“passwd” file stores plain text passwords - how to protect it

Channakeshavala, Sriharsha via users
Aug 22, 2023, 7:00:21 AM
to us...@subversion.apache.org

Hello,

Since the “passwd” file stores plain text passwords, it is a vulnerability for SVN users.

We have not compiled Subversion 1.14.2 with the “cyrus SASL” library and hence cannot use SASL authentication mechanisms.

Could you please suggest any other alternative to secure the passwd file?

Thanks & Regards,
Sriharsha

Daniel Sahlberg
Aug 22, 2023, 7:14:45 AM
to Channakeshavala, Sriharsha, us...@subversion.apache.org

The following FAQ article on the Subversion website should probably answer your questions: https://subversion.apache.org/faq.html#plaintext-passwords

Please note that for Subversion 1.12 until 1.14 the default was to disable the plaintext password cache. In Subversion 1.15 the plaintext password cache will again be enabled by default.

Kind regards,
Daniel

Bo Berglund
Aug 22, 2023, 11:38:32 AM
to us...@subversion.apache.org

On Tue, 22 Aug 2023 13:14:25 +0200, Daniel Sahlberg
<daniel.l...@gmail.com> wrote:

>Please note that for Subversion 1.12 until 1.14 the default was to disable
>the plaintext password cache. In Subversion 1.15 the plaintext password
>cache will again be enabled by default.

I am using svn a lot on raspberry pi devices and I have now checked the current
version on one of them:

$ svn --version
svn, version 1.14.1 (r1886195)
compiled Apr 5 2022, 23:23:59 on arm-unknown-linux-gnueabihf

So in order to get back the file cache again I need a version update, right?

Does anyone know when Debian will move ahead to 1.15?
PiOS is based on Debian, so I guess it will be guided by that...

Or is it possible to force a version update via apt?


--
Bo Berglund
Developer in Sweden

Bo Berglund
Aug 22, 2023, 11:53:57 AM
to us...@subversion.apache.org

Forgot to say that PiOS is version bullseye at the moment...

Daniel Sahlberg
Aug 22, 2023, 1:30:18 PM
to bo.be...@gmail.com, us...@subversion.apache.org

On Tue, 22 Aug 2023 at 17:53, Bo Berglund <bo.be...@gmail.com> wrote:
>On Tue, 22 Aug 2023 17:38:12 +0200, Bo Berglund <bo.be...@gmail.com> wrote:

>On Tue, 22 Aug 2023 13:14:25 +0200, Daniel Sahlberg
><daniel.l...@gmail.com> wrote:
>
>>Please note that for Subversion 1.12 until 1.14 the default was to disable
>>the plaintext password cache. In Subversion 1.15 the plaintext password
>>cache will again be enabled by default.

Subversion 1.15 is not even released yet, so I probably jumped the gun slightly. I should have said that "Plans are that Subversion 1.15, when released, will again enable the plaintext password store by default".

>
>I am using svn a lot on raspberry pi devices and I have now checked the current
>version on one of them:
>
>$ svn --version
>svn, version 1.14.1 (r1886195)
>   compiled Apr  5 2022, 23:23:59 on arm-unknown-linux-gnueabihf
>
>So in order to get back the file cache again I need a version update, right?

Yes, either from your distribution's repository or build your own from the current trunk.

Otherwise you can store the unencrypted password using the script linked in the FAQ entry previously mentioned (https://subversion.apache.org/faq.html#plaintext-passwords).

>
>Does anyone know when Debian will move ahead to 1.15?
>PiOS is based on Debian, so I guess it will be guided by that...
>
>Or is it possible to force a version update via apt?

>Forgot to say that PiOS is version bullseye at the moment...

That is a question better directed to the distribution, of course after Subversion 1.15 is actually released.

Kind regards,
Daniel Sahlberg

Daniel Sahlberg
Aug 23, 2023, 3:08:19 AM
to Channakeshavala, Sriharsha, us...@subversion.apache.org

On Wed, 23 Aug 2023 at 06:32, Channakeshavala, Sriharsha <s.channa...@sap.com> wrote:

>Thanks for the quick response.
>
>Subversion credential cache is something that is done on the client side.
>
>But we have an issue storing plain text passwords in the “passwd” on the server side.
>
>Could you please suggest on it.

I assume you use plain svnserve (i.e., the URL starts with svn://). In that case I don't think it is possible to protect the passwords. You could switch to mod_svn (in this case the password is hashed) or use svnserve over SSH (in which case the user is authenticated by the SSH server).

See the SVN book for a detailed description of the different options: https://svnbook.red-bean.com/nightly/en/svn.serverconfig.html

Kind regards,
Daniel Sahlberg

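As an added example (not code from this thread or from the Subversion project), a small Python check for the server-side exposure discussed above: it reads a repository's conf/svnserve.conf, confirms that the password-db it points at is not readable by other accounts, that anon-access is switched off, and that no account in the [users] section has an empty password. The configuration contents, user names and the temporary directory are constructed for illustration.

```python
import configparser, os, stat, tempfile

# Constructed sample inputs (not from a real server): a typical svnserve.conf
# and the [users] password file it points to, both with weaknesses to catch.
SAMPLE_SVNSERVE_CONF = """\
[general]
anon-access = read
password-db = passwd
"""
SAMPLE_PASSWD = """\
[users]
alice = hunter2
bob =
"""

def load_ini(path):
    # svnserve.conf and passwd are INI files; keep option/user names case-sensitive
    cp = configparser.ConfigParser(interpolation=None, allow_no_value=True)
    cp.optionxform = str
    cp.read(path)
    return cp

def audit_svnserve(conf_dir):
    """Return a list of findings for <repo>/conf; an empty list means none."""
    findings = []
    general = load_ini(os.path.join(conf_dir, "svnserve.conf"))
    anon = general.get("general", "anon-access", fallback="read")  # svnserve default
    if anon != "none":
        findings.append(f"anon-access = {anon}: unauthenticated clients can reach the repository")
    pw_name = general.get("general", "password-db", fallback=None)
    if not pw_name:
        return findings + ["no password-db: svnserve has no user database to authenticate against"]
    pw_path = os.path.join(conf_dir, pw_name)  # password-db is relative to the conf directory
    mode = stat.S_IMODE(os.stat(pw_path).st_mode)
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append(f"{pw_name} mode {mode:04o} is readable by group/others; it holds plaintext passwords")
    users = load_ini(pw_path)
    for name, secret in users.items("users") if users.has_section("users") else []:
        if not secret:
            findings.append(f"user {name!r} has an empty password")
    return findings

def demo():
    # Write the constructed sample files to a temporary conf directory and audit it
    with tempfile.TemporaryDirectory() as d:
        for name, text in (("svnserve.conf", SAMPLE_SVNSERVE_CONF), ("passwd", SAMPLE_PASSWD)):
            with open(os.path.join(d, name), "w") as f:
                f.write(text)
        os.chmod(os.path.join(d, "passwd"), 0o644)  # world-readable on purpose so the check fires
        return audit_svnserve(d)
```

Run `demo()` to see the three findings the sample produces; point `audit_svnserve` at a real repository's conf directory to check it the same way.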

Channakeshavala, Sriharsha via users
Aug 23, 2023, 4:37:42 AM
to Daniel Sahlberg, us...@subversion.apache.org

Thanks for the quick response.

Subversion credential cache is something that is done on the client side.

But we have an issue storing plain text passwords in the “passwd” on the server side.

Could you please suggest on it.

Your help will be much appreciated.

Thanks,

Sriharsha

From: Daniel Sahlberg <daniel.l...@gmail.com>
Sent: 22 August 2023 16:44
To: Channakeshavala, Sriharsha <s.channa...@sap.com>
Cc: us...@subversion.apache.org
Subject: Re: “passwd” file stores plain text passwords - how to protect it

On Tue, 22 Aug 2023 at 13:00, Channakeshavala, Sriharsha via users <us...@subversion.apache.org> wrote:
