Re: Subversion 1.14.2 on Linux how to enable plaintext password store?

2023-12-02 Thread Daniel Sahlberg 
lör 2 dec. 2023 kl. 12:02 skrev Bo Berglund :

> On Fri, 01 Dec 2023 11:21:32 +0100, Bo Berglund 
> wrote:
>
> >OK, I will have to test it again.
> >
> >But I have so many RPi units and some have this problem whereas others
> don't so
> >I have to somehow figure out how to test it on all to look for
> commonality/diff
> >between those that pop the GUI dialog and those that don't.
> >
> >On one where the svn commands work without popping up anything I have
> this:
> >
> >Inside ~/.subversion/auth are these dir/files:
> >
> >svn.simple/03994a04eb338a432667e51f0e0720bf
> >svn.ssl.server/52e60f46d8c02303aea5256b18eb7aac
> >
> >The other dirs are empty.
>
> >So maybe these two together is the store for text based access logins?


svn.simple is used to store the username. In case of plaintext password
cache the password is also there. Some password stores might store the
encrypted password here as well (for example on Windows the password is
encrypted using Windows apis).


>
> UPDATE:
> ---
> Now I have tried to check out a package from our SVN server into a freshly
> built
> Raspberry Pi4B running 32 bit PiOS (bookworm).
>
> Before I did this I had compared the config between an older installation
> using
> a several years old operating system and this new one and I saw that the
> old had
> this setting enabled:
>
> [auth]
> password-stores = gnome-keyring
>
> So I added this to the svn installation config on the new RPi4B
>
> Then on the SSH login I tried to check out the package I wanted and this
> happened:
>
> It asked for the password for "bosse"
>
> But I had not told it what user to use on svn so it seems like it forces
> one to
> use the local system username rather than the subversion server username!


No, it doesn’t force the same username. It DEFAULTs to the current username
for convenience, if you happen to have the same in both. If you have
another username in Subversion, just press enter and it will ask for the
username as well.

In this case they happened to be the same since the new RPi systems no
> longer
> uses pi as the user but some username configured on installing the
> operating
> system.
>
> But after I typed in my password it just hung as before...
>
> So then I opened a VNC session to the GUI and sure enough there was a
> dialog box
> popped up on that window!!!


I think you should bring this up with the PiOS project. It seems crazy that
a ssh session is able to open a GUI application on the local console that
you can only access via VNC.


>
> Here it asked me the following:
> ---
> Choose password for new keyring
> An application wants to create a new keyring called "Default".
> Choose the password you want to usefor it.
> Password: *
> Confirm:  *
>[Cancel]  [Continue]
> ---
>
> So I entered the password twice and hit Continue.
>
> Now in the SSH window the checkout proceeded as it should have in the first
> place...
>
> Finally:
> 
> After this was done I now created a new SSH session and inside that I went
> to a
> different target directory and issued the same svn command for a checkout
> and
> this time I was not asked for a password and the GUI screen did not pop up
> a
> dialog.
>
> So it seems like svn can be used on the command line provided one first
> does
> this:
>
> - Install subversion via apt
> - Run a bare svn command to create ~/.subversion/config
> - Edit the config file and enable this:
>   [auth]
>   password-stores = gnome-keyring


I would NOT configure gnome-keyring as a password store, since it creates
all the gui problems you have. Probably better leave it empty.


> - Go somewhere like ~/projects
> - Issue a svn co command for a package on the server
> - Enter the requested password
> - Access the GUI screen where the dialog shown above is now displayed
> - Enter the requested password twice
>
> Now the svn checkout proceeds and apparently any following checkout will
> not
> trigger the GUI dialog.
> But I have not tested a svn ci command yet


Sure that it will work, but only as long as the keyring is unlocked. Don’t
know how long it stayes unlocked on PiOS.


>
> Or another package of our svn server..
>
>
> --
> Bo Berglund
> Developer in Sweden
>
>

Re: Subversion 1.14.2 on Linux how to enable plaintext password store?

