0

I have tried to set up my SVN so that it saves my passwords, but for some reason it won't work. I am using an SSL certificate, for which I need to provide a password every time. I have tried setting it up in the ~/.subversion/servers file:

[mygroup]
ssl-client-cert-file = /mnt/data/myuser/certificate.pk12
store-passwords = yes
store-plaintext-passwords = yes
store-ssl-client-cert-pp-plaintext = yes

The file is correct, it finds the correct path and asks for the password. Some time ago when I tried this, it asked me if I wanted to store the SSL key and the password permanently, and I answered yes every time. The SSL key is remembered, but the password is not. And now it does not even ask to remember it. It simply asks every time. I tried a lot of settings, none worked. Any ideas? Thanks

Asped

2 Answers

3

There seems to be a bug/regression in Subversion 1.8+ where it fails to store the certificate passphrase. I'm answering this here in the hope that somebody will find it useful and save some time.

One solution is to use kwallet as a password store. There is a very nice how-to: http://mail-archives.apache.org/mod_mbox/subversion-users/201406.mbox/%3C5391B93F.1030101@ntlworld.com%3E. Reposting the steps here, all credit to original author - Simon.

Given what you told me, I was able to find a workaround and manually create the password store:

  1. .subversion/config: [auth] section set to "password-stores = kwallet"
  2. Run "kwalletmanager", open kwallet via "system tray"
  3. Open default wallet and create new top-level "Subversion" folder (alongside Form Data, Passwords)
  4. Select "Passwords" within Subversion folder and create new one with key "@" + path_to_p12, e.g. "@/home/nc/nc.p12"
  5. Type in password into kwallet for this key

Watch where svn is trying to retrieve the data from: "strace -e trace=lstat svn ls http://...." e.g. reveals "/home/nc/.subversion/auth/svn.ssl.client-passphrase/345983d745d98273c095e872a09"

Populate this "345983d745d98273c095e872a09" file with e.g.:

K 15
svn:realmstring
V 45
/home/nc/nc.p12
END

This might help someone in the meantime. Note that my username is derived from the certificate common name, otherwise I think you need "Username@" as the password key.


Inspired by the above solution I managed to make it work with gnome-keyring. Most of the steps are the same:

contents of .subversion/servers:

store-auth-creds = yes 
ssl-client-cert-file = /mnt/data/myuser/certificate.pk12
ssl-authority-files = /some/path/to/CA_if_needed.pem
store-passwords = yes 
store-plaintext-passwords = no
store-ssl-client-cert-pp = yes 
store-ssl-client-cert-pp-plaintext = no

Find which file svn is trying to read. Run strace on some svn command, e.g. strace svn up, and you should see something like "/home/user/.subversion/auth/svn.ssl.client-passphrase/b97ec2acbc64a5c8634a2307cd100b13". Create that file with these contents:

K 15
svn:realmstring
V 33
/mnt/data/myuser/certificate.pk12
END

The path may be different in your case, obviously. Also make sure to replace V 33 with the length of your path string.

Now the tricky part - manually saving the passphrase into gnome-keyring. Since seahorse was incapable of creating a network password entry for me, I used a tiny Python script. Debian/Ubuntu users need the "python-gnomekeyring" package for this to work.

#!/usr/bin/env python
import pygtk
pygtk.require('2.0')
import gtk
import gnomekeyring

def hack():
    gnomekeyring.item_create_sync(None, gnomekeyring.ITEM_NETWORK_PASSWORD, "svn cert pwd", {"domain" : "/mnt/data/myuser/certificate.pk12"}, "Secret_Passphrase_Goes_Here", True)

if __name__ == '__main__':
    hack()

This will create a network password in the default keychain. "domain" has to match the certificate path in the svn config that we just created.

You can use seahorse to check if everything was successful. Now subversion should be able to read from gnome-keyring, and you no longer need to type the password every time!

flurry
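
The auth cache file that both workarounds above create by hand uses Subversion's length-prefixed hash format, where the number after K or V is the byte length of the line that follows. As an added example (not code from the answers or from Subversion), this Python 3 sketch writes such a file with the correct length and owner-only permissions, and rejects a file whose declared length does not match. The function names are hypothetical, and the single svn:realmstring entry is the one shown in the answers.

```python
import os

def serialize_auth_hash(entries):
    """Serialize a dict as K <len>/key/V <len>/value records ending in END.
    Lengths are byte counts, so non-ASCII paths are measured after encoding."""
    out = b""
    for key, value in entries.items():
        k, v = key.encode("utf-8"), value.encode("utf-8")
        out += b"K %d\n%s\nV %d\n%s\n" % (len(k), k, len(v), v)
    return out + b"END\n"

def parse_auth_hash(data):
    """Parse the same format; raise ValueError if a declared length is wrong."""
    entries, pos = {}, 0

    def read_item(tag):
        nonlocal pos
        eol = data.index(b"\n", pos)  # raises ValueError if the header is cut off
        header = data[pos:eol].split()
        if len(header) != 2 or header[0] != tag:
            raise ValueError("expected %r header at byte %d" % (tag, pos))
        size, start = int(header[1]), eol + 1
        item = data[start:start + size]
        if len(item) != size or data[start + size:start + size + 1] != b"\n":
            raise ValueError("%s %d does not match the following line"
                             % (tag.decode(), size))
        pos = start + size + 1
        return item.decode("utf-8")

    while not data.startswith(b"END", pos):
        key = read_item(b"K")
        entries[key] = read_item(b"V")
    return entries

def write_realm_file(auth_file, cert_path):
    """Write the realm file for cert_path with mode 0600 (owner only)."""
    data = serialize_auth_hash({"svn:realmstring": cert_path})
    fd = os.open(auth_file, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "wb") as fh:
        os.fchmod(fd, 0o600)  # also tighten a file that already existed
        fh.write(data)
    return data

if __name__ == "__main__":
    # Constructed sample: the certificate path used in the answer above.
    print(serialize_auth_hash(
        {"svn:realmstring": "/mnt/data/myuser/certificate.pk12"}).decode())
```

Pass the file name that strace reveals as auth_file; parse_auth_hash can be run over an existing file to check it before blaming the keyring.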
-1

Please make changes as below and check.

In ~/.subversion/config file :- (Changed as)

### Section for authentication and authorization customizations.
[auth]
### Set password stores used by Subversion. They should be
### delimited by spaces or commas. The order of values determines
### the order in which password stores are used.
### Valid password stores:
### gnome-keyring (Unix-like systems)
### kwallet (Unix-like systems)
### gpg-agent (Unix-like systems)
### keychain (Mac OS X)
### windows-cryptoapi (Windows)
password-stores = gpg-agent,gnome-keyring,kwallet
### To disable all password stores, use an empty list:
password-stores = yes
###
### Set ssl-client-cert-file-prompt to 'yes' to cause the client
### to prompt for a path to a client cert file when the server
### requests a client cert but no client cert file is found in the
### expected place (see the 'ssl-client-cert-file' option in the
### 'servers' configuration file). Defaults to 'no'.
ssl-client-cert-file-prompt = yes
###
### The rest of the [auth] section in this file has been deprecated.
### Both 'store-passwords' and 'store-auth-creds' can now be
### specified in the 'servers' file in your config directory
### and are documented there. Anything specified in this section
### is overridden by settings specified in the 'servers' file.
store-passwords = yes
store-auth-creds = yes

### Section for configuring external helper applications.

In ~/.subversion/servers file :- (Changed as)

[global]
# http-proxy-exceptions = *.exception.com, www.internal-site.org
# http-proxy-host = defaultproxy.whatever.com
# http-proxy-port = 7000
# http-proxy-username = defaultusername
# http-proxy-password = defaultpassword
# http-compression = no
# No http-timeout, so just use the builtin default.
# No neon-debug-mask, so neon debugging is disabled.
# ssl-authority-files = /path/to/CAcert.pem;/path/to/CAcert2.pem
#
# Password / passphrase caching parameters:
store-passwords = yes
store-ssl-client-cert-pp = yes
# store-plaintext-passwords = no
# store-ssl-client-cert-pp-plaintext = no
Ladadadada
maniargaurav
  • hi, I tried this, but it does not work. And some of the settings are said to be deprecated and should be used in the .servers file, which I also did, but still not working... – Asped Apr 02 '14 at 14:06