Re: RFC: Encrypting ~/.subversion/auth on Windows

From: Branko Čibej <brane_at_xbc.nu>
Date: 2004-11-13 03:01:43 CET

Branko Čibej wrote:

> Ben Collins-Sussman wrote:
>
>>
>> On Nov 12, 2004, at 6:31 PM, Sigfred Håversen wrote:
>>
>>>
>>> Slightly offtopic, why not encrypt the passwords for svnserve?
>>
>>
>>
>> IIRC, because of the way the CRAM-MD5 algorithm works, the server
>> needs access to the actual password, not a hashed version of it.
>
>
> Oh! Ouch.

Oof. I just read the CRAM-MD5 RFC, and it doesn't require you to store
cleartext on the server. We could store hashed passwd representations on
the server without changing client code. But if someone lifted those
hashes off of the server, they'd be able to modify the client to
authenticate with the server anyway.

-- Brane

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org
Received on Sat Nov 13 03:03:32 2004

This message: [ Message body ]
Next message: Josh Pieper: "Re: svn blame on trunk"
Previous message: Shatzer, Larry: "[BOOKPATCH] Various fixes"
In reply to: Branko Čibej: "Re: RFC: Encrypting ~/.subversion/auth on Windows"
Next in thread: kfogel_at_collab.net: "Re: RFC: Encrypting ~/.subversion/auth on Windows"
Reply: kfogel_at_collab.net: "Re: RFC: Encrypting ~/.subversion/auth on Windows"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]