2023-12-02 Thread Bo Berglund 
On Fri, 01 Dec 2023 11:21:32 +0100, Bo Berglund  wrote:

>OK, I will have to test it again.
>
>But I have so many RPi units and some have this problem whereas others don't so
>I have to somehow figure out how to test it on all to look for commonality/diff
>between those that pop the GUI dialog and those that don't.
>
>On one where the svn commands work without popping up anything I have this:
>
>Inside ~/.subversion/auth are these dir/files:
>
>svn.simple/03994a04eb338a432667e51f0e0720bf
>svn.ssl.server/52e60f46d8c02303aea5256b18eb7aac
>
>The other dirs are empty.

>So maybe these two together is the store for text based access logins?

UPDATE:
---
Now I have tried to check out a package from our SVN server into a freshly built
Raspberry Pi4B running 32 bit PiOS (bookworm).

Before I did this I had compared the config between an older installation using
a several years old operating system and this new one and I saw that the old had
this setting enabled:

[auth]
password-stores = gnome-keyring

So I added this to the svn installation config on the new RPi4B

Then on the SSH login I tried to check out the package I wanted and this
happened:

It asked for the password for "bosse"

But I had not told it what user to use on svn so it seems like it forces one to
use the local system username rather than the subversion server username!

In this case they happened to be the same since the new RPi systems no longer
uses pi as the user but some username configured on installing the operating
system.

But after I typed in my password it just hung as before...

So then I opened a VNC session to the GUI and sure enough there was a dialog box
popped up on that window!!!

Here it asked me the following:
---
Choose password for new keyring
An application wants to create a new keyring called "Default".
Choose the password you want to usefor it.
Password: *
Confirm:  *
   [Cancel]  [Continue]
---

So I entered the password twice and hit Continue.

Now in the SSH window the checkout proceeded as it should have in the first
place...

Finally:

After this was done I now created a new SSH session and inside that I went to a
different target directory and issued the same svn command for a checkout and
this time I was not asked for a password and the GUI screen did not pop up a
dialog.

So it seems like svn can be used on the command line provided one first does
this:

- Install subversion via apt
- Run a bare svn command to create ~/.subversion/config
- Edit the config file and enable this:
  [auth]
  password-stores = gnome-keyring
- Go somewhere like ~/projects
- Issue a svn co command for a package on the server
- Enter the requested password
- Access the GUI screen where the dialog shown above is now displayed
- Enter the requested password twice

Now the svn checkout proceeds and apparently any following checkout will not
trigger the GUI dialog.
But I have not tested a svn ci command yet

Or another package of our svn server..


-- 
Bo Berglund
Developer in Sweden

Re: Subversion 1.14.2 on Linux how to enable plaintext password store?

2023-12-01 Thread Mark Phippard 
On Fri, Dec 1, 2023 at 4:27 PM Daniel Sahlberg
 wrote:
>
> fre 1 dec. 2023 kl. 22:15 skrev Mark Phippard :
>>
>> Correct me if I am wrong Nathan, but there is no option that allows
>> plaintext passwords on Linux.
>> https://subversion.apache.org/docs/release-notes/1.14.html#plaintext-passwords-disabled
>
>
> In the original post there was a quote from svn —version showing that 
> plaintext cache was one of the available stores. I guess svn was built with 
> the
> --enable-plaintext-password-storage option. Then plaintext password cache 
> would be enabled, unless disabled in the config files, right?

I would think so, yes. I was not aware of anyone that packaged SVN
with this compiled in. I seem to recall it was not easy to do so.
Sorry for the noise.

Mark

Re: Subversion 1.14.2 on Linux how to enable plaintext password store?

2023-12-01 Thread Daniel Sahlberg 
fre 1 dec. 2023 kl. 22:15 skrev Mark Phippard :

> Correct me if I am wrong Nathan, but there is no option that allows
> plaintext passwords on Linux.
>
> https://subversion.apache.org/docs/release-notes/1.14.html#plaintext-passwords-disabled


In the original post there was a quote from svn —version showing that
plaintext cache was one of the available stores. I guess svn was built with
the
--enable-plaintext-password-storage option. Then plaintext password cache
would be enabled, unless disabled in the config files, right?


> I thought that was a change in trunk to put that back as an option for
> 1.15?  https://svn.apache.org/repos/asf/subversion/trunk/CHANGES


Wasn’t this change just to revert to the old default to enable plaintext
cache unless disabled by configure?

