Re: How to test that I configured httpd+Subversion with Path Based Authorization in the right way?

On 14.01.2009, Nico Kadel-Garcia <nkadel@xxxxxxxxx> wrote:
> On Jan 14, 7:20 am, Andrea Francia
>> The problem is about security settings of the Subversion repository
>> served through the Apache web server.
>
> Do not use this technique, *EVER*, for accessing Subversion
> repositories, except for anonymous access.
>
> The major problem is that the UNIX and Linux default command-line
> client, 'svn', stores all passwords locally in cleartext. The extent to
> which this is an incredibly bad idea is stunning. And as the
> Subversion administrator, you have no way to prevent your users from
> ever using the command line client.

And this is much worse than storing, for example, e-mail passwords in
MUAs or FTP passwords? And many, many other passwords saved here and
there by various clients. And other VCS-es store their passwords
encrypted some way? And, as I understand, you can't configure the Subversion
server to use the HTTPS transport protocol with client certificates
required by the server, which gives the same effect as SSH with keys,
which you recommend that much.

The point with passwords is not that you should use asymmetric keys
instead, but that you should enter your passwords on trusted computers.

Secunia non olet.
Stanislaw Klekot
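The thread above turns on the fact that the 2009-era 'svn' client caches HTTP passwords on disk. An administrator who wants to know which of a user's cached credentials actually sit there in cleartext can inspect the auth cache directly. The script below is an added example and is not part of this thread or of Subversion itself; it assumes the layout of ~/.subversion/auth/svn.simple/<hash> files, which use Subversion's hash-file format (records of "K <len>\n<key>\n" and "V <len>\n<value>\n", terminated by "END"), and that an entry whose passtype is "simple" (or absent) carries the password itself, while other passtypes (gnome-keyring, kwallet, gpg-agent, ...) only reference an external store. The sample entries are constructed for the demo and contain no real credentials.

```python
"""Audit a Subversion auth cache for passwords stored in cleartext.

Added example (not from the original thread). Assumption: the on-disk
format of ~/.subversion/auth/svn.simple/<hash> is Subversion's hash-file
format, alternating "K <len>\\n<key>\\n" / "V <len>\\n<value>\\n" records
ending with "END\\n"; passtype "simple" (or no passtype) means the
password is stored verbatim, other passtypes point to an external store.
"""
import os


def encode_svn_hash(fields: dict) -> bytes:
    """Serialise a dict in the hash-file format. Used here only to build the
    constructed samples below; the real client writes these files itself."""
    out = bytearray()
    for key, value in fields.items():
        k, v = key.encode("utf-8"), value.encode("utf-8")
        out += b"K %d\n%s\nV %d\n%s\n" % (len(k), k, len(v), v)
    out += b"END\n"
    return bytes(out)


def parse_svn_hash(data: bytes) -> dict:
    """Parse one auth-cache file into a dict, honouring the declared lengths
    so that values containing newlines are read correctly."""
    fields = {}
    pos = 0
    while True:
        nl = data.index(b"\n", pos)
        header = data[pos:nl]
        pos = nl + 1
        if header == b"END":
            return fields
        if not header.startswith(b"K "):
            raise ValueError("expected K record at offset %d" % (nl - len(header)))
        klen = int(header[2:])
        key = data[pos:pos + klen]
        pos += klen + 1                      # skip the key and its newline
        nl = data.index(b"\n", pos)
        vheader = data[pos:nl]
        pos = nl + 1
        if not vheader.startswith(b"V "):
            raise ValueError("expected V record after key %r" % key)
        vlen = int(vheader[2:])
        value = data[pos:pos + vlen]
        pos += vlen + 1                      # skip the value and its newline
        fields[key.decode("utf-8")] = value.decode("utf-8")


def classify_entry(fields: dict) -> dict:
    """Summarise one svn.simple entry: realm, user and where the password lives."""
    passtype = fields.get("passtype", "")
    if "password" in fields and passtype in ("", "simple"):
        storage = "cleartext"                # the case the thread warns about
    elif passtype:
        storage = "external:" + passtype     # gnome-keyring, kwallet, gpg-agent, ...
    else:
        storage = "none"
    return {
        "realm": fields.get("svn:realmstring", "?"),
        "username": fields.get("username", "?"),
        "storage": storage,
    }


def audit_auth_dir(auth_dir: str) -> list:
    """Walk <auth_dir>/svn.simple and return one summary dict per cached entry."""
    simple_dir = os.path.join(auth_dir, "svn.simple")
    findings = []
    if not os.path.isdir(simple_dir):
        return findings
    for name in sorted(os.listdir(simple_dir)):
        path = os.path.join(simple_dir, name)
        with open(path, "rb") as fh:
            try:
                entry = classify_entry(parse_svn_hash(fh.read()))
            except ValueError as exc:
                entry = {"realm": "?", "username": "?", "storage": "unparseable: %s" % exc}
        entry["file"] = name
        findings.append(entry)
    return findings


# Constructed samples (not real credentials): one entry stored the way the
# Linux client of the time did it, one delegated to GNOME Keyring.
SAMPLE_CLEARTEXT = encode_svn_hash({
    "svn:realmstring": "<https://svn.example.com:443> Example Subversion Repository",
    "username": "alice",
    "passtype": "simple",
    "password": "correct horse",
})
SAMPLE_KEYRING = encode_svn_hash({
    "svn:realmstring": "<https://svn.example.com:443> Example Subversion Repository",
    "username": "bob",
    "passtype": "gnome-keyring",
})

if __name__ == "__main__":
    for sample in (SAMPLE_CLEARTEXT, SAMPLE_KEYRING):
        print("sample:", classify_entry(parse_svn_hash(sample)))
    for f in audit_auth_dir(os.path.expanduser("~/.subversion/auth")):
        print("%-60s %-10s %s" % (f["realm"], f["username"], f["storage"]))
```

Run as-is it classifies the two constructed samples and then reports every entry in the invoking user's own auth cache; point audit_auth_dir() at another auth directory to review a copied cache. Any "cleartext" line is a credential that is only as safe as the filesystem permissions and backups of that home directory, which is exactly the exposure argued about above.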
