How to store passwords?


Olaf van der Spek

Aug 20, 2022, 6:20:33 AM
to us...@subversion.apache.org
Hi,

On a Debian 11 system with Subversion 1.14.1-3+deb11u1 I'm trying to
store passwords.

In /etc/subversion/config I've got:
[auth]
password-stores =

# cat /etc/subversion/servers
[global]
store-passwords = yes
store-plaintext-passwords = yes

But still it's asking for the server every single time. What am I missing?
--
Olaf

Daniel Sahlberg

Aug 20, 2022, 6:40:28 AM
to Olaf van der Spek, Subversion
Check the available authentication credential caches:
[[[
$ svn --version
[...]
The following authentication credential caches are available:

* Plaintext cache in /home/daniel/.subversion
* Gnome Keyring
* GPG-Agent
* KWallet (KDE)
]]]

If you are missing the Plaintext cache then your distribution compiled Subversion without the support for storing passwords in the plaintext cache. (The compile-time option changed in Subversion 1.12 to disable the plaintext cache unless explicitly enabled).

This has been a source of many questions and a lot of confusion during the years. Recently, a script was developed that will allow you to store the password even if your svn binary will not. Please be aware of any security implications of storing the password in plaintext.

See https://subversion.apache.org/faq.html#plaintext-passwords for more information including a link to the aforementioned script.

Kind regards,
Daniel
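
The check described in the message above can be scripted. The following is an added example, not part of the original post and not the script from the FAQ: it parses `svn --version` output and reports whether the plaintext cache was compiled in. The function names and both sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): parse `svn --version` output.

# Print one credential cache name per line from `svn --version` text on stdin.
list_caches() {
    awk '
        /authentication credential caches are available/ { in_list = 1; next }
        in_list && /^[ \t]*\*/ { sub(/^[ \t]*\*[ \t]*/, ""); print }
    '
}

# Exit 0 if the plaintext cache is listed in the text on stdin, 1 otherwise.
has_plaintext_cache() {
    list_caches | grep -q '^Plaintext cache'
}

# Constructed sample: a build with the plaintext cache (as in the output above).
SAMPLE_WITH_PLAINTEXT='The following repository access (RA) modules are available:

* ra_svn : Module for accessing a repository using the svn network protocol.

The following authentication credential caches are available:

* Plaintext cache in /home/daniel/.subversion
* Gnome Keyring
* GPG-Agent
* KWallet (KDE)'

# Constructed sample: a build compiled without the plaintext cache.
SAMPLE_WITHOUT_PLAINTEXT='The following authentication credential caches are available:

* Gnome Keyring
* GPG-Agent
* KWallet (KDE)'

# Print a one-line verdict for the `svn --version` text on stdin.
report() {
    if has_plaintext_cache; then
        echo "plaintext cache available"
    else
        echo "plaintext cache not compiled in"
    fi
}

printf '%s\n' "$SAMPLE_WITH_PLAINTEXT" | report
printf '%s\n' "$SAMPLE_WITHOUT_PLAINTEXT" | report
# Against the installed client: svn --version | report
```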

Olaf van der Spek

Aug 20, 2022, 8:40:38 AM
to Daniel Sahlberg, Subversion
On Sat, Aug 20, 2022 at 12:39, Daniel Sahlberg
<daniel.l...@gmail.com> wrote:
>
> On Sat, Aug 20, 2022 at 12:20, Olaf van der Spek <olafv...@gmail.com> wrote:
> Check the available authentication credential caches:
> [[[
> $ svn --version
> [...]
> The following authentication credential caches are available:
>
> * Plaintext cache in /home/daniel/.subversion
> * Gnome Keyring
> * GPG-Agent
> * KWallet (KDE)
> ]]]
>
> If you are missing the Plaintext cache then your distribution compiled Subversion without the support for storing passwords in the plaintext cache. (The compile-time option changed in Subversion 1.12 to disable the plaintext cache unless explicitly enabled).

Right, thanks!
Does it really have to be this hard to store passwords? ;)

I'm running a local svnserve, is there a better way to handle this?

I'll also give the script a try.

Thanks!
--
Olaf

Olaf van der Spek

Aug 20, 2022, 8:40:43 AM
to Daniel Sahlberg, Subversion
On Sat, Aug 20, 2022 at 14:27, Olaf van der Spek <olafv...@gmail.com> wrote:
Hmm:
Traceback (most recent call last):
  File "store-plaintext-password.py", line 192, in <module>
    main()
  File "store-plaintext-password.py", line 188, in main
    writeHashFile(authfileName, hash)
  File "store-plaintext-password.py", line 128, in writeHashFile
    outputHash(fd, dict)
  File "store-plaintext-password.py", line 113, in outputHash
    for key, val in dict.items():
TypeError: unbound method dict.items() needs an argument


--
Olaf

Nico Kadel-Garcia

Aug 20, 2022, 2:40:24 PM
to Olaf van der Spek, Daniel Sahlberg, Subversion
Easy to use and access conflicts with secure from others, especially
the root user.

Have you considered using 'svn+ssh' based access, with ssh-agent
setups? I used those especially with tools like Jenkins, so I could
demand a pass-phrase when starting sensitive tasks.

Daniel Sahlberg

Aug 22, 2022, 11:20:41 AM
to Olaf van der Spek, Subversion
On Sat, Aug 20, 2022 at 14:27, Olaf van der Spek <olafv...@gmail.com> wrote:
On Sat, Aug 20, 2022 at 12:39, Daniel Sahlberg
<daniel.l...@gmail.com> wrote:
>
> On Sat, Aug 20, 2022 at 12:20, Olaf van der Spek <olafv...@gmail.com> wrote:
> Check the available authentication credential caches:
> [[[
> $ svn --version
> [...]
> The following authentication credential caches are available:
>
> * Plaintext cache in /home/daniel/.subversion
> * Gnome Keyring
> * GPG-Agent
> * KWallet (KDE)
> ]]]
>
> If you are missing the Plaintext cache then your distribution compiled Subversion without the support for storing passwords in the plaintext cache. (The compile-time option changed in Subversion 1.12 to disable the plaintext cache unless explicitly enabled).

> Right, thanks!
> Does it really have to be this hard to store passwords? ;)

Well... yes. I assume it was a rhetorical question but I'll answer anyway for the benefit of the list.

There are radically conflicting requirements and priorities between different users. Some want to store the authentication for full in-the-background automation while others won't even allow software that potentially COULD store authentication credentials unencrypted (and SSH keys are not significantly different than plaintext passwords in this regard, the server setup makes all the difference what you can do if you get hold of the credentials). The difference being how you treat access to ~, if you see it as world readable or if you see it as a secure part of your computer (and in the latter case if you believe all bets are off in case someone has physical access).

> I'm running a local svnserve, is there a better way to handle this?

If you have the repository locally (I assume you have RW in the repository folder), then you could checkout using the file:// protocol, leaving the server out of the equation completely.

> I'll also give the script a try.

(I'll reply separately to your other e-mail with the script error)

Kind regards,
Daniel

Daniel Sahlberg

Aug 22, 2022, 11:33:40 AM
to Olaf van der Spek, Subversion
There was a variable called "dict" in early iterations of the script but it was renamed "hash" at one point but not everywhere. I hadn't tested the script properly after the change. My bad, sorry!

Can you re-download the script and try again?

Kind regards,
Daniel