Reputation: 1037
Goal: Avoid the svn authentication prompt when running svn commands from the command prompt.
I know there is an option to pass --username and --password to the svn command, but I don't want to do this because the svn operations are done from a batch script and I don't want to store the password in the batch script.
If we create the file that needs to be present under %APPDATA%\Subversion\auth\svn.simple\ and update its contents, does it avoid the authentication prompt? Is it possible to do that?
I see there are tools to decrypt the password from the files under svn.simple. But how do I encrypt the password and create a file with the proper hash name, so that svn uses it?
Upvotes: 2
Views: 1251
Reputation: 1037
Solution found. Below is Subversion's encryption process on Windows.
Attempt with PowerShell:
I failed to automate this with PowerShell. The reason is that CryptProtectData takes a "description" parameter, which is included in the encrypted password, but the PowerShell ProtectedData function doesn't take the "description" parameter.
As a result, if I use PowerShell's "ProtectedData", the size of the encrypted data is small compared with the encryption done by Subversion.
Solution:
Hence I used C++ code to perform the exact same operation, with the exact same "description" string from the Subversion source code, to encrypt the password, then base64-encoded the encrypted data, and it worked.
    // The piece below is taken from the svn source code - file name: subversion/libsvn_subr/win32_crypto.c
    CryptProtectData(
        &blobin,                      // Input data BLOB
        L"auth_svn.simple.wincrypt",  // Description string
        NULL, NULL, NULL,
        CRYPTPROTECT_UI_FORBIDDEN,    // Constant to avoid prompting the user
        &blobout                      // Output data BLOB
    );
Note: I will try to share the code in the near future.
Additional Tips
The CryptProtectData function creates a session key to perform the encryption. The session key is derived again when the data is to be decrypted (I didn't look further into what exact key it is, how it is stored, etc.). Hence we have to perform the encryption with the same user account under which the svn operations are planned to run.
As mentioned earlier, SVN caches the details under %APPDATA%\Subversion\auth\svn.simple\ and the file name is the "MD5 hash value of svn:realmstring".
You can find the svn realm string if it is already cached in your account.
From my observations it is <svn url> <standard text>, for example:

    <https://testsvn.svn.com:443> SVN AD-LDAP login (username, lowercase with domain)
Upvotes: 1
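A check built on the naming rule in the answer above, as an added example that is not part of the original post or of Subversion's code: it parses a cache entry and confirms that the file name is the MD5 of svn:realmstring and that the password is stored as wincrypt rather than plaintext. The K/V record layout and the passtype values come from Subversion's on-disk format, not from this page; the user name and password blob are constructed placeholders.

```python
import hashlib

def parse_svn_hash(data: bytes) -> dict:
    """Parse 'K <len>\\n<key>\\nV <len>\\n<value>\\n' records ending in 'END'."""
    entry, pos = {}, 0

    def read_item(tag: bytes) -> str:
        nonlocal pos
        eol = data.index(b"\n", pos)              # ValueError if truncated
        header = data[pos:eol].split()
        if len(header) != 2 or header[0] != tag:
            raise ValueError(f"expected {tag!r} header at byte {pos}")
        size, start = int(header[1]), eol + 1
        item = data[start:start + size]
        if len(item) != size or data[start + size:start + size + 1] != b"\n":
            raise ValueError("length field does not match content")
        pos = start + size + 1
        return item.decode("utf-8")

    while not data.startswith(b"END", pos):
        key = read_item(b"K")
        entry[key] = read_item(b"V")
    return entry

def dump_svn_hash(entry: dict) -> bytes:
    """Serialize a dict in the same format (used here to build the sample)."""
    out = b""
    for k, v in entry.items():
        kb, vb = k.encode(), v.encode()
        out += b"K %d\n%s\nV %d\n%s\n" % (len(kb), kb, len(vb), vb)
    return out + b"END\n"

def expected_cache_name(realm: str) -> str:
    """File name under svn.simple: MD5 hex digest of svn:realmstring."""
    return hashlib.md5(realm.encode("utf-8")).hexdigest()

def audit_entry(file_name: str, data: bytes) -> list:
    entry, findings = parse_svn_hash(data), []
    if file_name.lower() != expected_cache_name(entry.get("svn:realmstring", "")):
        findings.append("file name is not the MD5 of svn:realmstring")
    if entry.get("passtype") != "wincrypt":
        findings.append(f"passtype is {entry.get('passtype')!r}, not 'wincrypt'")
    return findings

# Constructed sample: realm string from the answer, placeholder user and blob.
REALM = "<https://testsvn.svn.com:443> SVN AD-LDAP login (username, lowercase with domain)"
SAMPLE = dump_svn_hash({"passtype": "wincrypt", "password": "Q09OU1RSVUNURUQ=",
                        "svn:realmstring": REALM, "username": "builduser"})

if __name__ == "__main__":
    print(expected_cache_name(REALM), audit_entry(expected_cache_name(REALM), SAMPLE))
```

An empty findings list means the entry is named as svn expects and uses the wincrypt password type; it does not prove that the DPAPI blob decrypts under the current account.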