Subversion 1.6 Security Improvements

  15 comments for “Subversion 1.6 Security Improvements

  1. July 7, 2009 at 10:52 am

    A cool feature of the gnome-keyring support that you forgot to mention is that it can even be used when there is no X environment available, such as when logged into a remote SSH terminal session. In this environment, you need to manually start the gnome-keyring:
    $ export `gnome-keyring-daemon`
    This command can be run from the terminal or in your login script. Before exiting the terminal, or in a logout script you should run:
    CollabNet also provides a command line tool in the CollabNet Subversion RPM for creating and working with your keyring:
    $ keyring_tool
    Keyring tools is application that lets you manage keyrings.
    keyring_tool {–list | -t}
    List all the existing keyring names.
    keyring_tool {–setdef=keyring_name | -s keyring_name}
    Set given keyring as default keyring.
    keyring_tool {–getdef | -g}
    Get keyring name of default keyring.
    keyring_tool {–create=keyring_name | -c keyring_name} [-p password]
    Create a given keyring with a password.
    keyring_tool {–delete=keyring_name | -d keyring_name}
    Delete a given keyring.
    keyring_tool {–lock=keyring_name | -l keyring_name}
    Lock a given keyring.
    keyring_tool {–unlock=keyring_name | -u keyring_name} [-p password]
    Unlock given keyring with a password.
    keyring_tool {–modify=keyring_name | -m keyring_name} [-p password] [-n new_password]
    Modify given keyring, old password with a new password.
    keyring_tool {–info=keyring_name | -i keyring_name}
    Get information of a given keyring.
    keyring_tool {–version | -v}
    print version information.
    keyring_tool {–help | -h}
    Print this help.

  2. Dan Levine
    July 27, 2009 at 5:20 am

    Thanks for the info. One question though: what if one has a need for automated builds with a pseudo user. Take the CruiseControl capability for example. Having the password cached is necessary, but one doesn’t want user-interaction (for opening the keyring).
    Does opening the keyring expose credentials in its unencrypted form? If not, then I guess opening that up under script control would be no big deal. But my guess is it is a big deal and should not be done.

  3. July 27, 2009 at 5:54 am

    Dan Levine, For cruise control, you can open the pseudo user account once and cache the credentials in the keyring, further attempts will take it from the keyring. If you don’t want keyring at all, make use of the ‘–non-interactive’ option.
    We can see the credentials in the unencrypted form, in the gnome-keyring-manager. You can make use of the gnome-keyring APIs in order to get the credentials, but again this is specific to the user and tightly bound with the permissions of the user.

  4. October 20, 2009 at 11:05 am

    Is the collabnet version of the subversion client contain support for the gnome-keyring or would I have to compile subversion from source code? Also which version of the gnome-keyring should work with subversion 1.6 ?

  5. October 21, 2009 at 1:14 am

    antoine, CollabNet Subversion has support for GNOME Keyring, you need not build
    subversion from source if you opt to use CollabNet Subversion rpm (> 1.6.x).
    GNOME Keyring version > 0.6.0 (which I used in my Debian etch box during
    development) should work with subversion 1.6

  6. October 28, 2009 at 8:42 am

    Hello all,
    If the password of the user changed, would the user have to use the keyring_tool to change the password? I was just wondering if the svn client could handle this on it’s own

  7. June 8, 2010 at 6:58 am

    Hey..I love you blog. As you have very useful information with. Password is very important thing in our life as now a days we need a password for operating in bank account, We need password for mailing or chatting with friend. It plays important role in our life.

  8. June 29, 2010 at 3:37 am

    So you need to build from the source in order to save password? That isn’t what you could call user-friendly…

  9. June 30, 2010 at 12:18 am

    So you need to build from the source in order to save password? That isnt what you could call user-friendly…
    This may not be true always. If you have the latest subversion updates supplied by your operating system, then you need not build it from scratch.

  10. August 12, 2010 at 12:29 am

    This blog rocks! I gotta say, that I read a lot of blogs on a daily basis and for the most part, people lack substance but, I just wanted to make a quick comment to say I’m glad I found your blog. Thanks,

  11. August 12, 2010 at 10:05 am

    Hi Senthil,
    I’m trying to get svn and gnome-keyring working with CruiseControl too. I don’t understand your advice to Dan Levine, though. What do you mean by “open the pseudo user account once and cache the credentials in the keyring”? And if a password is necessary, how could the –non-interactive option work?
    I can use the gnome-keyring with svn by itself perfectly. It doesn’t ask for passwords. But then when CruiseControl tries to svn update it errors out because it couldn’t authenticate. The error is
    svn: OPTIONS of ‘repo url’: authorization failed: Could not authenticate to server: rejected Basic Challenge (host)
    Any idea what could be wrong? Thanks!

  12. August 18, 2010 at 12:42 am

    Hello njw-apl,
    The error says, when the server challenges for a password it does not get one, which is apt for the user. This is because the password is not cached in GNOME-Keyring or there is no password available when the server challenges.
    My suggestion to cache the pseudo user password is simple. Identify the user which cruise control uses to talk with the subversion server and then do a ‘svn ls’ on the URL of the subversion repository with the same user that cruise control uses, if GNOME Keyring prompts for a password for this user, then cache it, then see to it that cruise control uses this user whose password is cached manually by you as described above. This should solve the problem, for future runs of cruise control.
    If you plan not to use GNOME Keyring, then you can make use of ‘–non-interactive’ option, but in this case you need to provide the username and password explicitly with the help of ‘–username’ and ‘–password’ options in the command line where you invoke the subversion binary.

  13. rooferkane
    October 17, 2010 at 7:23 pm

    This post is very informative. Hope people with such knowledge as you continues to share it. I’ll bookmark this for reference. All Tex Exteriors

  14. PaulB
    September 30, 2014 at 3:03 am

    Hi, very good comment and useful information. There are two issues I would like to add:
    – there is a long standing bug with KWallet and Subversion which hasn’t been fixed for five years (I didn’t work for me – google for subversion kwallet crash)
    – after adding the configuration for gnome keyring, storing of passwords with the keyring only worked for me after clearing the ~/.subversion/auth directory

Leave a Reply

Your email address will not be published. Required fields are marked *