw-r--r-- 1 1000 1000 5.7K 2009-07-10 13:00 config
-rw-r--r-- 1 1000 1000 3.6K 2009-07-10 13:00 servers

Using git-svn means that I need the credentials much less often, so it may not be too onerous to not save them at all.