Wednesday, December 9, 2009

Subversion caches clear text passwords

If you are a Subversion (svn) user, you may not be aware of this. By default, Subversion caches the password for each repository realm under the $HOME/.subversion/auth/svn.simple directory, one file per realm, named after the MD5 hash of the realm string (which is why the names look arbitrary). Unless a keyring provider is in use (see the notes from colleagues below), that file holds the password in clear text, readable by anyone who can read your home directory.

You need to do the following:
1) Delete all the files under $HOME/.subversion/auth/svn.simple. This is the only way to invalidate passwords that are already cached.
2) In the $HOME/.subversion/config file, under [auth], uncomment the line

store-passwords = no

If you run Subversion 1.6 or later, these options are deprecated in config and live in the [global] section of $HOME/.subversion/servers instead. There, store-passwords = no switches caching off entirely, and store-plaintext-passwords = no still lets a keyring provider cache the password but forbids writing it to disk unencrypted (the default, ask, prompts before doing so).

The comment in the config file says:
### Set store-passwords to 'no' to avoid storing passwords in the
### auth/ area of your config directory. It defaults to 'yes'.
### Note that this option only prevents saving of *new* passwords;
### it doesn't invalidate existing passwords. (To do that, remove
### the cache files by hand as described in the Subversion book.)
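Here is an added example (my own script, not part of the original post or of Subversion itself) that does both steps and checks the result. The functions take the cache directory and the config file as parameters so they can be tried on a scratch copy first; the script name svn-cache-audit.sh and the --run flag are my own choices. The parser reads the hash-file layout Subversion writes to svn.simple (a "K <len>" line, the key, a "V <len>" line, the value, repeated, then END). It removes only entries that actually carry a password key, so keyring-backed entries like the ones described in the notes below are left alone.

```shell
#!/bin/sh
# Added example (not from the original post): audit a Subversion auth cache
# for plaintext passwords, remove those entries, and turn the cache off.
# Paths are parameters; main() below uses the defaults the post names.

# Print each file under DIR (normally ~/.subversion/auth/svn.simple) that
# contains a plaintext password. Subversion writes one hash file per realm.
# A plaintext entry carries a "password" key; entries handed to
# gnome-keyring, kwallet or the OS X keychain record only a passtype,
# realm and username, so they are not listed.
svn_plaintext_cache_files() {
    dir=$1
    [ -d "$dir" ] || return 0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        awk '
            prev == "K" { key = $0 }          # line after "K n" is the key
            prev == "V" { val[key] = $0 }     # line after "V n" is the value
            { prev = (NF == 2 && ($1 == "K" || $1 == "V")) ? $1 : "" }
            END { if ("password" in val) print FILENAME }
        ' "$f"
    done
}

# Number of plaintext entries under DIR.
svn_plaintext_cache_count() {
    svn_plaintext_cache_files "$1" | wc -l | tr -d ' '
}

# Remove the plaintext entries under DIR. The post deletes every file in
# svn.simple; this keeps keyring-backed entries, which hold no secret.
svn_scrub_cache() {
    svn_plaintext_cache_files "$1" | while IFS= read -r f; do
        rm -f -- "$f"
    done
}

# Set "store-passwords = no" in CONFIG (normally ~/.subversion/config).
# Rewrites an existing (possibly commented-out) store-passwords line; if
# there is none, appends an [auth] section with the setting. This only
# stops new passwords being saved; existing files must be scrubbed too.
svn_disable_password_cache() {
    cfg=$1
    tmp=$cfg.tmp.$$
    if grep -q '^[# ]*store-passwords[ ]*=' "$cfg" 2>/dev/null; then
        sed 's/^[# ]*store-passwords[ ]*=.*/store-passwords = no/' "$cfg" > "$tmp"
    else
        { cat "$cfg" 2>/dev/null || true; printf '[auth]\nstore-passwords = no\n'; } > "$tmp"
    fi
    mv "$tmp" "$cfg"
}

# Read back the effective value: the last uncommented store-passwords line.
svn_store_passwords_setting() {
    sed -n 's/^store-passwords[ ]*=[ ]*//p' "$1" 2>/dev/null | tail -n 1
}

# Only act on the real home directory when explicitly asked to.
if [ "${1:-}" = "--run" ]; then
    auth_dir=$HOME/.subversion/auth/svn.simple
    cfg=$HOME/.subversion/config
    echo "plaintext entries found: $(svn_plaintext_cache_count "$auth_dir")"
    svn_plaintext_cache_files "$auth_dir"
    svn_scrub_cache "$auth_dir"
    svn_disable_password_cache "$cfg"
    echo "store-passwords is now: $(svn_store_passwords_setting "$cfg")"
fi
```

Run it as sh svn-cache-audit.sh --run; without the flag it only defines the functions. It edits config, as the post does; on Subversion 1.6 and later make the same change in the [global] section of $HOME/.subversion/servers.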

Have a safe source control system.

Disadvantage of not caching
You will have to enter the password more frequently.

Related Issues:
Maven has the same problem: repository credentials in $HOME/.m2/settings.xml are clear-text <password> entries under each <server>.

Additional Notes from Colleagues:

If you are using Fedora and have the subversion-gnome package installed,
subversion will store passwords in the GNOME keyring. The equivalent
package for storing passwords in the KDE wallet is subversion-kde.

Only if you do not have these packages will subversion store clear text
passwords, but it will warn you about it and recommend installing the
keyring support. Fedora users might want to double check whether they
have the aforementioned package installed. I'm sure distros other than
Fedora provide this feature as well.

It does not seem to be the case with Mac OS; it seems to be linked to the keychain somehow.
That being said, if someone has root access to my machine, it shouldn't be too much of a problem to open keychain.

- Emmanuel


Flavia Rainone said...

Thanks for the tip, Anil!

Randall said...

If you're on OS X, you can simply remove the "~/.subversion/auth" directory, and though SVN will prompt for your password the next time it's needed, Keychain will remember the password and will not store it under "auth".

Of course, you may want to first rename the "auth" folder, try SVN, and remove the old directory when you see SVN use your keychain.

BTW, Maven version 2.1.0 supports encrypted passwords.