Kind regards
Daniel



>
>
> Mark
>
>
>
> On Fri, Dec 1, 2023 at 12:55 AM Nathan Hartman 
> wrote:
> >
> > On Thu, Nov 30, 2023 at 6:43 PM Bo Berglund 
> wrote:
> > >
> > > When I installed subversion on a Raspberry Pi4B and checked the
> installed
> > > version afterwards it printed this:
> > >
> > > $ svn --version
> > > svn, version 1.14.2 (r1899510)
> > >compiled Nov 12 2022, 20:30:30 on arm-unknown-linux-gnueabihf
> > >
> > > Copyright (C) 2022 The Apache Software Foundation.
> > > This software consists of contributions made by many people;
> > > see the NOTICE file for more information.
> > > Subversion is open source software, see http://subversion.apache.org/
> > >
> > > < cut >
> > >
> > > The following authentication credential caches are available:
> > >
> > > * Plaintext cache in /home/bosse/.subversion
> > > * Gnome Keyring
> > > * GPG-Agent
> > > * KWallet (KDE)
> > >
> > > I have had a lot of problems with password caching for a number of
> years since I
> > > am working on these devices mainly on the command line via ssh and
> when I issue
> > > a svn command against a server on our LAN what happens is that svn
> pops up a
> > > password entry dialog on the (invisible) **GUI screen**!
> > > And the operation started on the command line fails...
> > >
> > > It was not always so but some svn update changed the way svn
> operates
> > >
> > > Now I see the banner above where it looks like it is again available:
> > >
> > > * Plaintext cache in /home/bosse/.subversion
> > >
> > > The problem is that in the config file there is no example of the
> syntax for
> > > enabling this
> > >
> > > So my question here is:
> > > How do I enable the plaintext cache in svn client version 1.14.2 on a
> Raspberry
> > > Pi4B running Pi-OS?
> > >
> > >
> > > --
> > > Bo Berglund
> > > Developer in Sweden
> >
> >
> > In the user's home directory, there should be a subdirectory called
> > .subversion which contains a file called config. In that file, there
> > is a section called [auth] which contains a setting called
> > "password-stores". It might be commented, or it might say something
> > like "password-stores = gpg-agent,gnome-keyring,kwallet". This setting
> > determines the order in which the different password stores
> > (credential caches) are used. You could set this to "password-stores =
> > plaintext". Make sure you don't have "store-passwords = no" or
> > "store-plaintext-passwords = no". I think this will solve the issue --
> > though note that if the password has not been saved to the plaintext
> > cache yet, the SVN client should prompt for it once, and then prompt
> > whether you accept the risk to save it in the plaintext cache. This
> > should take place on the command line, so I think you won't have the
> > issue with the inaccessible GUI dialog box on the remote machine. Once
> > saved, it shouldn't prompt for it anymore.
> >
> > Note: In addition to the user's ~/.subversion/config file I mentioned
> > above, there is also a systemwide /etc/subversion/config. If changes
> > in the user-level file don't appear to work, check the systemwide one
> > as well.
> >
> > Hope this helps,
> > Nathan
>

Re: Subversion 1.14.2 on Linux how to enable plaintext password store?

2023-12-01 Thread Mark Phippard 
Correct me if I am wrong Nathan, but there is no option that allows
plaintext passwords on Linux.
https://subversion.apache.org/docs/release-notes/1.14.html#plaintext-passwords-disabled

I thought that was a change in trunk to put that back as an option for
1.15?  https://svn.apache.org/repos/asf/subversion/trunk/CHANGES


