Nicolás Lichtmaier wrote:
>
>>> The svnserve+ssh combo already has its own "private" solution
>>> (with ssh-agent).
>>>
>>> The point of this idea is to avoid having the client send a
>>> plain text password in each request. I don't see any way of dealing
>>> with this in Apache other than with a modified auth module.
>>
>> mod_auth_digest? https://?
>
> No. Both https and mod_auth_digest are ways to send a plain text
> password securely. And this plain text password must be sent *every
> time*. I'm talking about some server component (e.g. an apache auth
> module) which would hand over temporary session tokens/credentials. An
> administrator would be able to configure the expiry time of these
> tokens (2 hours? 1 day? a week?).

Ah. Do you realise that passing a session token back and forth in the
clear is just as insecure as passing a cleartext password?
-- Brane
Received on Mon Jan 10 00:03:51 2005