On Mon, Jan 03, 2011 at 04:19:20PM -0500, Andy Levy wrote:
> On Mon, Jan 3, 2011 at 15:56, Nick <nos...@codesniffer.com> wrote:
> > On Mon, 2011-01-03 at 11:49 -0500, Mark Phippard wrote:
> >> > Apologies in advance if this is covered somewhere, but can someone
> >> > explain (or point me to some references on) why using SVN w/ Apache
> >> > (HTTPS) is insecure? I've seen some references to plain text password
> >> > storage, but I don't see my password on my server. The passwords in my
> >> > svnusers files look like hashes, which makes sense because I use the
> >> > "-m" option to htpasswd2 when creating them. What am I missing?
> >>
> >> Yes, it is secure. Nico's issue is that the SVN client will allow the
> >> user to cache their password in plaintext locally in their home
> >> folder. This is only true for *nix clients though. Windows and OSX
> >> clients store the password securely.
> >
> > I see, thanks. So by "SVN client", are you referring to the command
> > line client that's provided by SVN?
> > May I ask why the *nix client stores the credentials in plain text?
> > Again, I'm open to references which explain it if this has already been
> > covered.
>
> I believe it's because there is no one standard crypto library that
> can easily be expected to exist on every *nix system. You can use
> Gnome Keyring & KDE Wallet, but you have to explicitly use that option
> on the commandline.
>
> Windows has the Win32 Crypto API built in, and OS X has Keychain. You
> know they'll always be there and available, so they're used. IIRC,
> Windows was the first to get the crypto for stored passwords, then OS
> X in SVN 1.4.
There's an FAQ entry on this, too:
http://subversion.apache.org/faq.html#plaintext-passwords

Stefan
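The practical check that follows from this thread is to look at what the *nix client has already cached under ~/.subversion/auth/svn.simple/ and, if plaintext passwords are there, turn the caching off. The script below is an added example written for this page; it is not code from the thread or from the Subversion project. It assumes the svn.simple cache file layout ("K <len>" / key / "V <len>" / value records, with a "password" key present only when the password was stored in the clear and a "passtype" key naming the backend otherwise), and the sample cache files it writes are constructed for the demonstration. The usernames, realm and password in them are made up.

```shell
#!/bin/sh
# Added example, not from the mailing list thread or the Subversion project.
# Assumption: the svn client keeps cached credentials as one file per realm
# under ~/.subversion/auth/svn.simple/, in svn's K/V hash format; a file that
# holds a plaintext password carries a "password" key, a file backed by
# gnome-keyring or kwallet carries only a "passtype" key pointing at the store.

# Exit 0 if the cache file holds a plaintext "password" key, 1 otherwise.
svn_cache_has_plaintext_password() {
    awk '
        # a key name is the line that follows a "K <len>" record header
        prev ~ /^K [0-9]+$/ && $0 == "password" { found = 1 }
        { prev = $0 }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# Print the path of every cached credential that contains a plaintext password.
# Default directory is the current user's svn.simple cache.
svn_scan_auth_cache() {
    dir="${1:-$HOME/.subversion/auth/svn.simple}"
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        if svn_cache_has_plaintext_password "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# Settings that stop the *nix client from writing plaintext passwords.
# "store-plaintext-passwords = no" goes in ~/.subversion/servers,
# "password-stores" in ~/.subversion/config selects the keyring backends.
svn_hardened_config() {
    cat <<'EOF'
# ~/.subversion/servers
[global]
store-plaintext-passwords = no

# ~/.subversion/config
[auth]
password-stores = gnome-keyring,kwallet
EOF
}

# Constructed sample cache (values are made up) to exercise the checks:
# one credential cached in the clear, one delegated to gnome-keyring.
write_sample_cache() {
    mkdir -p "$1"
    printf 'K 8\npasstype\nV 6\nsimple\nK 8\npassword\nV 6\ns3cret\nK 8\nusername\nV 5\nalice\nK 15\nsvn:realmstring\nV 34\n<https://svn.example.com:443> Repo\nEND\n' > "$1/aaaa1111"
    printf 'K 8\npasstype\nV 13\ngnome-keyring\nK 8\nusername\nV 3\nbob\nK 15\nsvn:realmstring\nV 34\n<https://svn.example.com:443> Repo\nEND\n' > "$1/bbbb2222"
}

# Demo on the constructed samples; against a real account run
# svn_scan_auth_cache with no argument.
demo_dir=$(mktemp -d)
write_sample_cache "$demo_dir"
svn_scan_auth_cache "$demo_dir"
rm -rf "$demo_dir"
```

Only the file for "alice" is reported, because the "bob" entry stores no password at all, just a pointer to the keyring. Deleting an offending file removes the cached secret; the config fragment printed by svn_hardened_config keeps the client from writing another one.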