
This post is from the CollabNet VersionOne blog and has not been updated since the original publish date.

Last Updated Jul 06, 2009 — Enterprise Agile Planning expert

Subversion 1.6 Security Improvements


Software that requires a username and password to be keyed in every time you access a resource is a pain to use. On the other hand, software that can remember your username and password is a great convenience. But what if the username and password it remembers are stored in plaintext somewhere on your system? Isn't that a security risk? Of course it is, especially when you don't know that your passwords are stored in plaintext. This was the case with Subversion until 1.6.0, but Subversion 1.6 now brings security improvements with several features that help avoid such a scenario.

Warning on caching of plaintext passwords

Subversion has long been able to cache passwords, but on systems without a good way to store them in encrypted form it silently cached them in plaintext. This was bad, since users, especially new Subversion users, were not aware of it and were disappointed when they eventually found out. Since this was a common complaint on the mailing list, we set out to solve it in the Subversion community. Subversion 1.6 behaves differently when it is about to cache a password in plaintext, as you can see from the following sample run:

$ svn co http://localhost/svn/repos wc
Authentication realm: <http://localhost:80> TEST SVN repository
Password for 'stylesen':
-----------------------------------------------------------------------
ATTENTION!  Your password for authentication realm:

   <http://localhost:80> TEST SVN repository

can only be stored to disk unencrypted!  You are advised to configure
your system so that Subversion can store passwords encrypted, if
possible.  See the documentation for details.

You can avoid future appearances of this warning by setting the value
of the 'store-plaintext-passwords' option to either 'yes' or 'no' in
'/home/stylesen/.subversion/servers'.
-----------------------------------------------------------------------
Store password unencrypted (yes/no)? yes
Checked out revision 0.
$

Thus the user is aware that the password is being cached in plaintext. What if the user decides not to store passwords in plaintext but does not want to be prompted each time? In that case the user can adjust the following options in the Subversion servers file, i.e. '~/.subversion/servers'. Globally:

[global]
store-passwords = yes
store-plaintext-passwords = yes

Or on a per-server basis:

[groups]
group1 = *
othergroup = *

[group1]
store-passwords = yes
store-plaintext-passwords = yes

[othergroup]
store-passwords = no
store-plaintext-passwords = yes
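As an added example (not part of the original post and not Subversion's own code), the following audit script reports, for every credential cached under ~/.subversion/auth/svn.simple, whether the password itself sits on disk or is held by an encrypted store. It assumes the K/V hash-dump record layout Subversion writes to those files and builds a constructed sample cache from the realm shown above rather than reading a real one.

```python
import glob, os, tempfile
# Added example, not Subversion's own code. Assumed layout of one cached credential in
# ~/.subversion/auth/svn.simple/<realm-hash>:  K <len>\n<key>\nV <len>\n<value>\n ... END\n
# With an encrypted store only 'passtype' is written; a 'password' key means plaintext.

def dump_svn_hash(fields):
    # Serialise a dict in the K/V layout; used only to build the constructed samples.
    pairs = ((k.encode(), v.encode()) for k, v in fields.items())
    return b"".join(b"K %d\n%s\nV %d\n%s\n" % (len(k), k, len(v), v) for k, v in pairs) + b"END\n"

def _read_field(data, pos, tag):
    """Read one 'tag <len>\\n<bytes>\\n' field; lengths are byte counts, not line counts."""
    nl = data.index(b"\n", pos)
    found, length = data[pos:nl].split(b" ")
    if found != tag:
        raise ValueError(f"expected {tag!r} at offset {pos}, got {found!r}")
    start, end = nl + 1, nl + 1 + int(length)
    return data[start:end], end + 1   # +1 skips the newline that follows the value

def parse_svn_hash(data):
    # Parse one auth-cache record into a dict of key -> value.
    fields, pos = {}, 0
    while not data.startswith(b"END", pos):
        key, pos = _read_field(data, pos, b"K")
        value, pos = _read_field(data, pos, b"V")
        fields[key.decode()] = value.decode()
    return fields

def classify_entry(fields):
    """'plaintext' when the secret itself is on disk, else the store that holds it."""
    return "plaintext" if "password" in fields else fields.get("passtype", "unknown")

def audit_auth_dir(auth_dir):
    """Return (realm, storage) for each cached svn.simple credential; never the secret."""
    findings = []
    for path in sorted(glob.glob(os.path.join(auth_dir, "svn.simple", "*"))):
        with open(path, "rb") as fh:
            fields = parse_svn_hash(fh.read())
        findings.append((fields.get("svn:realmstring", path), classify_entry(fields)))
    return findings

def build_sample_auth_dir():
    """Constructed sample cache: one plaintext entry and one GNOME Keyring entry."""
    simple = os.path.join(tempfile.mkdtemp(), "svn.simple")
    os.mkdir(simple)
    realm = "<http://localhost:80> TEST SVN repository"     # realm shown in the post
    other = "<https://localhost:443> TEST SVN repository"   # constructed second realm
    samples = {"a1": {"password": "s3cret", "passtype": "simple", "username": "stylesen", "svn:realmstring": realm},
               "b2": {"passtype": "gnome-keyring", "username": "stylesen", "svn:realmstring": other}}
    for name, fields in samples.items():
        with open(os.path.join(simple, name), "wb") as fh:
            fh.write(dump_svn_hash(fields))
    return os.path.dirname(simple)
```

Running audit_auth_dir(os.path.expanduser("~/.subversion/auth")) on a real machine lists each realm with "plaintext" or the store name, so a "plaintext" line is the signal that store-plaintext-passwords should be set to no for that server.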

Wait, all of the above is specific to *NIX users; Subversion already had mechanisms to cache passwords in encrypted form using the WinCrypt API on Windows machines and Keychain services on Mac OS.

Okay, that is cool, but *NIX users like me were still not happy, since we had no proper mechanism to store passwords in encrypted form. That is no longer true: 1.6 comes with support for caching passwords and passphrases in encrypted form in GNOME Keyring or KWallet, depending on the desktop in use. The password store can also be chosen with the following parameter in the Subversion config file, i.e. '~/.subversion/config':

[auth]
### Set password stores used by Subversion. They should be
### delimited by spaces or commas. The order of values determines
### the order in which password stores are used.
### Valid password stores:
###   gnome-keyring        (Unix-like systems)
###   kwallet              (Unix-like systems)
###   keychain             (Mac OS X)
###   windows-cryptoapi    (Windows)
password-stores = gnome-keyring , kwallet

GNOME Keyring

To enable Subversion to cache passwords in GNOME Keyring, we need to pass the following option to the "configure" script when building Subversion from source.


This requires the GNOME Keyring libraries to be available on the system; if they are not, Subversion falls back to caching passwords unencrypted. Once Subversion is compiled with GNOME Keyring support, the password is cached in the keyring automatically, provided the keyring is unlocked. CollabNet Subversion binaries are compiled with GNOME Keyring support, so you can use this feature right away.

What if my GNOME Keyring is locked? Subversion provides a way to handle that too, as the following run shows:

$ svn co http://localhost/svn/repos wc
Password for 'default' GNOME keyring:
Authentication realm: <http://localhost:80> TEST SVN repository
Password for 'stylesen':
Checked out revision 0.
$ svn co http://localhost/svn/repos wc
Checked out revision 0.
$


KDE users are not left out either: you can use KWallet to store passwords in encrypted form. To use KWallet, the Subversion binaries must be compiled with the following option:

SSL client certificate passphrase caching

As we know, Subversion was good at caching passwords, but it had no mechanism to cache SSL client certificate passphrases, perhaps because this was never considered, since few users needed it. The only way to avoid entering the client certificate passphrase each time was to hard-code it in the servers file with the ssl-client-cert-pp parameter, which is ugly! In 1.6 the same infrastructure described above is used to cache SSL client certificate passphrases, controlled by these servers-file options:

store-ssl-client-cert-pp = (yes/no)
store-ssl-client-cert-pp-plaintext = (yes/no)
Curious to see this in action? Here we go:

$ svn co https://localhost/svn/repos wc
Authentication realm: https://localhost:443
Client certificate filename: /home/stylesen/stylesen.p12
Passphrase for '/home/stylesen/stylesen.p12':
-----------------------------------------------------------------------
ATTENTION!  Your passphrase for client certificate:

   /home/stylesen/stylesen.p12

can only be stored to disk unencrypted!  You are advised to configure
your system so that Subversion can store passphrase encrypted, if
possible.  See the documentation for details.

You can avoid future appearances of this warning by setting the value
of the 'store-ssl-client-cert-pp-plaintext' option to either 'yes' or 'no' in
'/home/stylesen/.subversion/servers'.
-----------------------------------------------------------------------
Store passphrase unencrypted (yes/no)? yes
Checked out revision 0.
Thus Subversion 1.6.x brings a number of security improvements that also make for a better user experience.
