subversion-commits mailing list archives

From Apache subversion Wiki <>
Subject [Subversion Wiki] Update of "EncryptedPasswordStorage" by CMichaelPilato
Date Tue, 03 Jan 2012 15:55:43 GMT
Dear Wiki user,

You have subscribed to a wiki page or wiki category on "Subversion Wiki" for change notification.

The "EncryptedPasswordStorage" page has been changed by CMichaelPilato:

Begin documenting Subversion's current credential caching stuff (as a prelude to trying to
determine if there's more we can do).

New page:
= EncryptedPasswordStorage =
This page documents the support provided by the Subversion client layer for caching user credentials
in a cryptographically safe fashion.

{{{#!wiki warning
This document is incomplete!}}}

== What's Offered Today ==
The Subversion core libraries handle credential caching (and automatic recall) using a variety
of mechanisms.  Most of those mechanisms are not implemented by the Subversion codebase itself,
but are offered as services by the operating system or third-party security libraries/subsystems.
 In fact, Subversion's codebase offers but a single general type of credential caching:  plaintext
storage using flat files created in the user's runtime configuration area (under ''$HOME/.subversion/auth/''
on Unix platforms; under ''%APPDATA%/Subversion/auth/'' in Windows).  For many users, this
solution is secure enough:  there is but a single user on their machine, or there are several
users with their own home directories whose filesystem-level permissions don't permit one
user to access and read another user's credential caching files.  But some Subversion-using
companies desire more in terms of password caching.  So Subversion also integrates with several
other types of external encrypted storage mechanisms.

=== Windows Cryptographic Services ===
Subversion running on Windows 2000 or newer will use Windows' standard cryptographic services
to encrypt credentials before caching them.  This subsystem of the operating system ties the
cryptographic algorithm to the user's system login credentials, allowing the user to read
and write encrypted credentials without additional prompting or challenges after the initial
login mechanism.

=== Mac OS X Keychain ===
On Mac OS X, Subversion stores passwords in the login keyring (which is managed by the
Keychain service).  Similarly to the Windows situation, this keychain is protected by the
user's account password.  The Keychain service allows users to impose additional policies,
too, such as requiring that the user's account password be entered each time the Subversion
password is used.
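
The plaintext cache described under "What's Offered Today" relies entirely on filesystem permissions, so a local audit can check both the storage type and the file mode of each entry. The following is an added example, not part of the wiki page or of Subversion's code. It assumes details the page does not state: that entries are files under a svn.simple subdirectory of the auth area, written in Subversion's "K <len> / V <len> ... END" hash format, with a "passtype" field naming the storage mechanism.

```python
import os, stat, tempfile

def parse_svn_hash(data):
    """Parse the 'K <len>\\n<key>\\nV <len>\\n<value>\\n ... END' cache-file format."""
    fields, pos = [], 0
    while not data.startswith(b"END", pos):
        tag = b"V" if len(fields) % 2 else b"K"
        eol = data.index(b"\n", pos)              # ValueError if the file is truncated
        header = data[pos:eol].split()
        if len(header) != 2 or header[0] != tag or not header[1].isdigit():
            raise ValueError("malformed record at byte %d" % pos)
        start, size = eol + 1, int(header[1])
        fields.append(data[start:start + size])
        pos = start + size + 1                    # step over the newline after the payload
    return {k.decode(): v for k, v in zip(fields[0::2], fields[1::2])}

def audit_auth_dir(auth_dir):
    """List cache entries that hold a plaintext password or are accessible to other users."""
    findings = []
    for root, _dirs, files in os.walk(auth_dir):
        for name in sorted(files):
            path = os.path.join(root, name)
            try:
                with open(path, "rb") as fh:
                    entry = parse_svn_hash(fh.read())
            except (OSError, ValueError):
                continue                          # unreadable, or not a cache entry
            mode = stat.S_IMODE(os.stat(path).st_mode)
            # Assumption: a stored password with no passtype is treated as plaintext.
            plaintext = "password" in entry and entry.get("passtype", b"simple") == b"simple"
            exposed = bool(mode & (stat.S_IRWXG | stat.S_IRWXO))   # Unix mode bits only
            if plaintext or exposed:
                findings.append({"file": name, "plaintext": plaintext, "exposed": exposed, "mode": oct(mode)})
    return findings

def demo():
    """Audit a constructed sample cache (made-up values, no real credentials)."""
    def dump(d):
        return b"".join(b"K %d\n%s\nV %d\n%s\n" % (len(k), k, len(v), v) for k, v in d.items()) + b"END\n"
    samples = [("a1", 0o644, {b"passtype": b"simple", b"username": b"alice", b"password": b"made-up"}),
               ("b2", 0o600, {b"passtype": b"gnome-keyring", b"username": b"alice"})]
    with tempfile.TemporaryDirectory() as top:
        os.mkdir(os.path.join(top, "svn.simple"))
        for name, mode, fields in samples:
            path = os.path.join(top, "svn.simple", name)
            with open(path, "wb") as fh:
                fh.write(dump(fields))
            os.chmod(path, mode)
        return audit_auth_dir(top)
```

To audit a real Unix account, call audit_auth_dir(os.path.expanduser("~/.subversion/auth")); the report never includes the password value itself.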