Mark



On Fri, Dec 1, 2023 at 12:55 AM Nathan Hartman  wrote:
>
> On Thu, Nov 30, 2023 at 6:43 PM Bo Berglund  wrote:
> >
> > When I installed subversion on a Raspberry Pi4B and checked the installed
> > version afterwards it printed this:
> >
> > $ svn --version
> > svn, version 1.14.2 (r1899510)
> >compiled Nov 12 2022, 20:30:30 on arm-unknown-linux-gnueabihf
> >
> > Copyright (C) 2022 The Apache Software Foundation.
> > This software consists of contributions made by many people;
> > see the NOTICE file for more information.
> > Subversion is open source software, see http://subversion.apache.org/
> >
> > < cut >
> >
> > The following authentication credential caches are available:
> >
> > * Plaintext cache in /home/bosse/.subversion
> > * Gnome Keyring
> > * GPG-Agent
> > * KWallet (KDE)
> >
> > I have had a lot of problems with password caching for a number of years 
> > since I
> > am working on these devices mainly on the command line via ssh and when I 
> > issue
> > a svn command against a server on our LAN what happens is that svn pops up a
> > password entry dialog on the (invisible) **GUI screen**!
> > And the operation started on the command line fails...
> >
> > It was not always so but some svn update changed the way svn operates
> >
> > Now I see the banner above where it looks like it is again available:
> >
> > * Plaintext cache in /home/bosse/.subversion
> >
> > The problem is that in the config file there is no example of the syntax for
> > enabling this
> >
> > So my question here is:
> > How do I enable the plaintext cache in svn client version 1.14.2 on a 
> > Raspberry
> > Pi4B running Pi-OS?
> >
> >
> > --
> > Bo Berglund
> > Developer in Sweden
>
>
> In the user's home directory, there should be a subdirectory called
> .subversion which contains a file called config. In that file, there
> is a section called [auth] which contains a setting called
> "password-stores". It might be commented, or it might say something
> like "password-stores = gpg-agent,gnome-keyring,kwallet". This setting
> determines the order in which the different password stores
> (credential caches) are used. You could set this to "password-stores =
> plaintext". Make sure you don't have "store-passwords = no" or
> "store-plaintext-passwords = no". I think this will solve the issue --
> though note that if the password has not been saved to the plaintext
> cache yet, the SVN client should prompt for it once, and then prompt
> whether you accept the risk to save it in the plaintext cache. This
> should take place on the command line, so I think you won't have the
> issue with the inaccessible GUI dialog box on the remote machine. Once
> saved, it shouldn't prompt for it anymore.
>
> Note: In addition to the user's ~/.subversion/config file I mentioned
> above, there is also a systemwide /etc/subversion/config. If changes
> in the user-level file don't appear to work, check the systemwide one
> as well.
>
> Hope this helps,
> Nathan

Re: Subversion 1.14.2 on Linux how to enable plaintext password store?

2023-12-01 Thread Bo Berglund 
On Fri, 1 Dec 2023 09:25:55 +0100, Daniel Sahlberg 
wrote:

>Den fre 1 dec. 2023 kl 08:35 skrev Bo Berglund :
>
>> As it has been for some time now when I enter a command window svn command
>> that
>> requires authentication it pops up a dialog on the GUI window which is
>> invisible
>> to me at that point.
>> It took a while before I understood what was going on, at first I thought
>> svn
>> had crashed or similar. It just hung there on the command window. :(
>>
>
>What does echo $DISPLAY return? I think it is awfully strange that an SSH
>session on the PiOS would start a graphical program, but if DISPLAY is set,
>maybe you can unset it and at least the GUI part would be solved?

echo $DISPLAY returns nothing at all

>
>> So on this new system I want to avoid this from happening and was
>> encouraged by
>> the output shown when I checked the svn version.
>>
>> I have no idea if any of the allowed stores mentioned (gnome-keyring,
>> kwallet,
>> gpg-agent) will work inside an SSH command line section...
>>
>
>I don't think any of those stores works on the command line. No idea what
>Subversion will do but I assume it will fall back to inputting the password
>on the command line.

OK, I will have to test it again.

But I have so many RPi units and some have this problem whereas others don't so
I have to somehow figure out how to test it on all to look for commonality/diff
between those that pop the GUI dialog and those that don't.

On one where the svn commands work without popping up anything I have this:

Inside ~/.subversion/auth are these dir/files:

svn.simple/03994a04eb338a432667e51f0e0720bf
svn.ssl.server/52e60f46d8c02303aea5256b18eb7aac

The other dirs are empty.

And the svn.simple/03994a04eb338a432667e51f0e0720bf file contains a reference to
gnome-keyring, could that be a non-GUI way of saving the login on a command line
operation?

Here it is:

cat auth/svn.simple/03994a04eb338a432667e51f0e0720bf
K 8
passtype
V 13
gnome-keyring
K 15
svn:realmstring
V 45
 VisualSVN Server
K 8
username
V 5
bosse
END

The auth/svn.ssl.server/52e60f46d8c02303aea5256b18eb7aac file contains a block
of data looking like a cert of some kind (encrypted password maybe).
It also references the server connection, but not the username.

