Author: dsahlberg
Date: Wed Mar  3 07:04:00 2021
New Revision: 1887129

URL: http://svn.apache.org/viewvc?rev=1887129&view=rev
Log:
* site/staging/faq.html:
  Update the FAQ entry for plaintext passwords

Discussed in users@
http://mail-archives.apache.org/mod_mbox/subversion-users/202103.mbox/%3cCAJT2EHrb1ppSWH--+cL4oiF4=nrpjbsnckff36paztrue2u...@mail.gmail.com%3e

Modified:
    subversion/site/staging/faq.html

Modified: subversion/site/staging/faq.html
URL: 
http://svn.apache.org/viewvc/subversion/site/staging/faq.html?rev=1887129&r1=1887128&r2=1887129&view=diff
==============================================================================
--- subversion/site/staging/faq.html (original)
+++ subversion/site/staging/faq.html Wed Mar  3 07:04:00 2021
@@ -200,9 +200,8 @@ a <tt>file:</tt> URL?</a></li>
 <li><a href="#hook-debugging">Why aren't my repository hooks working?</a></li>
 <li><a href="#diff-cmd">Why does my --diff-cmd complain about '-u'?
     I tried to override it with --extensions, but it's not working.</a></li>
-<li><a href="#plaintext-passwords">Ahhh!  I just discovered that my
-    Subversion client is caching passwords in plain-text on disk!
-    AHHH!</a></li>
+<li><a href="#plaintext-passwords">How does Subversion cache credentials
+    (plaintext and encrypted)</a></li>
 <li><a href="#hotcopy-large-repos">I can't hotbackup my repository, svnadmin
     fails on files larger than 2Gb!</a></li>
 <li><a href="#hidden-log">I cannot see the log entry for the file
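Review bot: the replacement TOC entry on the two `+<li>` lines ("How does Subversion cache credentials (plaintext and encrypted)") drops the trailing question mark that the matching `<h3>` in the section body carries ("...(plaintext and encrypted)?"); add the "?" so the index entry and the heading read identically, as the neighbouring entries (e.g. "Why aren't my repository hooks working?") do.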
@@ -3240,48 +3239,101 @@ working copy.</p>
 
 
 <div class="h3" id="plaintext-passwords">
-<h3>Ahhh!  I just discovered that my
-    Subversion client is caching passwords in plain-text on disk!
-    AHHH!
+<h3>How does Subversion cache credentials (plaintext and encrypted)?
   <a class="sectionlink" href="#plaintext-passwords"
     title="Link to this section">&para;</a>
 </h3>
 
-<p>Calm down, take a deep breath.</p>
+<p>To avoid having to type a password for each server operation, Subversion
+can cache credentials.</p>
 
-<p>On Windows, Subversion uses standard 
-Windows APIs to encrypt the data, so only the user can decrypt the 
-cached password.
-<i>(Since svn 1.2.)</i></p>
-
-<p>On Mac OS X, Subversion uses the system Keychain
-facility to encrypt/store your svn password.
-<i>(Since svn 1.4.)</i></p>
-
-<p>On UNIX/Linux, Subversion supports GNOME Keyring and KWallet,
-both of which facilitate storing passwords on disk encrypted.
-These programs need to be available at compile-time and and at run-time.
-Otherwise, the client will fall back to caching your password in
-plaintext, but it will <em>never</em>
-cache a password in plaintext without asking first.
-<i>(Since svn 1.6.)</i></p>
-
-<p>On UNIX/Linux, the directory which contains the cached passwords (usually
-~/.subversion/auth/) has permissions of 700, meaning only you can read
-them.</p>
-
-<p>However, if you're really worried, you can permanently turn off
-password caching.  Set 'store-auth-creds = no' in your run-time config file
-to disable storing any kind of credentials, or
-you can use the more narrowly-defined 'store-passwords = no' (so that
-server certs are still cached), or you
-can use the even more narrowly-defined 'store-plaintext-passwords = no'
-(so that encrypted stores like GNOME Keyring and KWallet will still be used).
-More information on password cacheing is in chapter 6 of the <a 
-href="http://svnbook.red-bean.com/nightly/en/index.html";>"Nightly 
-Build" Subversion book</a>, under 
-<a 
href="http://svnbook.red-bean.com/nightly/en/svn.serverconfig.netmodel.html#svn.serverconfig.netmodel.credcache";>
-"Client Credentials Caching".</a></p>
+<p>Passwords may have been cached unencrypted by older versions of Subversion
+("grandfathered in") and Subversion always supports reading these. Whether and
+how Subversion caches new credentials depends on several factors, including the
+access method, operating system, compile-time options, and settings in the
+client's run-time config file.</p>
+
+<p>To show the credentials in your cache, use <tt>svn auth</tt>. Credentials
+are never removed automatically but may be removed manually using
+<tt>svn auth --remove</tt>.</p>
+
+<h4>Windows</h4>
+
+<p>On Windows, Subversion uses standard Windows APIs to encrypt the data, so
+only the user can decrypt the cached password. <i>(Since Subversion
+1.2.)</i></p>
+
+<h4>macOS (formerly Mac OS X)</h4>
+
+<p>On macOS, Subversion uses the system Keychain facility to encrypt/store
+the user's svn password. <i>(Since Subversion 1.4.)</i></p>
+
+<h4>UNIX/Linux</h4>
+
+<p>On UNIX/Linux, Subversion supports up to four credential caches:</p>
+
+<ul>
+<li>GNOME Keyring</li>
+<li>KWallet</li>
+<li>GPG-Agent</li>
+<li>Plaintext cache in ~/.subversion/auth/svn.simple/</li>
+</ul>
+
+<p>To determine which credential caches your Subversion client supports, run
+the <tt>svn --version</tt> command and look for "The following authentication
+credential caches are available" toward the end of its output.</p>
+
+<p>GNOME Keyring and KWallet both facilitate storing passwords on disk
+encrypted. For Subversion to support these programs (since Subversion 1.6),
+they need to be available at compile-time and at run-time.</p>
+
+<p class="todo">TODO: Discuss GPG-Agent.</p>
+
+<p>Depending on a compile-time option (--enable-plaintext-password-storage)
+and runtime configurations (see below) Subversion <i>may</i> fallback to 
storing
+passwords in the Plaintext cache.</p>
+
+<p>The default value of --enable-plaintext-password-storage was changed from
+True to False in Subversion 1.12, thus disabling the Plaintext cache unless
+explicitly enabled.</p>
+
+<p>The directory which contains cached Plaintext passwords (usually
+<tt>~/.subversion/auth/</tt>) has permissions of 700, meaning only the user
+(and root) can read them.</p>
+
+<h4>"Subversion was compiled with support for Plaintext password cache but I
+want to prevent writing passwords to the Plaintext cache."</h4>
+
+<p>The following options are available in your run-time config file
+(per user ~/.subversion/config and ~/.subversion/servers,
+systemwide /etc/subversion/config and /etc/subversion/servers):</p>
+
+<ul>
+<li>To allow encrypted stores like GNOME Keyring and KWallet, but not the
+    Plaintext cache, set <tt>store-plaintext-passwords = no</tt>.</li>
+<li>To allow caching server certs but not passwords (encrypted or not), set
+    <tt>store-passwords = no</tt>.</li>
+<li>To disable storing any kind of credentials (encrypted or not) set
+    <tt>store-auth-creds = no</tt>.</li>
+</ul>
+
+<h4>"I want to use the Plaintext cache but it wasn't enabled at compile
+time."</h4>
+
+<p>In response to various questions and requests, the Subversion developers
+have written a Python script that can store a plain-text password to the
+cache. If you understand the security implications, have ruled out other
+alternatives, and still want to cache your password in plain-text on disk, you
+may find the script here:</p>
+
+<p class="todo">TODO: Link to the script.</p>
+
+<h4>Additional Information</h4>
+
+<p>More information on password caching is in Chapter 6 of the <a
+href="http://svnbook.red-bean.com/en/1.7/index.html";>Subversion book</a>,
+under <a 
href="http://svnbook.red-bean.com/en/1.7/svn.serverconfig.netmodel.html#svn.serverconfig.netmodel.credcache";
+>"Client Credentials Caching".</a></p>
 
 </div>
 
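Review bot: two unresolved placeholders are committed with the new section, `<p class="todo">TODO: Discuss GPG-Agent.</p>` and `<p class="todo">TODO: Link to the script.</p>`; the second leaves "you may find the script here:" pointing at nothing, so either supply the link or drop that sentence before this is promoted from staging. Two smaller points in the same hunk: "Subversion <i>may</i> fallback to storing" should read "fall back to", and the build option --enable-plaintext-password-storage should be wrapped in <tt> like the run-time config keys (store-plaintext-passwords, store-passwords, store-auth-creds) that the section otherwise marks up. There is also trailing whitespace on the "fallback to " and "under <a " lines.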

