“passwd” file stores plain text passwords - how to protect it

2023-08-22 Thread Channakeshavala, Sriharsha via users
Hello,

Since the “passwd” file stores plain text passwords, it is vulnerable for the 
SVN users.
We have not compiled the subversion 1.14.2 with “cyrus SASL” library and hence 
cannot use SASL authentication mechanisms.

Could you please suggest any other alternative to secure the passwd file ?

Thanks & Regards,
Sriharsha


Re: “passwd” file stores plain text passwords - how to protect it

2023-08-22 Thread Daniel Sahlberg
On Tue 22 Aug 2023 at 13:00, Channakeshavala, Sriharsha via users <users@subversion.apache.org> wrote:

> Hello,
>
>
>
> Since the “passwd” file stores plain text passwords, it is vulnerable for
> the SVN users.
>
> We have not compiled the subversion 1.14.2 with “cyrus SASL” library and
> hence cannot use SASL authentication mechanisms.
>
>
>
> Could you please suggest any other alternative to secure the passwd file ?
>

The following FAQ article on the Subversion website should probably answer
your questions: https://subversion.apache.org/faq.html#plaintext-passwords

Please note that for Subversion 1.12 until 1.14 the default was to disable
the plaintext password cache. In Subversion 1.15 the plaintext password
cache will again be enabled by default.

Kind regards,
Daniel


Re: Subversion sasl authentication fails with openssl3.1

2023-08-22 Thread Daniel Sahlberg
On Sun 20 Aug 2023 at 17:14, Fischer, Michael <michael.fisc...@yale.edu> wrote:

> I have many repositories configured for sasl authentication.  The svn
> client for Mac osx, built using MacPorts, recently stopped working.  I
> first reported the problem to the MacPorts bug list but have been advised
> to report it to the subversion developers.  (See below.)
>
> Here's the error I get when trying to update a working directory.
>
> > svn update
> Updating '.':
> svn: E170013: Unable to connect to a repository at URL '
> svn://ohia.cs.yale.edu/cs414-2022f'
> svn: E170001: SASL authentication error: SASL(-1): generic failure:
> internal error: failed to init cipher 'rc4'
>
What is the version of Subversion on the above server? What version of
Sasl and OpenSSL?

>
> The problem seems to be that Sasl3.1 is not upwards compatible with
> sasl2.
>

Are you confusing Sasl with OpenSSL here? I believe Sasl is only on version
2.1 while OpenSSL recently released versions 3.0 and 3.1 (there never was
an OpenSSL 2.x).

> This causes the Macports build of svn to fail when attempting to log into a
> server configured to use_sasl.  A workaround is to rebuild the openssl3
> port with the command
>
> sudo port upgrade --enforce-variants openssl3 +legacy
>
I'm guessing, based on the "+legacy" argument, that the server you try to
connect to is using RC4 and since this is deprecated in OpenSSL 3 (see
https://www.openssl.org/docs/man3.0/man7/OSSL_PROVIDER-legacy.html) you are
unable to connect.

If this assumption is correct, then this is neither a bug in Subversion,
nor in Sasl or OpenSSL. Rather it is a case of mismatching configuration
and software versions between the server and the client. Updating the
server to support newer ciphers should probably resolve the situation.

> I reported this as MacPorts bug #67931. A comment by ryandesign said,
>
>  A port "can't" depend on a variant of another port (see #126). It can use
>  the active_variants 1.1 portgroup, but that requires manual intervention
>  from the user, and prevents the buildbot from automatically creating
>  binary archives of the port.
>
>  Have you reported this problem to the developers of Subversion? If not,
>  please do, and put the URL of the report here.
>
> I am attempting to do so here.  Apparently the email is required before I
> can make a bug report.
>
> Please let me know how to proceed with the bug report.
>

You've done absolutely correctly in sending an e-mail here. I assume you have
already seen the guidance on the website (
https://subversion.apache.org/docs/community-guide/issues.html) on why we
don't want anything added to the issue tracker before it has been accepted
as a bug on the mailing list.

Kind regards,
Daniel Sahlberg


Re: passwd file stores plain text passwords - how to protect it

2023-08-22 Thread Bo Berglund
On Tue, 22 Aug 2023 13:14:25 +0200, Daniel Sahlberg wrote:

>Please note that for Subversion 1.12 until 1.14 the default was to disable
>the plaintext password cache. In Subversion 1.15 the plaintext password
>cache will again be enabled by default.

I am using svn a lot on raspberry pi devices and I have now checked the current
version on one of them:

$ svn --version
svn, version 1.14.1 (r1886195)
   compiled Apr  5 2022, 23:23:59 on arm-unknown-linux-gnueabihf

So in order to get back the file cache again I need a version update, right?

Does anyone know when Debian will move ahead to 1.15?
PiOS is based on Debian, so I guess it will be guided by that...

Or is it possible to force a version update via apt?


-- 
Bo Berglund
Developer in Sweden



Re: passwd file stores plain text passwords - how to protect it

2023-08-22 Thread Bo Berglund
On Tue, 22 Aug 2023 17:38:12 +0200, Bo Berglund wrote:

>On Tue, 22 Aug 2023 13:14:25 +0200, Daniel Sahlberg wrote:
>
>>Please note that for Subversion 1.12 until 1.14 the default was to disable
>>the plaintext password cache. In Subversion 1.15 the plaintext password
>>cache will again be enabled by default.
>
>I am using svn a lot on raspberry pi devices and I have now checked the current
>version on one of them:
>
>$ svn --version
>svn, version 1.14.1 (r1886195)
>   compiled Apr  5 2022, 23:23:59 on arm-unknown-linux-gnueabihf
>
>So in order to get back the file cache again I need a version update, right?
>
>Does anyone know when Debian will move ahead to 1.15?
>PiOS is based on Debian, so I guess it will be guided by that...
>
>Or is it possible to force a version update via apt?

Forgot to say that PiOS is version bullseye at the moment...


-- 
Bo Berglund
Developer in Sweden



Re: passwd file stores plain text passwords - how to protect it

2023-08-22 Thread Daniel Sahlberg
On Tue 22 Aug 2023 at 17:53, Bo Berglund wrote:

> On Tue, 22 Aug 2023 17:38:12 +0200, Bo Berglund wrote:
>
> >On Tue, 22 Aug 2023 13:14:25 +0200, Daniel Sahlberg wrote:
> >
> >>Please note that for Subversion 1.12 until 1.14 the default was to
> disable
> >>the plaintext password cache. In Subversion 1.15 the plaintext password
> >>cache will again be enabled by default.
>

Subversion 1.15 is not even released yet, so I probably jumped the gun
slightly. I should have said that "Plans are that Subversion 1.15, when
released, will again enable the plaintext password store by default".

>
> >I am using svn a lot on raspberry pi devices and I have now checked the
> current
> >version on one of them:
> >
> >$ svn --version
> >svn, version 1.14.1 (r1886195)
> >   compiled Apr  5 2022, 23:23:59 on arm-unknown-linux-gnueabihf
> >
> >So in order to get back the file cache again I need a version update,
> right?
>

Yes, either from your distribution's repository or build your own from the
current trunk.

Otherwise you can store the unencrypted password using the script linked in
the FAQ entry previously mentioned (
https://subversion.apache.org/faq.html#plaintext-passwords).


> >
> >Does anyone know when Debian will move ahead to 1.15?
> >PiOS is based on Debian, so I guess it will be guided by that...
>
>
> >Or is it possible to force a version update via apt?
>
> Forgot to say that PiOS ia version bullseye at the moment...
>

That is a question better directed to the distribution, of course after
Subversion 1.15 is actually released.

Kind regards,
Daniel Sahlberg
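Both of Daniel's replies point at the FAQ entry on plaintext passwords and the script it links, which writes entries into ~/.subversion/auth/svn.simple/. The following audit script is an added example, not part of this thread or of Subversion's own tooling: it parses that cache's K/V hash-dump format and reports which entries hold an unencrypted password (passtype "simple"), so an administrator can check clients before deciding whether to re-enable the plaintext store. The sample entry, its user, realm and password are constructed for the example.

```python
import os

# Constructed sample of one entry from ~/.subversion/auth/svn.simple/, in the
# K/V hash-dump format the FAQ's script writes. User, realm and password are
# hypothetical; every "V <len>" is the byte length of the value that follows.
SAMPLE_ENTRY = (
    b"K 8\npasstype\nV 6\nsimple\n"
    b"K 8\npassword\nV 8\nhunter22\n"
    b"K 15\nsvn:realmstring\nV 36\n<svn://svn.example.org:3690> My Repo\n"
    b"K 8\nusername\nV 5\nalice\nEND\n"
)


def parse_svn_hash(data):
    """Parse 'K <len>', key, 'V <len>', value, ..., 'END' (lengths in bytes)."""
    pos, result = 0, {}
    while True:
        nl = data.index(b"\n", pos)
        line, pos = data[pos:nl], nl + 1
        if line == b"END":
            return result
        if not line.startswith(b"K "):
            raise ValueError("expected 'K <len>' or END, got %r" % line)
        klen = int(line[2:])
        key, pos = data[pos:pos + klen], pos + klen + 1   # +1 skips the newline
        nl = data.index(b"\n", pos)
        vline, pos = data[pos:nl], nl + 1
        if not vline.startswith(b"V "):
            raise ValueError("expected 'V <len>', got %r" % vline)
        vlen = int(vline[2:])
        value, pos = data[pos:pos + vlen], pos + vlen + 1
        result[key.decode("utf-8")] = value.decode("utf-8")


def audit_entry(data):
    """Return (username, realm, plaintext): passtype 'simple' with a
    'password' key means the credential is cached unencrypted."""
    h = parse_svn_hash(data)
    plain = h.get("passtype") == "simple" and "password" in h
    return h.get("username"), h.get("svn:realmstring"), plain


def audit_auth_dir(auth_dir=None):
    """List (file, user, realm) for every plaintext entry in the cache dir."""
    auth_dir = auth_dir or os.path.expanduser("~/.subversion/auth/svn.simple")
    findings = []
    for name in (os.listdir(auth_dir) if os.path.isdir(auth_dir) else []):
        with open(os.path.join(auth_dir, name), "rb") as f:
            user, realm, plain = audit_entry(f.read())
        if plain:
            findings.append((name, user, realm))
    return findings
```

Entries whose passtype names a keyring backend (for example gpg-agent) carry no password key at all and are reported as not plaintext.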