HowTo: Subversion auth credential caching


Just discovered a bug in this setup that will cause your shell to hang if, say, you’re scp’ing something from another box. Please amend your ~/.bashrc as noted below.

Following some recent (and older) discussion of how subversion keeps the password for remote servers (such as the WebDAV-enabled one at svn.ilrt.bris.ac.uk), I’d like to reiterate that it is important either to pass the --no-auth-cache option on the command line or to set the ‘store-auth-creds = no’ option in the file ~/.subversion/config. Nearly all Linux-based servers do not have a version of subversion that can use an external keychain tool to manage and store passwords in an encrypted format on disk. Subversion on Windows and Mac OS X, however, is able to use native encryption technology.

That aside I’ve been having a play today with Collab’s own version of the subversion binary which comes with support for using the external Gnome-keyring application, including a command line client tool for managing the keyrings. I have installed it on devbox as a trial to see how we get on with it. If it works out then we may well stick it on other boxes. I imagine the functionality will eventually drift into mainline releases, but until then….

First of all, log in to devbox, edit your ~/.bashrc file and add these lines:

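alias svn=/opt/CollabNet_Subversion/bin/svn
alias keyring_tool=/opt/CollabNet_Subversion/bin/keyring_tool
# Interactive shells only, so scp and other non-interactive logins never start a daemon.
# The daemon prints its GNOME_KEYRING_* settings on stdout; eval imports them into this shell.
case $- in *i*) eval "$(gnome-keyring-daemon 2>/dev/null)" ;; esac
export GNOME_KEYRING_SOCKET GNOME_KEYRING_PID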

Then source the profile again:

. ~/.bashrc

Then, to set up a new keyring, do the following.

Create a place to store the keys:
$ mkdir -p ~/.gnome2/keyrings

Create a new personal keyring store:
$ keyring_tool -c mykeyring
Enter password for 'mykeyring' keyring:
Created 'mykeyring' keyring.

Set this keyring to be the default:
$ keyring_tool -s mykeyring
Set 'mykeyring' keyring as default.

If you have passwords already cached for this server you should remove them first. You can either remove only the relevant ones from the directory listed below or all of them like this:
$ rm ~/.subversion/auth/svn.simple/*

Initialise the keystore with your subversion password:
$ svn checkout https://svn.ilrt.bris.ac.uk/repos/somerepo
Password for 'mykeyring' GNOME keyring:
Authentication realm: <https://svn.ilrt.bris.ac.uk:443> Internal Subversion repositories
Password for 'cmxmb':

Now, when you run svn in situations where you need to log in, you shouldn’t be asked for a password.
When you log out and back in, you’ll need to enter the password for your keyring file to unlock it so that svn can retrieve your password for the svn server. You could reuse the same daemon in another shell window by exporting the environment variables it creates, but it’s probably better to run one daemon per session and close the daemon when you log out.

Therefore, it’s a very good idea to kill the daemon when you log out. So add this to your ~/.bash_logout file:

# Only signal the daemon if this session actually started one
[ -n "$GNOME_KEYRING_PID" ] && kill "$GNOME_KEYRING_PID"
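
To confirm that the password went into the keyring and not into the on-disk cache, here is an added example (not from the original post or from CollabNet) that lists cache files still holding a password. It assumes the svn.simple layout of "K <len>" / key / "V <len>" / value records, and that a "password" key is present only when the secret is stored in the file itself; make_sample and its realm, user and password are constructed test data.

```sh
#!/bin/sh
# Added example: report cached Subversion credentials whose password sits in the cache file.
# Assumption: svn.simple files are "K <len>" / key / "V <len>" / value records ending in END.

# Print "<file><TAB><passtype><TAB><realm>" for each cache file that contains a
# "password" key. The password value itself is never printed.
find_plaintext_creds() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        awk '
            /^K [0-9]+$/ { getline key; next }                 # next line is the key name
            /^V [0-9]+$/ { getline val; kv[key] = val; next }  # next line is its value
            END {
                if ("password" in kv)
                    printf "%s\t%s\t%s\n", FILENAME, kv["passtype"], kv["svn:realmstring"]
            }' "$f"
    done
}

# Constructed sample cache (not real data): one plaintext entry, one keyring-backed entry.
make_sample() {
    d=$(mktemp -d) || return 1
    printf '%s\n' 'K 8' passtype 'V 6' simple 'K 8' password 'V 7' hunter2 \
        'K 15' svn:realmstring 'V 36' '<https://svn.example.org:443> Sample' \
        'K 8' username 'V 5' alice END > "$d/plain"
    printf '%s\n' 'K 8' passtype 'V 13' gnome-keyring \
        'K 15' svn:realmstring 'V 35' '<https://svn.example.org:443> Other' \
        'K 8' username 'V 5' alice END > "$d/keyring"
    echo "$d"
}

sample=$(make_sample)
find_plaintext_creds "$sample"   # real use: find_plaintext_creds ~/.subversion/auth/svn.simple
rm -rf "$sample"
```

No output on your real cache directory means no password is stored in those files.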

As a last note: any local working copy checked out with the newer Collab svn client will not be compatible with the older svn client. So it is best to make fresh checkouts with either the existing local client at /usr/bin/svn or the one in /opt/CollabNet_Subversion/bin/svn, depending on which one you want to work with.

As this is a trial please let me know if you see any problems using it. Thanks.