On Fri, Jan 17, 2025 at 7:40 AM Johan Corveleyn <jcor...@gmail.com> wrote:
> Oh, and according to this cirata (previously wandisco) blog article it
> should be possible to set up a Gnome Keyring without a GUI:
>
> https://community.cirata.com/s/article/How-to-set-up-encrypted-svn-password-storage-using-gnome-keyring-in-an-ssh-session
>
> I have not tried it myself, but I might (have to) dig into it in the
> near future.
>
> Two more articles related to Gnome Keyring which I have bookmarked
> because I want to research unlocking the keyring automatically after
> login (but haven't gotten around to it, YMMV):
> https://wiki.archlinux.org/title/GNOME/Keyring
> https://forums.debian.net/viewtopic.php?t=152349 (how to auto-unlock
> gnome-keyring on login)

Thanks for those links! This might be relevant as well:

https://superuser.com/questions/141036/use-of-gnome-keyring-daemon-without-x

> I think, if we get this all figured out (setting up GUI-less Gnome
> Keyring with auto-unlock upon login), it would be great if we'd put
> this into a blog or step-by-step guide somewhere on
> subversion.apache.org.

That's a good idea. We have the blog section of the site [1] and this would be a good fit there.

We also have a FAQ entry [2] "How does Subversion cache credentials (plaintext and encrypted)?" This could be updated to include a brief explanation, with a link to the blog article for more details.

There is a TODO there regarding GPG-Agent (not to be confused with GNOME Keyring) -- this credential store can also be configured for pin entry through CLI (including when remotely accessed through SSH) by configuring it to use pinentry-tty. This StackOverflow may be relevant:

https://superuser.com/questions/520980/how-to-force-gpg-to-use-console-mode-pinentry-to-prompt-for-passwords

I don't know whether GPG-Agent can be configured to unlock automatically at startup. (That probably would bring us back to the issue of how to securely store the pin that would unlock it automatically; it would probably end up being in plaintext, in which case, you might as well just store the SVN password in plaintext. Somewhere along the line, something either needs to be in plaintext or entered manually at each startup.)

One more thing: In Subversion's config files, note that the *order* of the 'password-stores' setting is significant.

[1] https://subversion.apache.org/blog/
[2] https://subversion.apache.org/faq.html#plaintext-passwords

Hope this helps,
Nathan
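
The ordering point at the end of the message above, as an added example that is not part of the original email or of Subversion's own code: a Python check that reads the `password-stores` list from the `[auth]` section of a Subversion `config` file and the `store-plaintext-passwords` option from `servers`, then reports what it finds. The sample file contents, the function names and the `wanted_first` parameter are constructed for illustration.

```python
import configparser
import re

# Constructed sample contents of ~/.subversion/config and ~/.subversion/servers.
SAMPLE_CONFIG = """\
[auth]
### stores are tried in the order listed here
password-stores = gpg-agent, gnome-keyring
"""

SAMPLE_SERVERS = """\
[global]
store-passwords = yes
store-plaintext-passwords = ask
"""


def _parse(text):
    # interpolation=None: '%' in a value must not be treated as a reference
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return cp


def password_store_order(config_text):
    """Return the configured stores in order; None if the option is unset."""
    cp = _parse(config_text)
    if not cp.has_option("auth", "password-stores"):
        return None
    raw = cp.get("auth", "password-stores")
    # Subversion accepts commas or spaces as delimiters in this list.
    return [s for s in re.split(r"[,\s]+", raw.strip()) if s]


def audit(config_text, servers_text, wanted_first="gnome-keyring"):
    """Return a list of findings; an empty list means nothing to flag."""
    findings = []
    order = password_store_order(config_text)
    if order is None:
        findings.append("password-stores unset: built-in default order applies")
    elif not order:
        findings.append("password-stores is empty: all password stores disabled")
    elif order[0] != wanted_first:
        findings.append(f"first store is {order[0]}, expected {wanted_first}")
    servers = _parse(servers_text)
    plain = servers.get("global", "store-plaintext-passwords", fallback=None)
    if plain is None or plain.strip().lower() != "no":
        findings.append(f"store-plaintext-passwords is {plain!r}, not 'no'")
    return findings
```

Calling `audit(SAMPLE_CONFIG, SAMPLE_SERVERS)` returns two findings for the constructed sample: `gpg-agent` is listed ahead of `gnome-keyring`, and plaintext storage is not explicitly disabled.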