Re: How to test that I configured httpd+Subversion with Path Based Authorization in the right way?

On 14.01.2009, Nico Kadel-Garcia <nkadel@xxxxxxxxx> wrote:
On Jan 14, 7:20 am, Andrea Francia
<afran...@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx>
wrote:
The problem is about security settings of the Subversion repository
served through the Apache web server.

Do not use this technique, *EVER*, for accessing Subversion
repositories, except for anonymous access.

The major problem is that the UNIX and Linux default command-line
client, 'svn', stores all passwords locally in cleartext. The extent to
which this is an incredibly bad idea is stunning. And as the
Subversion administrator, you have no way to prevent your users from
ever using the command line client.

And this is much worse than storing, for example, e-mail passwords in
MUAs or FTP passwords? And many, many other passwords saved here and
there by various clients. And other VCSes store their passwords
encrypted some way? And, as I understand, you can't configure Subversion
server to use HTTPS transport protocol with client certificates
required by the server, which gives the same effect as SSH with keys,
which you recommend that much.

The point with passwords is not that you should use asymmetric keys
instead, but that you should enter your passwords on trusted computers.

--
Secunia non olet.
Stanislaw Klekot
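The thread's subject asks how to verify that path-based authorization was configured correctly. The following is an added example, not code from the thread or from the Subversion project: an offline checker that parses an AuthzSVNAccessFile and answers "does user U hold rights R on repo:path?" so the policy can be checked case by case before (and in addition to) exercising the live httpd. The access file it reads is constructed for the example. It models the classic (pre-1.10) lookup order as an assumption: the most specific path section wins, a repository-qualified section ([repo:/path]) is consulted before the unqualified one ([/path]) at each level, and within the decisive section the rights of every rule that applies to the user are combined; paths with no applicable rule anywhere are denied.

```python
"""Offline checker for a Subversion path-based authorization file.

Assumed semantics (classic authz): most specific path section wins,
[repo:/path] is checked before [/path] at each level, and the rights of all
rules in the decisive section that apply to the user are combined.
"""
import configparser
import posixpath

# Constructed sample access file, not taken from any real deployment.
SAMPLE_AUTHZ = """\
[groups]
devs = alice, bob
leads = @devs, dave

[/]
* = r

[project:/trunk]
@devs = rw
$anonymous =

[project:/trunk/secrets]
* =
alice = rw
"""


def load_authz(text):
    """Parse authz text into (groups, rules).

    groups: group name -> list of raw members ("@other" means a nested group).
    rules:  path section name -> ordered dict of {principal: rights}.
    """
    cp = configparser.ConfigParser(delimiters=("=",), allow_no_value=True,
                                   interpolation=None, empty_lines_in_values=False)
    cp.optionxform = str  # user and group names are case-sensitive
    cp.read_string(text)
    groups = {}
    if cp.has_section("groups"):
        for name, members in cp["groups"].items():
            groups[name] = [m.strip() for m in (members or "").split(",") if m.strip()]
    rules = {s: dict(cp[s]) for s in cp.sections() if s not in ("groups", "aliases")}
    return groups, rules


def in_group(user, group, groups, seen=None):
    """True if user is a (possibly nested) member of group."""
    seen = set() if seen is None else seen
    if group in seen:  # guard against cyclic group definitions
        return False
    seen.add(group)
    for member in groups.get(group, []):
        if member.startswith("@"):
            if in_group(user, member[1:], groups, seen):
                return True
        elif member == user:
            return True
    return False


def rule_applies(principal, user, groups):
    """Decide whether a rule's principal matches user (None = anonymous)."""
    if principal.startswith("~"):  # negated principal
        return not rule_applies(principal[1:], user, groups)
    if principal == "*":
        return True
    if principal == "$authenticated":
        return user is not None
    if principal == "$anonymous":
        return user is None
    if principal.startswith("@"):
        return user is not None and in_group(user, principal[1:], groups)
    return user is not None and principal == user


def check_access(groups, rules, repo, path, user, required):
    """Return True if user holds every right in `required` ('r' or 'rw')."""
    path = posixpath.normpath("/" + path.lstrip("/"))
    while True:
        # Repository-qualified section first, then the unqualified one.
        for section in (f"{repo}:{path}", path):
            if section not in rules:
                continue
            granted, decided = "", False
            for principal, rights in rules[section].items():
                if rule_applies(principal, user, groups):
                    decided = True
                    granted += rights or ""
            if decided:
                return all(bit in granted for bit in required)
        if path == "/":
            return False  # no applicable rule anywhere: default deny
        path = posixpath.dirname(path)


GROUPS, RULES = load_authz(SAMPLE_AUTHZ)


def can(repo, path, user, required):
    """Convenience wrapper over the constructed sample policy."""
    return check_access(GROUPS, RULES, repo, path, user, required)


if __name__ == "__main__":
    for case in [("project", "/trunk", "bob", "rw"),
                 ("project", "/trunk/secrets", "bob", "r"),
                 ("project", "/trunk", None, "r"),
                 ("other", "/branches", None, "r")]:
        print(case, "->", "allowed" if can(*case) else "denied")
```

Point `load_authz` at the real AuthzSVNAccessFile and list the (repo, path, user, rights) combinations the policy is supposed to permit and refuse; the anonymous cases (`user=None`) are the ones most often got wrong, since a `* = r` at `[/]` leaks read access to every path that has no more specific section. The checker only reasons about the policy file, so a final confirmation still means issuing real requests against httpd as each of those users.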