subversion-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Apache subversion Wiki <>
Subject [Subversion Wiki] Update of "EncryptedPasswordStorage" by CMichaelPilato
Date Tue, 03 Jan 2012 16:07:26 GMT
Dear Wiki user,

You have subscribed to a wiki page or wiki category on "Subversion Wiki" for change notification.

The "EncryptedPasswordStorage" page has been changed by CMichaelPilato:

Add notes about GNOME Keyring and KDE Wallet.

  This page documents the support provided by the Subversion client layer for caching user
credentials in a cryptographically safe fashion.
  {{{#!wiki warning
- This document is incomplete!}}}
+ This document is incomplete!
+ }}}
  == What's Offered Today ==
  The Subversion core libraries handle credential caching (and automatic recall) using a variety
of mechanisms.  Most of those mechanisms are not implemented by the Subversion codebase itself,
but are offered as services by the operating system or third-party security libraries/subsystems.
 In fact, Subversion's codebase offers but a single general type of credential caching:  plaintext
storage using flat files created in the user's runtime configuration area (under ''$HOME/.subversion/auth/''
on Unix platforms; under ''%APPDATA%/Subversion/auth/'' in Windows).  For many users, this
solution is secure enough. there is but a single user on their machine, or there are several
users with their own home directories whose filesystem-level permissions don't permit one
user to access and read another user's credential caching files.  But some Subversion-using
companies desire more in terms of password caching.  So Subversion also integrates with several
other types of external encrypted storage mechanisms.
@@ -15, +15 @@

  === Mac OS X Keychain ===
  On Mac OS X, Subversion stores passwords in the login keyring (which is managed        
      by the Keychain service).  Similarly to the Windows situation, this keychain is protected
by the               user's account password.  The Keychain service allows users to impose
additional policies, too, such as requiring that the               user's account password
be entered each time the               Subversion password is used.
+ === GNOME Keyring and KDE Wallet ===
+ Many Unix systems provide either the GNOME or KDE graphical windowing environments, both
of which offer services similar to the Mac OS X Keychain.  Generally speaking, these password
managers offer one or more keychains, which each keychain encrypted by some passphrase.  Users
must first unlock the keychains with the passphrase before applications can read and write
from the keychains.  GNOME Keyring offers a small improvement here in that it can automatically
create a default login keychain and use the user's login password as the passphrase for that
keychain.  This allows a single-sign-on sort of behavior (the same way that Mac OS X Keychain
and the Windows Cryptographic Services work).  KDE Wallet has not yet implemented similar
behavior (see

View raw message