Monday, April 22, 2013

Using gnome-keyring to avoid storing unencrypted passwords (Ubuntu 12.10)

I finally got around to figuring out how to avoid the pesky

-----------------------------------------------------------------------
ATTENTION!  Your password for authentication realm:

   <http://xxx:80> My Subversion server

can only be stored to disk unencrypted!  You are advised to configure
your system so that Subversion can store passwords encrypted, if
possible.  See the documentation for details.

You can avoid future appearances of this warning by setting the value
of the 'store-plaintext-passwords' option to either 'yes' or 'no' in
'/home/myself/.subversion/servers'.
-----------------------------------------------------------------------

As usual, stackoverflow.com and superuser.com provided very useful information, and in my specific case (Ubuntu 12.10) it turned out to be really easy since we can use the GNOME keyring more or less out-of-the-box. First step, modify .subversion/config like this:

store-passwords = yes
store-plaintext-passwords = no
password-stores = gnome-keyring

Second step, export the GNOME keyring settings in your shell init script.

export `gnome-keyring-daemon`

Third step, delete the .subversion/auth directory to remove any passwords stored in plaintext.

rm -r ~/.subversion/auth

Now, when you try to do an svn update, you should be prompted to log in to Subversion and (probably) to your GNOME keyring:

$ svn update
Updating '.':
Authentication realm:  My Subversion server
Password for 'myself': 
Password for 'login' GNOME keyring: 
At revision 1234.

To convince yourself that there is no locally stored password, you can open the files (there is probably only one) in .subversion/auth. The filename is a hash, so you will have to look up the actual filename in your directory. You should see something like this:

~/.subversion $ cat auth/svn.simple/XXX
K 8
passtype
V 13
gnome-keyring
K 15
...

Note that the passtype is now gnome-keyring.
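To run the same check over every cached credential instead of reading one file by eye, here is an added example (not part of the original post) that parses the K/V length-prefixed format shown above and reports each entry's passtype without ever printing a password. The function names are hypothetical, the sample files in demo() are constructed, and it assumes a plaintext entry is one with passtype "simple" (or none) plus a "password" key in the file.

```python
import os
import tempfile

def parse_svn_hash(data: bytes) -> dict:
    """Parse the 'K <len>/key/V <len>/value ... END' format of an svn auth cache file."""
    entry, pos = {}, 0
    def read_item(tag: bytes) -> bytes:
        nonlocal pos
        eol = data.index(b"\n", pos)
        header = data[pos:eol]
        if not header.startswith(tag + b" "):
            raise ValueError(f"expected {tag!r} record at byte {pos}")
        size = int(header[2:])              # lengths are byte counts
        item = data[eol + 1:eol + 1 + size]
        if len(item) != size:
            raise ValueError("truncated record")
        pos = eol + 1 + size + 1            # skip the newline after the item
        return item
    while pos < len(data) and not data.startswith(b"END", pos):
        key = read_item(b"K").decode()
        entry[key] = read_item(b"V").decode(errors="replace")
    return entry

def audit_auth_cache(auth_dir: str) -> list:
    """Return (filename, realm, passtype, stored_in_file) per cached credential."""
    results = []
    simple_dir = os.path.join(auth_dir, "svn.simple")
    for name in sorted(os.listdir(simple_dir)):
        with open(os.path.join(simple_dir, name), "rb") as fh:
            entry = parse_svn_hash(fh.read())
        passtype = entry.get("passtype", "")
        # Assumption: a plaintext entry has passtype "simple" (or none) and a "password" key.
        in_file = "password" in entry and passtype in ("", "simple")
        results.append((name, entry.get("svn:realmstring", "?"), passtype, in_file))
    return results

def demo() -> list:
    """Audit two constructed cache files: one keyring-backed, one plaintext."""
    rec = lambda k, v: f"K {len(k)}\n{k}\nV {len(v)}\n{v}\n"
    realm = "<http://xxx:80> My Subversion server"
    keyring = rec("passtype", "gnome-keyring") + rec("svn:realmstring", realm) + "END\n"
    plain = rec("password", "constructed-secret") + rec("passtype", "simple") \
        + rec("svn:realmstring", realm) + "END\n"
    with tempfile.TemporaryDirectory() as auth:
        os.makedirs(os.path.join(auth, "svn.simple"))
        for name, body in (("aaaa", keyring), ("bbbb", plain)):
            with open(os.path.join(auth, "svn.simple", name), "w") as fh:
                fh.write(body)
        return audit_auth_cache(auth)
```

To audit a real cache, call audit_auth_cache(os.path.expanduser("~/.subversion/auth")); any row ending in True is a password still stored in the file.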
