On Thu, Feb 25, 2021 at 2:00 AM Daniel Shahaf <d...@daniel.shahaf.name> wrote:
> Daniel Sahlberg wrote on Wed, Feb 24, 2021 at 23:27:18 +0100:
> > Suggestion for new FAQ entry:
> > [[[
> > Ahhh! I just discovered that my Subversion client is NOT caching passwords
> > in plain-text on disk! AHHH!
>
> Having two entry titles that differ only by a "not" isn't a good idea.
>
> > Calm down, take a deep breath.
> >
> > This is the opposite of the previous question. After changing the compile
> > time default to not store passwords in plain-text there has been a number
> > of requests in the mailing lists to store the password.
>
> "A number of requests on the mailing lists" seems like too fine a level
> of abstraction. I think the context basically needs to be "The default
> is X but you may want Y; here's how to do that".
>
> > If you understand the security implications, you have ruled out other
>
> s/, you/, /
>
> > alternatives and still want to cache your password in plain-text on disk
>
> s/ and/, and/
>
> > you can use the script
> > https://svn.apache.org/repos/asf/subversion/trunk/contrib/client-side/store-plaintext-password-py
> > to store the password in the directory which contains the cached passwords
> > (usually ~/.subversion/auth/). The script can also be used to list any
> > existing passwords stored in plain-text.
>
> This should just point to `svn auth`, surely?
>
> Should this explicitly say to run the script with --help to get its
> usage message?
>
> > ]]]
> >
> > I'm also suggesting to change the existing FAQ entry (Ahhh! I just
> > discovered that my Subversion client is caching passwords in plain-text on
> > disk! AHHH!) to mention the changed compile time default since 1.12 to not
> > store plain-text passwords:
> >
> > [[[
> > s/Otherwise, the client will fall back/Otherwise, the client can fall back/
> >
> > Since svn 1.12 the compile time default has been to disable storing new
> > passwords in plain-text, but old passwords can still be used. Certain
> > distributions may also have selected to use the compile time option to
> > enable plain-text password storage.
>
> Spell out that "old" passwords means passwords already cached on disk
> ("grandfathered") — as opposed to, say, passwords that had been changed.
>
> The wording "Certain distributions may…" sounds like indirect
> finger-pointing. Why not s/speculation/fact/: a compile-time option to
> enable plaintext passwords storage is provided and may have been
> selected by whoever built the binaries you're using (the term "distro"
> doesn't capture VisualSVN and TortoiseSVN).
>
> > s/However .*/In case Subversion is compiled with support for storing
> > plain-text passwords, you can disable it in your run-time config file by
> > setting 'store-plaintext-passwords = no' (so that encrypted stores like
> > GNOME Keyring and KWallet will still be used - this is already done in at
> > least one distribution which has selected to enable the plain-text password
> > storage in svn 1.12). If you want to disable storing any kind of
> > credentials you may instead set 'store-auth-creds = no', or you can use the
> > more narrowly-defined 'store-passwords = no' (so that server certs are
> > still cached). More information on password cacheing is in chapter 6 of the
> > "Nightly Build" Subversion book, under "Client Credentials Caching"./
>
> Is the information only available in the nightly build? If not,
> s/"Nightly Build"//.
>
> > ]]]
> >
> > The "Since svn 1.12..." should probably go in the end of the first "On
> > UNIX/Linux" section, after "(Since svn 1.6.)"
>
> At this point, a «svn diff -x-U10» unidiff might be easier for everyone.
>
> By the way, how about changing "if you're really worried" in the
> preëxisting text. This phrasing crosses the line from discussing the
> reader's risk assessment to discussing their mental state.

May I propose to have just one FAQ entry that simultaneously would answer:

* "what alternatives to plaintext caching are there?"
* "plaintext caching is supported but I want to *prevent* it"
* "plaintext caching is not supported but I want to use it anyway"

I took the FAQ entry we have right now, expanded it, fixed a few
mistakes, updated a few out-of-date things, incorporated some of
dsahlberg's text, incorporated some of danielsh's feedback, added new
information, and now the following bears little resemblance to any of
the above... But I've introduced some flaws, but I'm out of time for
the day to fix them. Please feel free to
edit/reorganize/spindle/mutilate!!

Notes:

INSTALL doesn't seem to document what is needed for Subversion to
support GPG-Agent on disk.

[[[
<div class="h3" id="plaintext-passwords">
<h3>Password caching in plain-text on disk
  <a class="sectionlink" href="#plaintext-passwords"
    title="Link to this section">¶</a>
</h3>

<p>To avoid having to type a password for each server operation,
Subversion can cache credentials.</p>

<p>Whether and how Subversion caches credentials depends on several
factors, including the operating system, compile-time options, and
settings in the client's run-time config file.</p>

<p>On some operating systems and configurations, Subversion can cache
passwords on disk in plain-text. Some users want this, while others
want to disallow it. This FAQ entry summarizes how credential caching
works and attempts to answer both of these questions:</p>

<ul>
<li>How to <b>prevent</b> caching passwords on disk in plain-text
  (with various alternatives provided), and</li>
<li>How to cache passwords on disk in plain-text</li>
</ul>

<h4>Windows</h4>

<p>On Windows, Subversion uses standard Windows APIs to encrypt the
data, so only the user can decrypt the cached password. <i>(Since
Subversion 1.2.)</i></p>

<h4>macOS (formerly Mac OS X)</h4>

<p>On macOS, Subversion uses the system Keychain facility to
encrypt/store the user's svn password. <i>(Since Subversion
1.4.)</i></p>

<h4>UNIX/Linux</h4>

<p>On UNIX/Linux, Subversion supports up to four credential
caches:</p>

<ul>
<li>GNOME Keyring</li>
<li>KWallet</li>
<li>GPG-Agent</li>
<li>Plaintext cache in ~/.subversion</li>
</ul>

<p>To determine which credential caches your Subversion client
supports, run the <tt>svn --version</tt> command and look for "The
following authentication credential caches are available" toward the
end of its output.</p>

<p>GNOME Keyring and KWallet both facilitate storing passwords on disk
encrypted. For Subversion to support these programs (since Subversion
1.6), they need to be available at compile-time and at run-time.
Otherwise, Subversion <i>may</i> fall back to storing passwords in the
Plaintext cache, if support for that is built in; see below.</p>

<p class="todo">TODO: Discuss GPG-Agent.</p>

<p>On UNIX/Linux, the Plaintext cache is always supported for
<b>reading</b>, but support for <b>writing</b> new passwords to the
cache depends on build time configuration. Since Subversion 1.12, the
default is <b>not</b> to support writing new passwords to the
Plaintext cache, unless specifically enabled at build time, but
Subversion will continue to use any previously cached passwords that
are "grandfathered in."</p>

<p>The directory which contains the cached passwords (usually
<tt>~/.subversion/auth/</tt>) has permissions of 700, meaning only the
user (and root) can read them.</p>

<h4>"I want to prevent writing passwords to the Plaintext cache!"</h4>

<p>The following options are available in your run-time config
file:</p>

<ul>
<li>To allow encrypted stores like GNOME Keyring and KWallet, but not
  the Plaintext cache, set <tt>store-plaintext-passwords =
  no</tt>.</li>
<li>To allow caching server certs but not passwords (encrypted or
  not), set <tt>store-passwords = no</tt>.</li>
<li>To disable storing any kind of credentials (encrypted or not) set
  <tt>store-auth-creds = no</tt>.</li>
</ul>

<h4>"I want to use the Plaintext cache but it wasn't enabled at build
time!"</h4>

<p>If your Subversion client was not built to cache passwords in
plain-text, note that although it will not <i>save</i> new passwords
to the cache, it will <i>use</i> any passwords that are already stored
there.</p>

<p>In response to various questions and requests, the Subversion
developers have written a Python script that can store a plain-text
password to the cache. If you understand the security implications,
have ruled out other alternatives, and still want to cache your
password in plain-text on disk, you may find the script here:</p>

<p class="todo">TODO: Link to the script.</p>

<h4>Additional Information</h4>

<p>More information on password caching is in chapter 6 of the
<a href="http://svnbook.red-bean.com/en/1.7/index.html">Subversion
book</a>, under
<a href="http://svnbook.red-bean.com/en/1.7/svn.serverconfig.netmodel.html#svn.serverconfig.netmodel.credcache">"Client
Credentials Caching".</a></p>

</div>
]]]

Cheers,
Nathan
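
An added example, not part of this thread and not the contrib script mentioned above: a read-only audit that reports which cached entries hold a plain-text password and whether the auth directory is restricted to mode 700. The `svn.simple` subdirectory, the `K`/`V`/`END` file layout and the `passtype` value `simple` are assumptions not stated in the thread; the sample entry is constructed.

```python
import stat
import sys
from pathlib import Path

# Constructed sample of one cache file; realm, user and password are made up.
SAMPLE = (b"K 8\npasstype\nV 6\nsimple\nK 8\npassword\nV 7\nhunter2\n"
          b"K 15\nsvn:realmstring\nV 39\n<https://svn.example.org:443> Demo Repo\n"
          b"K 8\nusername\nV 5\nalice\nEND\n")

def _read_item(data, pos, tag):
    """Read one 'K <len>' or 'V <len>' header and its payload; return (payload, next_pos)."""
    eol = data.index(b"\n", pos)          # ValueError if the file is truncated
    head = data[pos:eol]
    if not head.startswith(tag + b" "):
        raise ValueError(f"expected {tag!r} header at byte {pos}")
    size, start = int(head[2:]), eol + 1
    return data[start:start + size], start + size + 1

def parse_svn_hash(data):
    """Parse the length-prefixed key/value pairs of a cache file, up to END."""
    entries, pos = {}, 0
    while not data.startswith(b"END", pos):
        key, pos = _read_item(data, pos, b"K")
        entries[key.decode()], pos = _read_item(data, pos, b"V")
    return entries

def audit_auth_dir(auth_dir):
    """Return (dir_is_private, findings); findings never contain the password."""
    auth_dir = Path(auth_dir)
    # Mode 700 means no group/other permission bits are set.
    private = (stat.S_IMODE(auth_dir.stat().st_mode) & 0o077) == 0
    findings = []
    for path in sorted((auth_dir / "svn.simple").glob("*")):
        try:
            entry = parse_svn_hash(path.read_bytes())
        except ValueError:
            findings.append((path.name, "unparseable", "", ""))
            continue
        # Assumption: passtype "simple" marks a password stored unencrypted.
        if entry.get("passtype") == b"simple" and "password" in entry:
            realm, user = (entry.get(k, b"").decode(errors="replace")
                           for k in ("svn:realmstring", "username"))
            findings.append((path.name, "plaintext", realm, user))
    return private, findings

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else Path.home() / ".subversion" / "auth"
    private, findings = audit_auth_dir(target)
    print(f"{target}: permissions {'ok' if private else 'TOO OPEN (expected 700)'}")
    for name, status, realm, user in findings:
        print(f"{status:12} {name}  {user}  {realm}")
```

Entries written by an encrypted store carry a different `passtype` and are not reported.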