So maybe these two together is the store for text based access logins?



-- 
Bo Berglund
Developer in Sweden

Re: Subversion 1.14.2 on Linux how to enable plaintext password store?

2023-12-01 Thread Daniel Sahlberg 
Den fre 1 dec. 2023 kl 08:35 skrev Bo Berglund :

> As it has been for some time now when I enter a command window svn command
> that
> requires authentication it pops up a dialog on the GUI window which is
> invisible
> to me at that point.
> It took a while before I understood what was going on, at first I thought
> svn
> had crashed or similar. It just hung there on the command window. :(
>

What does echo $DISPLAY return? I think it is awfully strange that an SSH
session on the PiOS would start a graphical program, but if DISPLAY is set,
maybe you can unset it and at least the GUI part would be solved?


> So on this new system I want to avoid this from happening and was
> encouraged by
> the output shown when I checked the svn version.
>
> I have no idea if any of the allowed stores mentioned (gnome-keyring,
> kwallet,
> gpg-agent) will work inside an SSH command line section...
>

I don't think any of those stores works on the command line. No idea what
Subversion will do but I assume it will fall back to inputting the password
on the command line.

Kind regards,
Daniel

Re: Subversion 1.14.2 on Linux how to enable plaintext password store?

2023-11-30 Thread Bo Berglund 
On Fri, 1 Dec 2023 00:55:30 -0500, Nathan Hartman 
wrote:

>On Thu, Nov 30, 2023 at 6:43?PM Bo Berglund  wrote:
>>
>> When I installed subversion on a Raspberry Pi4B and checked the installed
>> version afterwards it printed this:
>>
>> $ svn --version
>> svn, version 1.14.2 (r1899510)
>>compiled Nov 12 2022, 20:30:30 on arm-unknown-linux-gnueabihf
>>
>> Copyright (C) 2022 The Apache Software Foundation.
>> This software consists of contributions made by many people;
>> see the NOTICE file for more information.
>> Subversion is open source software, see http://subversion.apache.org/
>>
>> < cut >
>>
>> The following authentication credential caches are available:
>>
>> * Plaintext cache in /home/bosse/.subversion
>> * Gnome Keyring
>> * GPG-Agent
>> * KWallet (KDE)
>>
>> I have had a lot of problems with password caching for a number of years 
>> since I
>> am working on these devices mainly on the command line via ssh and when I 
>> issue
>> a svn command against a server on our LAN what happens is that svn pops up a
>> password entry dialog on the (invisible) **GUI screen**!
>> And the operation started on the command line fails...
>>
>> It was not always so but some svn update changed the way svn operates
>>
>> Now I see the banner above where it looks like it is again available:
>>
>> * Plaintext cache in /home/bosse/.subversion
>>
>> The problem is that in the config file there is no example of the syntax for
>> enabling this
>>
>> So my question here is:
>> How do I enable the plaintext cache in svn client version 1.14.2 on a 
>> Raspberry
>> Pi4B running Pi-OS?
>>
>>
>> --
>> Bo Berglund
>> Developer in Sweden
>
>
>In the user's home directory, there should be a subdirectory called
>.subversion which contains a file called config. In that file, there
>is a section called [auth] which contains a setting called
>"password-stores". It might be commented, or it might say something
>like "password-stores = gpg-agent,gnome-keyring,kwallet". This setting
>determines the order in which the different password stores
>(credential caches) are used. You could set this to "password-stores =
>plaintext". Make sure you don't have "store-passwords = no" or
>"store-plaintext-passwords = no". I think this will solve the issue --
>though note that if the password has not been saved to the plaintext
>cache yet, the SVN client should prompt for it once, and then prompt
>whether you accept the risk to save it in the plaintext cache. This
>should take place on the command line, so I think you won't have the
>issue with the inaccessible GUI dialog box on the remote machine. Once
>saved, it shouldn't prompt for it anymore.
>
>Note: In addition to the user's ~/.subversion/config file I mentioned
>above, there is also a systemwide /etc/subversion/config. If changes
>in the user-level file don't appear to work, check the systemwide one
>as well.
>
>Hope this helps,
>Nathan

This is the auth content of the user's config file (which is what I referred to
in my post):

### Section for authentication and authorization customizations.
[auth]
### Set password stores used by Subversion. They should be
### delimited by spaces or commas. The order of values determines
### the order in which password stores are used.
### Valid password stores:
###   gnome-keyring(Unix-like systems)
###   kwallet  (Unix-like systems)
###   gpg-agent(Unix-like systems)
###   keychain (Mac OS X)
###   windows-cryptoapi(Windows)
# password-stores = gpg-agent,gnome-keyring,kwallet
### To disable all password stores, use an empty list:
# password-stores =
###

... info stuff about Kwallet,PID, ssl ...

