Re: “passwd” file stores plain text passwords - how to protect it

2023-08-23 Thread Daniel Sahlberg
On Wed, 23 Aug 2023 at 06:32, Channakeshavala, Sriharsha <
s.channakeshav...@sap.com> wrote:

> Thanks for the quick response.
>
>
>
> Subversion credential cache is something that is done on the client side.
>
>
>
> But we have an issue storing plain text passwords in the “passwd” on the
> server side.
>
> Could you please suggest on it.
>

I assume you use plain svnserve (i.e., the URL starts with svn://). In that
case I don't think it is possible to protect the passwords. You could
switch to mod_svn (in this case the password is hashed) or use svnserve
over SSH (in which case the user is authenticated by the SSH server).

See the SVN book for a detailed description of the different options:
https://svnbook.red-bean.com/nightly/en/svn.serverconfig.html

Kind regards,
Daniel Sahlberg




>
>
> Your help will be much appreciated.
>
>
>
> Thanks,
>
> Sriharsha
>
>
>
> *From:* Daniel Sahlberg 
> *Sent:* 22 August 2023 16:44
> *To:* Channakeshavala, Sriharsha 
> *Cc:* users@subversion.apache.org
> *Subject:* Re: “passwd” file stores plain text passwords - how to protect
> it
>
>
>
> On Tue, 22 Aug 2023 at 13:00, Channakeshavala, Sriharsha via users <
> users@subversion.apache.org> wrote:
>
> Hello,
>
>
>
> Since the “passwd” file stores plain text passwords, it is vulnerable for
> the SVN users.
>
> We have not compiled the subversion 1.14.2 with “cyrus SASL” library and
> hence cannot use SASL authentication mechanisms.
>
>
>
> Could you please suggest any other alternative to secure the passwd file?
>
>
>
> The following FAQ article on the Subversion website should probably answer
> your questions: https://subversion.apache.org/faq.html#plaintext-passwords
>
>
>
> Please note that for Subversion 1.12 until 1.14 the default was to disable
> the plaintext password cache. In Subversion 1.15 the plaintext password
> cache will again be enabled by default.
>
>
>
> Kind regards,
>
> Daniel
>
>
>
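
An audit check for the situation discussed in this message, as an added example that is not part of the original thread or of Subversion itself: it reports which accounts a repository's svnserve password file holds in plain text and whether that file is readable beyond its owner. It assumes the standard repository layout (conf/svnserve.conf with the password-db and use-sasl options); the function names and the sample repository are constructed for illustration.

```python
import configparser
import os
import stat
import tempfile

def _ini(path):
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str              # keep user names case-sensitive
    cp.read(path)                     # a missing file yields an empty config
    return cp

def audit_repo(repo_dir):
    """Report plaintext svnserve accounts for one repository (never the passwords)."""
    result = {"plaintext_users": [], "readable_by_others": False}
    conf_dir = os.path.join(repo_dir, "conf")
    conf = _ini(os.path.join(conf_dir, "svnserve.conf"))
    pw_db = conf.get("general", "password-db", fallback=None)
    sasl = conf.get("sasl", "use-sasl", fallback="false").strip().lower()
    if pw_db is None or sasl == "true":
        return result                 # no built-in password file, or SASL replaces it
    pw_path = os.path.join(conf_dir, pw_db)   # relative to conf/ unless absolute
    if not os.path.isfile(pw_path):
        return result
    users = _ini(pw_path)
    if users.has_section("users"):
        result["plaintext_users"] = sorted(users.options("users"))
    mode = stat.S_IMODE(os.stat(pw_path).st_mode)
    result["readable_by_others"] = bool(mode & 0o077)  # any group/other bit set
    return result

def make_sample_repo(root, mode=0o644):
    """Constructed sample: a conf/ directory laid out as svnserve reads it."""
    conf_dir = os.path.join(root, "conf")
    os.makedirs(conf_dir)
    with open(os.path.join(conf_dir, "svnserve.conf"), "w") as f:
        f.write("[general]\nanon-access = none\nauth-access = write\n"
                "password-db = passwd\n")
    pw_path = os.path.join(conf_dir, "passwd")
    with open(pw_path, "w") as f:
        f.write("[users]\nalice = constructed-secret-1\nBob = constructed-secret-2\n")
    os.chmod(pw_path, mode)
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(audit_repo(make_sample_repo(tmp)))
```

Restricting the file mode only limits who on the server can read the passwords; they remain in plain text until the repository is moved to one of the alternatives named in the reply.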


RE: “passwd” file stores plain text passwords - how to protect it

2023-08-23 Thread Channakeshavala, Sriharsha via users
Thanks for the quick response.

Subversion credential cache is something that is done on the client side.

But we have an issue storing plain text passwords in the “passwd” on the server 
side.
Could you please suggest on it.

Your help will be much appreciated.

Thanks,
Sriharsha

From: Daniel Sahlberg 
Sent: 22 August 2023 16:44
To: Channakeshavala, Sriharsha 
Cc: users@subversion.apache.org
Subject: Re: “passwd” file stores plain text passwords - how to protect it

On Tue, 22 Aug 2023 at 13:00, Channakeshavala, Sriharsha via users 
<users@subversion.apache.org> wrote:
Hello,

Since the “passwd” file stores plain text passwords, it is vulnerable for the 
SVN users.
We have not compiled the subversion 1.14.2 with “cyrus SASL” library and hence 
cannot use SASL authentication mechanisms.

Could you please suggest any other alternative to secure the passwd file?

The following FAQ article on the Subversion website should probably answer your 
questions: https://subversion.apache.org/faq.html#plaintext-passwords

Please note that for Subversion 1.12 until 1.14 the default was to disable the 
plaintext password cache. In Subversion 1.15 the plaintext password cache will 
again be enabled by default.

Kind regards,
Daniel