[CentOS] Unlocking gnome keyring on login

Mathieu Baudier mbaudier at argeo.org
Wed Jul 14 10:01:17 UTC 2010


Sorry if I was not clear: I was just throwing out ideas because I will
soon have to face a similar need.
I just wanted to explore whether you could avoid using the gnome-keyring at all.
I was not pretending to give you a direct solution for your problem.

> Subversion is already set up correctly to use the keyring mechanism to store the password. It works. But, the first time I'm asked for the password to unlock the keyring. This is what I am trying to avoid. I don't think this has anything to do with Subversion.

Yes, but you have to use gnome-keyring in the first place because of
this SVN password caching issue.

> I'm not sure I understood you here. This way any user coming from one of those IPs will have access to the repository? How would I know who it is though?

You would have to issue certificates for the client.
Definitely not a good option for you if you have many users.
Could make sense if these are only "special" users such as build
processes who need to access the SVN repo.

> We did start with svn:// access, about 5 years ago when we started using Subversion, but we abandoned it in favour of http://. Honestly, I don't remember what was the problem.

svn+ssh:// is not (exactly) the same as svn://
- svn:// accesses an svnserve daemon via the network
- svn+ssh:// is actually more like file:// (but safer): it remotely
starts an svnserve for each call and only for the duration of this
call, reuses the OS credentials and accesses the repository on the
filesystem directly
=> it can be combined with http:// and access the same repository, but
again would only work reasonably if there are not too many such
accesses
=> if your OS users are also managed by LDAP this could offer you a
consistent approach: in the end you would have the same user names in
Subversion whether you access it one way or the other

> What do you mean by "I hope your developers are not working on their code on a server from the command line" ?

I was just joking. Usually people develop from their workstation.
Although I have already seen some development being done directly with
vi on headless servers...

> Most of the work is done on PC, so gnome-keyring is not needed. But some work is done on the server, in personal working copies, and therefore I need a mechanism to store passwords. Because these are company passwords, I used LDAPS to authenticate against the company AD, they need to be encrypted.

If your PCs are running Linux, then you have the same problem
(unencrypted password).
But I guess your users are on Windows PCs.
