Phillip J. Eby wrote:
>> So it seems like the svn server stores passwords in a clear text file
>> unless you are using svn+ssh or https with client certs. NOT nice.
>
> That's not what Mike or Ramswamy said; they said that svn *clients* store
> passwords in a clear text file. Nobody said anything about how the
> server stores them.

Right, but discussing one-on-one with bear my understanding was that the server also stores passwords in the clear.

>> Finally, information about clients that cache client passwords but don't
>> store the passwords in the clear would be nice to have.
>
> However, if you were using a certificate, the exact same failure point
> exists, so there's no real security improvement to be had here.

Plain No. Or actually, unlikely. When using client certificates (really, mutually authenticated SSL), you typically have a password for your private key. And typically software that deals mainly with security will be very careful with how it uses passwords. So, the password to unlock the private key will not be stored in clear text, and can be handled securely.

> SVN over SSL should more than suffice, as long as you exercise
> reasonable precautions with respect to your password. However, because
> your client can cache the password, you can use a longer and
> harder-to-remember password than you otherwise might.

What Grant and I have been looking for on the client-side is an approach that caches your password in memory only, like with ssh-agent. That way you only need to type in a password as often as you need to start ssh-agent, or the maximum identity lifetime is exceeded (if you started ssh-agent with the -t option). Cleartext password files are reasonable for some, but not for others.

--
Heikki Toivonen
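As an added illustration that is not part of the thread, here are the Subversion client settings that control the on-disk caching discussed above, with the permissive default shown commented out beside the hardened value. This assumes a Subversion client of 1.6 or later (where the store-plaintext-passwords and password-stores options exist) and the default per-user config location on Unix.

```ini
# ~/.subversion/config  (client-side; assumption: Subversion 1.6+)
[auth]
# Prefer an OS keyring so cached credentials are encrypted at rest
# rather than written in the clear under ~/.subversion/auth/.
password-stores = gnome-keyring, kwallet

# ~/.subversion/servers  (client-side; same assumption)
[global]
# Default behaviour: cache credentials on disk, and (after an interactive
# prompt) allow them to be written as plain text.
# store-passwords = yes
# store-plaintext-passwords = ask

# Hardened: never persist the password, or the client-certificate
# passphrase, in a plain-text file. With store-passwords = no the client
# prompts per session, which is where an in-memory agent (or svn+ssh with
# ssh-agent, as described above) becomes the preferred alternative.
store-passwords = no
store-plaintext-passwords = no
store-ssl-client-cert-pp-plaintext = no
```

Anything already cached can be inspected and removed with `svn auth` (1.9+) or by deleting the relevant files under `~/.subversion/auth/`.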
Open Source Applications Foundation "Dev" mailing list
http://lists.osafoundation.org/mailman/listinfo/dev
