Re: How to test that I configured httpd+Subversion with Path Based Authorization in the right way?
On 15.01.2009, Nico Kadel-Garcia <nkadel@xxxxxxxxx> wrote:
On Jan 14, 6:20 pm, "Stachu 'Dozzie' K."
<doz...@xxxxxxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
On 14.01.2009, Nico Kadel-Garcia <nka...@xxxxxxxxx> wrote:

On Jan 14, 7:20 am, Andrea Francia
<afran...@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx>
wrote:
The problem is about security settings of the Subversion repository
served through the Apache web server.

Do not use this technique, *EVER*, for accessing Subversion
repositories, except for anonymous access.

The major problem is that the UNIX and Linux default command-line
client, 'svn', stores all passwords locally in cleartext. The extent to
which this is an incredibly bad idea is stunning. And as the
Subversion administrator, you have no way to prevent your users from
ever using the command line client.

And this is much worse than storing, for example, e-mail passwords in
MUAs or FTP passwords? And many, many other passwords saved here and
there by various clients. And other VCS-es store their passwords
encrypted some way? And, as I understand, you can't configure Subversion
server to use HTTPS transport protocol with client certificates
required by the server, which gives the same effect as SSH with keys,
which you recommend that much.

FTP is amazingly strongly recommended against in any reasonably secure
environment, because the passwords are *transmitted* in the clear. The
fact that many MUAs store passwords in cleartext, such as fetchmail
and many poorly made MUAs,

Poorly. So how would you make an MUA so it's *usable* and
_secure in your opinion_?

is no use for repeating the behavior for
the reference implementation of a source control system: it's not even
peer pressure, it's just a really bad example to follow. Many MUAs do
this correctly, by providing some local locking of the passwords.

Usable, I said.

There is no excuse, however, for deliberately providing a mechanism
that encourages this when another far more secure method is
available.

What kind of security is it? Storing asymmetric keys? Maybe encrypted
with passwords? And how does it differ

The point with passwords is not that you should use asymmetric keys
instead, but that you should enter your passwords on trusted computers.

These are not merely *entered* on trusted computers. They are *stored
in cleartext* on arbitrary environments, which is a much, much, much
bigger security problem. Even a computer secure against online
monitoring or keylogging may be insecure against network shares or
backups of home directories, and that is a whole separate class of
security problem.

Network shares are provided by the file server, not by the client.
It's that simple.

What do you mean saying "online monitoring"? Sniffing? The protocol
which gives you possibility of sniffing out someone's password actually
always gives you the ability to tamper with its connection and you should
look for different protocol giving you the same. So sniffing is no
argument, too.

--
Secunia non olet.
Stanislaw Klekot
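The thread's central claim is that the 'svn' client caches passwords in cleartext under ~/.subversion/auth/svn.simple. The following audit script is an added example, not code from the thread or from the Subversion project: it parses the client's hash-dump cache format and reports which entries hold a plain "simple" password versus a reference to a keyring. The sample cache entry is constructed; the realm and username are placeholders.

```python
"""Audit Subversion's client auth cache for cleartext password entries.

Each file under ~/.subversion/auth/svn.simple/ is in Subversion's
hash-dump format: "K <len>" then the key, "V <len>" then the value,
terminated by "END".  A 'passtype' of "simple" (or none at all) with a
'password' key means the secret is stored in cleartext on disk.
"""
from pathlib import Path

# Constructed sample entry; realm and username are placeholders.
SAMPLE_PLAINTEXT = """K 8
passtype
V 6
simple
K 8
password
V 6
secret
K 15
svn:realmstring
V 43
<https://svn.example.com:443> Example Realm
K 8
username
V 5
alice
END
"""


def parse_hash_dump(text):
    """Parse one hash-dump entry into a dict (stated lengths are not trusted)."""
    lines, entry, i = text.split("\n"), {}, 0
    while i < len(lines) and lines[i] != "END":
        if lines[i].startswith("K "):
            if i + 3 >= len(lines) or not lines[i + 2].startswith("V "):
                raise ValueError("malformed hash-dump entry")
            entry[lines[i + 1]] = lines[i + 3]   # key line, then value line
            i += 4
        else:
            i += 1
    return entry


def classify(entry):
    """'cleartext' if the password sits on disk, 'protected' if a keyring holds it, else 'none'."""
    passtype = entry.get("passtype")
    if "password" in entry and passtype in (None, "simple"):
        return "cleartext"
    return "protected" if passtype else "none"


def audit_dir(auth_dir):
    """Map each cache file name to its classification."""
    return {p.name: classify(parse_hash_dump(p.read_text())) for p in Path(auth_dir).iterdir() if p.is_file()}


if __name__ == "__main__":
    for name, verdict in audit_dir(Path.home() / ".subversion/auth/svn.simple").items():
        print(f"{verdict:10} {name}")
```

Entries reported as "cleartext" are exactly the case discussed above; newer svn clients stop creating them when `store-plaintext-passwords = no` is set in ~/.subversion/servers.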