Last month, while discussing some of the new and significant features available in Subversion 1.6, we talked a little bit about the security features. This month we’ll concentrate exclusively on security improvements.
Warning when passwords are cached in plain text
The Subversion client always had capabilities to cache passwords provided by the user in the ~/.subversion directory in *NIX systems. Unfortunately, these passwords were cached in plain text form, which the user is not explicitly intimated about. Subversion 1.6 throws a prompt before storing passwords in plain text if it is unable to locate a mechanism to encrypt passwords provided by the operating system. This is illustrated as follows:
$ svn co http://localhost/svn/repos wc Authentication realm: <http://localhost:80> TEST SVN repository Password for 'stylesen': ----------------------------------------------------------------------- ATTENTION! Your password for authentication realm: <http://localhost:80> TEST SVN repository can only be stored to disk unencrypted! You are advised to configure your system so that Subversion can store passwords encrypted, if possible. See the documentation for details. You can avoid future appearances of this warning by setting the value of the 'store-plaintext-passwords' option to either 'yes' or 'no' in '/home/stylesen/.subversion/servers'. ----------------------------------------------------------------------- Store password unencrypted (yes/no)? yes Checked out revision 0. $
The default behaviour is to prompt the user if passwords are going to be stored in plain text. If you don’t want to be prompted each time, then you can opt to specify this information in the Subversion servers configuration file, either globally or on a per-server basis, with the following parameters:
Globally,
[global] store-passwords = yes store-plaintext-passwords = yes
Per server,
[groups] group1 = *.collab.net othergroup = *.example.com [group1] store-passwords = yes store-plaintext-passwords = yes [othergroup] store-passwords = no store-plaintext-passwords = yes
We already have mechanisms built in Subversion to cache passwords in encrypted form using the wincrypt API in Windows and Keychain services in Mac OS.
Caching SSL client certificate passphrases
The new version provides a way to cache SSL client certificate passphrases also. Previously, you had an option to specify the client certificate passphrase in the servers file, where you needed to hard-code the passphrase for each SSL client certificate with the parameter ssl-client-cert-pp. Now Subversion automatically caches this for each certificate. This feature is analogous to caching passwords, where you are prompted before storing the passphrases in plain text, as explained in the above section. You can also have control over the plain text passphrase caching with the following parameters in the Subversion servers file:
store-ssl-client-cert-pp = (yes/no ) store-ssl-client-cert-pp-plaintext = (yes/no)
The following code illustrates caching of plain text passphrases:
$ svn co https://localhost/svn/repos wc Authentication realm: https://localhost:443 Client certificate filename: /home/stylesen/stylesen.p12 Passphrase for '/home/stylesen/stylesen.p12': ----------------------------------------------------------------------- ATTENTION! Your passphrase for client certificate: /home/stylesen/stylesen.p12 can only be stored to disk unencrypted! You are advised to configure your system so that Subversion can store passphrase encrypted, if possible. See the documentation for details. You can avoid future appearances of this warning by setting the value of the 'store-ssl-client-cert-pp-plaintext' option to either 'yes' or 'no' in '/home/stylesen/.subversion/servers'. ----------------------------------------------------------------------- Store passphrase unencrypted (yes/no)? yes Checked out revision 0.
Encrypted password/passphrase caching
Version 1.6 provides an easy way in which passwords/passphrases can be cached in an encrypted form in *NIX systems. If you are a GNOME user and want to store Subversion passwords in encrypted form, then you can use the GNOME Keyring to do so. KDE users can make use of KWallet. In order to use either of these, the Subversion binaries must be compiled with the option for GNOME Keyring or KWallet support. The password stores that must be used can be configured by specifying it in Subversion config at ~/.subversion/config.
[auth] ### Set password stores used by Subversion. They should be ### delimited by spaces or commas. The order of values determines ### the order in which password stores are used. ### Valid password stores: ### gnome-keyring (Unix-like systems) ### kwallet (Unix-like systems) ### keychain (Mac OS X) ### windows-cryptoapi (Windows) password-stores = gnome-keyring , kwallet
In order to enable Subversion to cache passwords in GNOME Keyring we need to pass the following parameter to the configure script while compiling Subversion source:
--with-gnome-keyring
The above requires GNOME Keyring libraries available in your operating system, failing which Subversion falls back to caching passwords unencrypted. Once you have Subversion binary code compiled with GNOME Keyring support, the passwords are automatically cached in Keyring, provided it is unlocked. If the GNOME Keyring is locked, you’ll get a prompt to unlock it. Once unlocked, the password will get stored in Keyring. A sample run is as follows:
$ svn co http://localhost/svn/repos wc Password for ‘default’ GNOME keyring: Authentication realm: <http://localhost:80> TEST SVN repository Password for ‘stylesen’: Checked out revision 0. $ svn co http://localhost/svn/repos wc Checked out revision 0. $
KDE can also make use of KWallet in order to store passwords in encrypted form. In order to use KWallet, the Subversion binaries must be compiled with the following option:
--with-kwallet
Subversion is a widely used version control system in many free software projects and corporate environments. With its new features and improvements, users will benefit from the ease with which they can use it. The latest release (version 1.6.1) of the source can be downloaded from subversion.tigris.org. If you want Subversion binaries for different platforms, visit open.collab.net.
