
svn encrypt/cache user password manually


Goal: Avoid the svn authentication prompt when running svn commands from command prompt.

I know there is an option to pass --username and --password to the svn command, but I don't want to do this because the svn operations are run from a batch script and I don't want to store the password in the batch script.

If we create the file that needs to be present under %APPDATA%\Subversion\auth\svn.simple\ and update its contents, does it escape the authentication prompt? Is it possible to do that?

I see there are tools to decrypt the password from files under svn.simple. But how do I encrypt the password and create a file with the proper hash name, so that svn uses it?


Solution

  • Solution found. Below is the Subversion encryption process on Windows.

    1. Subversion uses Windows's CryptProtectData function to encrypt the password.
    2. Subversion base64-encodes the encrypted password and saves it to %APPDATA%\Subversion\auth\svn.simple\

    Attempt with PowerShell:

    Failed to automate with PowerShell; the reason is that CryptProtectData takes a "description" parameter, which is included in the encrypted password, but the PowerShell ProtectedData function doesn't take the "description" parameter.

    As a result, if I use PowerShell "ProtectedData", the size of the encrypted data is small compared with the encryption done by Subversion.

    Solution:

    Hence I used C++ code to perform the exact same operation with the exact same "description" string from the Subversion source code to encrypt the password, base64-encoded the encrypted data, and it worked.

    // The piece below is taken from the svn source code - file name: subversion/libsvn_subr/win32_crypto.c
    CryptProtectData(
         &blobin,                      // Input Data BLOB
         L"auth_svn.simple.wincrypt",  // Description String
         NULL, NULL, NULL,
         CRYPTPROTECT_UI_FORBIDDEN,    // Constant to avoid prompting user
         &blobout                      // Output Data BLOB
     );


    Note: I will try to share the code in the near future.

    Additional Tips

    The CryptProtectData function creates a session key to perform the encryption. The session key is derived again when the data is to be decrypted (I didn't look further into exactly which key it is, how it is stored, etc.). Hence we have to perform the encryption with the same user account under which the svn operations are going to be performed.

    As mentioned earlier, SVN caches the details under %APPDATA%\Subversion\auth\svn.simple\ and the file name is the "MD5 hash value of svn:realmstring".

    # You can find the svn realm string if you have already cached it in your account
    # From my observations, it is <svn url> <standard text>
    <https://testsvn.svn.com:443>  SVN AD-LDAP login (username, lowercase with domain)
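
An added example, not code from the answer or from the Subversion project: a Python check for an svn.simple cache entry that confirms the file name is the MD5 of its svn:realmstring and reports whether the password is stored as `wincrypt` or as plain text. It assumes Subversion's `K <len>` / `V <len>` / `END` record layout and the passtype values `simple` and `wincrypt`; the function names, sample realm and blob are constructed for illustration.

```python
import hashlib

def realm_cache_name(realm: str) -> str:
    """File name under auth/svn.simple/: hex MD5 of the svn:realmstring value."""
    return hashlib.md5(realm.encode("utf-8")).hexdigest()

def dump_svn_hash(fields: dict) -> bytes:
    """Serialize fields as 'K <len>' / key / 'V <len>' / value records, then END."""
    out = b""
    for key, value in fields.items():
        k, v = key.encode("utf-8"), value.encode("utf-8")
        out += b"K %d\n%s\nV %d\n%s\n" % (len(k), k, len(v), v)
    return out + b"END\n"

def parse_svn_hash(data: bytes) -> dict:
    """Parse the same record format; lengths are byte counts, not characters."""
    fields, pos = {}, 0

    def read_item(tag: bytes) -> bytes:
        nonlocal pos
        eol = data.index(b"\n", pos)          # raises ValueError if input ends early
        header = data[pos:eol]
        if not header.startswith(tag + b" "):
            raise ValueError("expected %r record at offset %d" % (tag, pos))
        size = int(header[2:])
        start = eol + 1
        item = data[start:start + size]
        if len(item) != size or data[start + size:start + size + 1] != b"\n":
            raise ValueError("truncated %r record at offset %d" % (tag, pos))
        pos = start + size + 1
        return item

    while not data.startswith(b"END", pos):
        key = read_item(b"K")
        fields[key.decode("utf-8")] = read_item(b"V").decode("utf-8")
    return fields

def audit_entry(file_name: str, data: bytes) -> dict:
    """Report how one cache file stores its password and whether its name fits."""
    fields = parse_svn_hash(data)
    realm = fields.get("svn:realmstring", "")
    return {"realm": realm,
            "username": fields.get("username"),
            "passtype": fields.get("passtype"),
            "name_matches_realm": file_name == realm_cache_name(realm),
            "plaintext_password": fields.get("passtype") == "simple"}

# Constructed sample: placeholder realm and blob, not real credentials.
SAMPLE_REALM = "<https://svn.example.test:443> Example Realm"
SAMPLE = dump_svn_hash({"passtype": "wincrypt", "password": "QkFTRTY0LUJMT0I=",
                        "svn:realmstring": SAMPLE_REALM, "username": "builduser"})
```

To check a real entry, pass the file's base name and its bytes to `audit_entry`; an entry with `plaintext_password` set to true holds the password unencrypted on disk.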