### The rest of the [auth] section in this file has been deprecated.
### Both 'store-passwords' and 'store-auth-creds' can now be
### specified in the 'servers' file in your config directory
### and are documented there. Anything specified in this section
### is overridden by settings specified in the 'servers' file.
# store-passwords = no
# store-auth-creds = no

So this is what I meant by missing plaintext...

And the system wide /etc/subversion/config is exactly the same as the user's
config file, diff returns nothing.

So the question remains if adding a setting like this will work:
password-stores =plaintext

given the text in the config file...

I have also looked in the servers file and am none the wiser...

What I really want is NOT to have my svn password stored in *unencrypted
plaintext*, just that it is stored on disk in a way that can be used by
subversion on the next connection so I don't have to type it in for every single
svn command! And it must work on the SSH command line!!!

I am fine with svn encrypting the password using whetever mechanism it wants so
long as the password handling DOES NOT require some action outside of the
command window where the svn command is entered. Popping up a GUI action windows
is totally counter-productive since it is invisible.

As it has been for some

Re: Subversion 1.14.2 on Linux how to enable plaintext password store?

2023-11-30 Thread Nathan Hartman 
On Thu, Nov 30, 2023 at 6:43 PM Bo Berglund  wrote:
>
> When I installed subversion on a Raspberry Pi4B and checked the installed
> version afterwards it printed this:
>
> $ svn --version
> svn, version 1.14.2 (r1899510)
>compiled Nov 12 2022, 20:30:30 on arm-unknown-linux-gnueabihf
>
> Copyright (C) 2022 The Apache Software Foundation.
> This software consists of contributions made by many people;
> see the NOTICE file for more information.
> Subversion is open source software, see http://subversion.apache.org/
>
> < cut >
>
> The following authentication credential caches are available:
>
> * Plaintext cache in /home/bosse/.subversion
> * Gnome Keyring
> * GPG-Agent
> * KWallet (KDE)
>
> I have had a lot of problems with password caching for a number of years 
> since I
> am working on these devices mainly on the command line via ssh and when I 
> issue
> a svn command against a server on our LAN what happens is that svn pops up a
> password entry dialog on the (invisible) **GUI screen**!
> And the operation started on the command line fails...
>
> It was not always so but some svn update changed the way svn operates
>
> Now I see the banner above where it looks like it is again available:
>
> * Plaintext cache in /home/bosse/.subversion
>
> The problem is that in the config file there is no example of the syntax for
> enabling this
>
> So my question here is:
> How do I enable the plaintext cache in svn client version 1.14.2 on a 
> Raspberry
> Pi4B running Pi-OS?
>
>
> --
> Bo Berglund
> Developer in Sweden


In the user's home directory, there should be a subdirectory called
.subversion which contains a file called config. In that file, there
is a section called [auth] which contains a setting called
"password-stores". It might be commented, or it might say something
like "password-stores = gpg-agent,gnome-keyring,kwallet". This setting
determines the order in which the different password stores
(credential caches) are used. You could set this to "password-stores =
plaintext". Make sure you don't have "store-passwords = no" or
"store-plaintext-passwords = no". I think this will solve the issue --
though note that if the password has not been saved to the plaintext
cache yet, the SVN client should prompt for it once, and then prompt
whether you accept the risk to save it in the plaintext cache. This
should take place on the command line, so I think you won't have the
issue with the inaccessible GUI dialog box on the remote machine. Once
saved, it shouldn't prompt for it anymore.

Note: In addition to the user's ~/.subversion/config file I mentioned
above, there is also a systemwide /etc/subversion/config. If changes
in the user-level file don't appear to work, check the systemwide one
as well.

Hope this helps,
Nathan