Caching passwords on disk?That’s terrible!You should never do that!”Subversion
开发者认识到这种担心的合理性,所以 Subversion 使用操作系统和环境提供的机制来减少泄露这些信息的风险。
下面是在大多数平台上的做法:
windows平台:
On Windows,the Subversion client stores passwords in the %APPDATA%/Subversion/auth/ directory.
On Windows 2000 and later,the standard Windows cryptography services are used toencrypt the password on disk.Because the encryption key is managed by Windows and is tied tothe user’s own login credentials,only the user can decrypt the cached password.(Note that if the user’s Windows account password is reset by an administrator,all of the cached passwords becomeundecipherable.The Subversion client will behave as though they don’t exist,prompting forpasswords when required.)
Mac OS平台:
Similarly,on Mac OS X,the Subversion client stores all repository passwords in the login keyring(managed by the Keychain service),which is protected by the user’s account password.Userpreference settings can impose additional policies,such as requiring that the user’s account passwordbe entered each time the Subversion password is used.
类unix平台:
For other Unix-like operating systems,no standard “keychain”services exist.However,the Subversionclient knows how to store password securely using the “GNOME Keyring”and “KDE Wallet”services.Also,before storing unencrypted passwords in the ~/.subversion/auth/caching area,theSubversion client will ask the user for permission to do so.Note that the auth/caching area is stillpermission-protected so that only the user (owner)can read data from it,not the world at large.The operating system’s own file permissions protect the passwords from other non-administrativeusers on the same system,provided they have no direct physical access to the storage media of thehome directory,or backups thereof.Of course,for the truly paranoid,none of these mechanisms meets the test of perfection.So forthose folks willing to sacrifice convenience for the ultimate in security,Subversion provides variousways of disabling its credentials caching system altogether.
你可以关闭凭证缓存,只需要一个简单的命令,使用参数–no-auth-cache:
$svn commit -F log_msg.txt –no-auth-cacheAuthentication realm:<svn://host.example.com:3690>example realmUsername:joePassword for ‘joe’:Adding newfileTransmitting file data .
通过配置文件禁用:
Or,if you want to disable credential caching permanently,you can edit the config file in yourruntime configuration area and set the store-auth-creds option to no.This will prevent thestoring of credentials used in any Subversion interactions you perform on the affected computer.Thiscan be extended to cover all users on the computer,too,by modifying the system-wide runtimeconfiguration area (described in 第 1.1 节 “配置区布局”).
[auth]store-auth-creds =no
Leave a Reply