On Fri, Jan 17, 2025 at 7:40 AM Johan Corveleyn <jcor...@gmail.com> wrote:
> Oh, and according to this cirata (previously wandisco) blog article it
> should be possible to set up a Gnome Keyring without a GUI:
>
> https://community.cirata.com/s/article/How-to-set-up-encrypted-svn-password-storage-using-gnome-keyring-in-an-ssh-session
>
> I have not tried it myself, but I might (have to) dig into it in the
> near future.
>
> Two more articles related to Gnome Keyring which I have bookmarked
> because I want to research unlocking the keyring automatically after
> login (but haven't gotten around to it, YMMV):
> https://wiki.archlinux.org/title/GNOME/Keyring
> https://forums.debian.net/viewtopic.php?t=152349 (how to auto-unlock
> gnome-keyring on login)

Thanks for those links!

This might be relevant as well:

https://superuser.com/questions/141036/use-of-gnome-keyring-daemon-without-x

> I think, if we get this all figured out (setting up GUI-less Gnome
> Keyring with auto-unlock upon login), it would be great if we'd put
> this into a blog or step-by-step guide somewhere on
> subversion.apache.org.

That's a good idea. We have the blog section of the site [1] and this
would be a good fit there.

We also have a FAQ entry [2] "How does Subversion cache credentials
(plaintext and encrypted)?" This could be updated to include a brief
explanation, with a link to the blog article for more details.

There is a TODO there regarding GPG-Agent (not to be confused with
GNOME Keyring) -- this credential store can also be configured for pin
entry through CLI (including when remotely accessed through SSH) by
configuring it to use pinentry-tty. This StackOverflow may be
relevant:

https://superuser.com/questions/520980/how-to-force-gpg-to-use-console-mode-pinentry-to-prompt-for-passwords

I don't know whether GPG-Agent can be configured to unlock
automatically at startup. (That probably would bring us back to the
issue of how to securely store the pin that would unlock it
automatically; it would probably end up being in plaintext, in which
case, you might as well just store the SVN password in plaintext.
Somewhere along the line, something either needs to be in plaintext or
entered manually at each startup.)

One more thing: In Subversion's config files, note that the *order* of
the 'password-stores' setting is significant.

[1] https://subversion.apache.org/blog/

[2] https://subversion.apache.org/faq.html#plaintext-passwords

Hope this helps,
Nathan
