Subversion client software have traditionally stored (i.e. cached) plaintext user passwords, meaning that you password is accessible by anyone who can access files in your ~/.subversion/auth folder. With Subversion 1.6, however, support for KWallet and GNOME Keyring have been added, allowing for using these to store your subversion password encrypted. Of course it’s possible to turn off password caching, but then you’ll have to type in your password for most svn commands you issue.

As I’m using Gnome based environments, I’ll outline the steps needed to get svn client and Gnome keyring working within a SSH session, without needing to login in using the graphical interface. I’m sure much of it applies to KWallet too, but I haven’t tested this.

To have your svn client use the password stored in GNOME Keyring your svn client must be compiled with this this option. You can compile the svn client yourself, or simply download it from http://www.open.collab.net/downloads/subversion/.

Update 2011-06-01: The package subversion-gnome shipped with RHEL 6 provides a svn client compiled with GNOME keyring support. So for RHEL 6 users you can use this svn client instead of the one from CollabNet. I’ve not yet tested the RHEL 6 subversion-gnome client myself, but my guess it that it works the same way as the CollabNet svn client.

Setting up the svn client and Gnome keyring

After installing the svn client, we’ll need to tell svn that it should use a keyring for storing password. Make sure you have this line in ~/.subversion/config:

1
password-stores = gnome-keyring

Then we’ll tell svn to store password, but _not_ cleartext password. Make sure these lines are present in ~/.subversion/servers under the section “global”:

1
2
store-passwords = yes
store-plaintext-passwords = no

Next, we’ll create a keyring to hold our svn password. It’s probably possible to use the default keyring for this, but in my example we’ll be using a dedicated one. For this task we’ll be using the excellent tool shipped with the OpenCollab svn client – _keyring_tool_ (you’ll be asked to type in a password, which can be any password you’d like to use):

1
2
3
[root@server ~]# /opt/CollabNet_Subversion/bin/keyring_tool --create=svn
Enter password for 'svn' keyring:
Created 'svn' keyring.

To set this new keyring as our default keyring, we’ll issue this command:

1
2
[root@server ~]# /opt/CollabNet_Subversion/bin/keyring_tool --setdef=svn
Set 'svn' keyring as default.

This completes the inital setup of the svn client and Gnome keyring. Now, let’s see how we can start using it.

Typical workflow

In later SSH sessions, to get things up and running we’ll need to make sure the Gnome keyring daemon is started. We can either issue this command in the shell, or add it to a login script:

1
[root@server ~]# export <code>gnome-keyring-daemon


That’s all we need to do to get Gnome keyring ready for storing encrypted svn client passwords. So let’s start using svn. Note that it’s important that you use the svn client shipped with the above software, and not the svn client shipped with you distribution (unless it’s compiled to support Gnome keyring):

1
2
3
[root@server ~]# /opt/CollabNet_Subversion/bin/svn co --username my-username https://subversion.example.com/svn/my-repo/trunk/ /path/to/working-copy
Password for 'svn' GNOME keyring:
[...]

That’s it! Now your svn client password should be stored safely by the Gnome keyring.