
RE: svnserve password store in clear text

From: Ng, Wey Han <weyhan.ng_at_atosorigin.com>
Date: 2004-06-04 11:21:07 CEST

> -----Original Message-----
> From: Mark Phippard [mailto:MarkP@softlanding.com]
> Sent: Friday, June 04, 2004 8:32 AM
>
> True, but the issue as stated, by at least 2 people, was
> simply that the administrator did not want to be able to
> see the user's passwords in plain text nor have to make
> the users give him their passwords in plain text.

Yes, this is just my concern. Nothing more.

> The hash idea is a simple solution to that problem and does
> not require any coding changes :)

Err... but my proposal does require a little code change. The way I propose
is to have a two-stage hashing.

1. The server stores the standard hashed password in the password file (Yes, I
know it is crackable, but I am not too concerned about security. If I were, I
would be using the other method to access the server).

2. When requesting authentication from the client, the server will send a
challenge (secret) to the client.

3. The client will perform the standard hash on the password, then hash the
password again with the secret from the server. Then the twice-hashed
password is sent back to the server to complete the authentication.

4. The server will grab the hashed password from the passwd file and apply
the secret to the standard hashed password for comparison with the hashed
password sent by the client.

> If someone wants a higher degree of security then they can
> use Apache and SSL or I suppose SSH+SVN. If we
> recreate all of that in svnserve it will wind up being harder
> to setup than Apache and the code will be a lot more
> difficult to maintain.

Agree. I have no intention to complicate things. One thing I have to say
about the Subversion project is that it's just great. For a long time I have
not seen an open source project with code that is easy to follow. Though I
have not really dug deep into the code of Subversion, what I have seen
so far, I like.

> I realize you were not necessarily advocating that any
> changes be made.

Yes, I am happy with just changing the code on a local basis and not putting
those changes back to the project, to complicate things so to speak. Though
the project is welcome to take in the changes if I ever come around to
making them. After all, this is an open source project, and good/reasonable
contribution from the community is always welcome, right?

Regards,

Han.

----
Ng, Wey-Han
Atos Origin
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org
Received on Fri Jun 4 11:26:46 2004
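The four-step exchange sketched in the mail above, written out as an added example (not svnserve code, not the poster's code). It assumes the "standard hash" is SHA-256 of the password and that the second stage is HMAC-SHA256 keyed with that digest over a random server challenge; the passwd file contents are constructed sample data. It also shows the two checks a practitioner would want before relying on such a scheme: a captured response must not be replayable against a fresh challenge, and the stored digest alone is enough to answer the challenge, so a leaked passwd file is password-equivalent for this protocol even though the plaintext is never revealed.

```python
"""Two-stage hashed challenge-response, as described in the mail above.

Added example; not Subversion/svnserve code. Assumptions (not from the mail):
stage one is SHA-256 of the UTF-8 password, stage two is HMAC-SHA256 keyed
with that digest over a 32-byte random challenge.
"""
import hashlib
import hmac
import secrets
from typing import Callable, Dict


def standard_hash(password: str) -> bytes:
    # Stage 1: the value the server keeps in the passwd file (assumed SHA-256).
    return hashlib.sha256(password.encode("utf-8")).digest()


def response(stage1_digest: bytes, challenge: bytes) -> bytes:
    # Stage 2: combine the stage-1 digest with the server's secret.
    # The client derives stage1_digest from the password; the server reads it
    # from the passwd file. Both must arrive at the same value.
    return hmac.new(stage1_digest, challenge, hashlib.sha256).digest()


class Server:
    def __init__(self, passwd_file: Dict[str, bytes]) -> None:
        self.passwd = passwd_file            # user -> standard_hash(password)
        self.pending: Dict[str, bytes] = {}  # user -> outstanding challenge

    def challenge(self, user: str) -> bytes:
        # Fresh random challenge per attempt. A fixed or reused challenge would
        # let anyone who sniffed one valid response replay it.
        c = secrets.token_bytes(32)
        self.pending[user] = c
        return c

    def verify(self, user: str, resp: bytes) -> bool:
        c = self.pending.pop(user, None)  # one-shot: consumed on first use
        stored = self.passwd.get(user)
        if c is None or stored is None:
            return False
        # Constant-time comparison so the check does not leak matching prefixes.
        return hmac.compare_digest(response(stored, c), resp)


class Client:
    def __init__(self, password: str) -> None:
        self.password = password

    def answer(self, challenge: bytes) -> bytes:
        return response(standard_hash(self.password), challenge)


def run_login(server: Server, user: str,
              answer: Callable[[bytes], bytes]) -> bool:
    # One full exchange: server issues challenge, client answers, server checks.
    c = server.challenge(user)
    return server.verify(user, answer(c))


def demo() -> Dict[str, bool]:
    passwd_file = {"han": standard_hash("correct horse")}  # constructed sample
    srv = Server(passwd_file)
    results: Dict[str, bool] = {}
    results["good_password"] = run_login(srv, "han", Client("correct horse").answer)
    results["bad_password"] = run_login(srv, "han", Client("wrong").answer)
    results["unknown_user"] = run_login(srv, "nobody", Client("correct horse").answer)

    # Replay check: capture a valid response, then send it to a new challenge.
    captured: Dict[str, bytes] = {}

    def capturing(c: bytes) -> bytes:
        captured["resp"] = Client("correct horse").answer(c)
        return captured["resp"]

    run_login(srv, "han", capturing)
    results["replay_rejected"] = not run_login(srv, "han", lambda c: captured["resp"])

    # Caveat: the stage-1 digest from the passwd file is all that is needed to
    # answer the challenge, so whoever reads that file can log in without ever
    # learning the plaintext password.
    stolen = passwd_file["han"]
    results["stolen_hash_logs_in"] = run_login(srv, "han", lambda c: response(stolen, c))
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The design does meet the concern stated in the thread (the administrator never sees or handles plaintext passwords), but note what it does not do: it does not stop an attacker who obtains the passwd file, and it does nothing for the confidentiality of the repository traffic itself, which is why the thread points at Apache with SSL or svn over ssh for anything beyond that.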

This is an archived mail posted to the Subversion Dev mailing list.
