[CentOS] Unlocking gnome keyring on login

Wed Jul 14 09:19:21 UTC 2010
Giulio Troccoli <Giulio.Troccoli at uk.linedata.com>

> > Just to let you know, I use the keyring to store passwords
> > for a Subversion repository. The first time after logging
> > in that I use Subversion, I am asked for the password to unlock
> > the keyring. Then everything goes fine, i.e. I'm not asked for
> > the Subversion password.
> Which version of Subversion are you using?


> Just a thought: don't you think you should rather go for a
> Subversion-specific mechanism to store the passwords / access
> the repositories safely?
> I can imagine that you are worried about the famous
> limitation that SVN passwords are stored in plaintext on Linux:
> http://help.collab.net/index.jsp?topic=/faq/cachepassword.html
> http://www.linuxforu.com/previews/subversion-16-security-improvements-illustrated/

Subversion is already set up correctly to use the keyring mechanism to store the password. It works. But the first time, I'm asked for the password to unlock the keyring. This is what I am trying to avoid. I don't think this has anything to do with Subversion.

> But maybe, if you control the SVN server config as well, you
> could set up certificate-based auth in Apache (restricted to
> your clients' IPs) without requiring the actual password: your Linux
> client setup would then be as safe as your Linux auth (since
> the certificates would be protected in the .subversion of your users)

I'm not sure I understood you here. This way any user coming from one of those IPs will have access to the repository? How would I know who it is, though?

> Another approach could be to use an svn+ssh:// access to your
> repository for your server-side Linux users. The problem is
> that it doesn't work well with parallel access. But if this
> is just to start a build from time to time that may be enough...
> (I hope your developers are not working on their code on a
> server from the command line :)

We did start with svn:// access, about 5 years ago when we started using Subversion, but we abandoned it in favour of http://. Honestly, I don't remember what the problem was.

What do you mean by "I hope your developers are not working on their code on a server from the command line" ?

> I was just trying to think on another approach, in case this
> is only for Subversion that you have to go through this pain.
> It feels kind of wrong to use gnome-keyring on the server (I
> use it with pam_keyring on my CentOS workstations, but you
> already tried that).

Most of the work is done on PCs, so gnome-keyring is not needed there. But some work is done on the server, in personal working copies, and therefore I need a mechanism to store passwords. Because these are company passwords (I used LDAPS to authenticate against the company AD), they need to be encrypted.


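The point the thread keeps circling is that a Subversion client only helps if it is actually told to use the keyring and is forbidden from falling back to plaintext, and that a plaintext password may already be sitting in the auth cache from before the keyring was configured. The following POSIX shell script is an added example, not part of the thread and not Subversion's own code: it writes the two client-side settings a Subversion 1.6+ client needs (`password-stores` in `~/.subversion/config`, `store-plaintext-passwords` in `~/.subversion/servers`), then audits `~/.subversion/auth/svn.simple` for entries whose `passtype` is `simple`, which is the on-disk marker for a password stored in the clear. The sample cache files it creates are constructed for the demonstration; the realms, usernames, password and file names are made up, and everything runs in a scratch HOME so the real `~/.subversion` is never touched.

```shell
#!/bin/sh
# Added example, not from the thread: harden a Subversion 1.6+ client so that
# cached passwords go only through gnome-keyring, then audit the on-disk auth
# cache for any password that was stored in the clear. Everything happens in
# a scratch HOME so the real ~/.subversion is never touched.
set -eu

# Client-side settings. 'password-stores' lives in ~/.subversion/config,
# 'store-plaintext-passwords' in ~/.subversion/servers (both Subversion 1.6+).
write_svn_config() {
    mkdir -p "$1/.subversion/auth/svn.simple"
    cat > "$1/.subversion/config" <<'EOF'
[auth]
# Keyrings to try, in order. If none is usable, svn would fall back to
# prompting and, unless forbidden in 'servers', to writing plaintext.
password-stores = gnome-keyring
EOF
    cat > "$1/.subversion/servers" <<'EOF'
[global]
store-passwords = yes
# Never accept the plaintext fallback, instead of being asked per host.
store-plaintext-passwords = no
EOF
}

# Constructed sample auth cache (realms, users, password and file names are
# made up). Files use svn's key/value dump format: "K <len>", key, "V <len>",
# value. passtype=simple means the password itself is in the file; any other
# type (gnome-keyring, kwallet, gpg-agent) means only a reference is stored.
seed_sample_auth_cache() {
    cat > "$1/.subversion/auth/svn.simple/0a1b2c3d4e5f60718293a4b5c6d7e8f9" <<'EOF'
K 8
passtype
V 6
simple
K 8
password
V 12
hunter2-2010
K 15
svn:realmstring
V 40
<https://svn.example.com:443> Subversion
K 8
username
V 5
alice
END
EOF
    cat > "$1/.subversion/auth/svn.simple/f9e8d7c6b5a49382716f5e4d3c2b1a00" <<'EOF'
K 8
passtype
V 13
gnome-keyring
K 15
svn:realmstring
V 41
<https://svn2.example.com:443> Subversion
K 8
username
V 3
bob
END
EOF
}

# Value stored under a key: the line after the "V <len>" line that follows it.
svn_cache_value() {
    awk -v k="$2" '$0 == k { getline; getline; print; exit }' "$1"
}

# Print one line per cached credential whose password is in the clear.
# Returns 1 if any were found, 0 otherwise.
audit_plaintext_creds() {
    found=0
    for f in "$1"/.subversion/auth/svn.simple/*; do
        [ -f "$f" ] || continue
        if [ "$(svn_cache_value "$f" passtype)" = "simple" ]; then
            echo "PLAINTEXT: $(svn_cache_value "$f" svn:realmstring) in $f"
            found=$((found + 1))
        fi
    done
    [ "$found" -eq 0 ]
}

# Number of plaintext entries, for scripting.
count_plaintext_creds() {
    audit_plaintext_creds "$1" | wc -l | tr -d ' '
}

scratch=$(mktemp -d)
write_svn_config "$scratch"
seed_sample_auth_cache "$scratch"
if audit_plaintext_creds "$scratch"; then
    echo "no plaintext passwords in the auth cache"
else
    echo "delete the files above; svn will prompt once and re-store via the keyring"
fi
rm -rf "$scratch"
```

Two caveats for anyone applying this to a real account. Deleting a flagged file is the only way to migrate that credential: svn does not rewrite an existing `simple` entry, it just keeps reading it, so remove the file, run one command against that repository, and let svn store the password through the keyring. And none of this addresses the one-time unlock prompt the thread is about: the keyring still has to be unlocked by something in the login path. On a desktop that is pam_gnome_keyring (or pam_keyring on older CentOS) using the login password; on a server reached over ssh with key authentication, sshd never runs the PAM auth stack with a password, so there is nothing for such a module to unlock the keyring with, and the first-use prompt remains unless the keyring is unlocked by other means.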