subversion-commits mailing list archives

From Apache subversion Wiki <comm...@subversion.apache.org>
Subject [Subversion Wiki] Update of "EncryptedPasswordStorage" by CMichaelPilato
Date Fri, 13 Jan 2012 19:05:17 GMT
Dear Wiki user,

You have subscribed to a wiki page or wiki category on "Subversion Wiki" for change notification.

The "EncryptedPasswordStorage" page has been changed by CMichaelPilato:
http://wiki.apache.org/subversion/EncryptedPasswordStorage?action=diff&rev1=9&rev2=10

Comment:
Mention the new --disable-plaintext-password-storage `configure' option.

  This page documents the support provided by the Subversion client layer for caching user
credentials in a cryptographically safe fashion, and provides a workspace for contributions
regarding how that support can be expanded and simplified for more widespread general use.
  
  == What's Offered Today ==
- The Subversion core libraries handle credential caching (and automatic recall) using a variety
of mechanisms.  Most of those mechanisms are not implemented by the Subversion codebase itself,
but are offered as services by the operating system or third-party security libraries/subsystems.
 In fact, Subversion's codebase offers but a single general type of credential caching:  plaintext
storage using flat files created in the user's runtime configuration area (under ''$HOME/.subversion/auth/''
on Unix platforms; under ''%APPDATA%/Subversion/auth/'' in Windows).  For many users, this
solution is secure enough. there is but a single user on their machine, or there are several
users with their own home directories whose filesystem-level permissions don't permit one
user to access and read another user's credential caching files.  But some Subversion-using
companies desire more in terms of password caching.  So Subversion also integrates with several
other types of external storage mechanisms.
+ The Subversion core libraries handle credential caching (and automatic recall) using a variety
of mechanisms.  Most of those mechanisms are not implemented by the Subversion codebase itself,
but are offered as services by the operating system or third-party security libraries/subsystems.
 In fact, Subversion's codebase offers but a single general type of credential caching:  plaintext
storage using flat files created in the user's runtime configuration area (under ''$HOME/.subversion/auth/''
on Unix platforms; under ''%APPDATA%/Subversion/auth/'' in Windows).
+ 
+ {{{#!wiki note
+ In 1.8-dev, Subversion's configure script accepts a --disable-plaintext-password-storage
option to bypass the logic which stores plaintext passwords and client certificate passphrases.
+ }}}
+ For many users, this solution is secure enough. there is but a single user on their machine,
or there are several users with their own home directories whose filesystem-level permissions
don't permit one user to access and read another user's credential caching files.  But some
Subversion-using companies desire more in terms of password caching.  So Subversion also integrates
with several other types of external storage mechanisms.
  
  === Windows Cryptographic Services ===
  Subversion running on Windows 2000 or newer will use Windows' standard cryptographic services
to encrypt credentials before caching them.  This subsystem of the operating system ties the
cryptographic algorithm to the user's system login credentials, allowing the user to read
and write encrypted credentials without additional prompting or challenges after the initial
login mechanism.
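Review bot: In the re-added paragraph that begins "For many users, this solution is secure enough", the phrase "this solution" now sits directly after the new note block, so it reads as if it refers to the --disable-plaintext-password-storage option rather than to plaintext storage under the auth/ directory. Either move the note below that paragraph or name the antecedent explicitly, for example "For many users, plaintext storage is secure enough". The note also says the option bypasses "the logic which stores plaintext passwords and client certificate passphrases" without saying what a client built this way does with credentials when none of the external storage mechanisms is available; one sentence on that would help anyone deciding whether to build with it. Lastly, "secure enough. there is but a single user" is carried over unchanged from the removed text; a colon, or a capitalised "There", would fix it while the line is being touched.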
