[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: Moving away from plain-text passwords in the server-side passwd file

From: Greg Hudson <ghudson_at_MIT.EDU>
Date: Wed, 21 May 2008 00:14:07 -0400

On Tue, 2008-05-20 at 20:42 -0700, Jeff Robins wrote:
> Yes, but doesn't that require an external authentication manager? I
> would like to provide a method for internal authentication using
> non-plain-text stored passwords.

First and foremost, Subversion doesn't want to implement more security
code than it has to. (Or at least, when I designed svnserve that was a
goal.) svnserve's built-in password support was a stopgap and was
intended to be as simple as possible. To the extent that it presents
deployment issues (and there are many besides the most obvious), the
best solution is to rely on third-party code, not to flesh out the
stopgap.

I'm not sure what you mean by an "external authentication manager."
Cyrus SASL is a library; it does not (to my knowledge) require an
external network entity to do authentication, if that's what you mean.

There are a few other issues with your proposal--not necessarily fatal
flaws:

1. Your proposal turns the MD5 of the password into the password itself.
That prevents the typed password from being recovered from the server
and used with dissimilar systems, but doesn't prevent the MD5 of the
password from being used with other systems using the same technique.
So it fails the categorical imperative--if Subversion alone does this,
it has some value, but if everyone does it, it doesn't solve any
problems. Hashing the password together with something else (like the
auth realm, or the string "svn") fixes this issue but further increases
the amount of complexity we don't want in Subversion's code.

2. You're inventing a new authentication protocol. ra_svn uses the SASL
protocol framework (whether or not it uses the Cyrus SASL
implementation); your proposal would be departing from that standard.

3. Your proposal requires supply a tool to manage svnserve passwd files
(like httpd's "htpasswd" command). Part of the reason for being so
simplistic is to avoid having to provide another user-facing tool.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe_at_subversion.tigris.org
For additional commands, e-mail: dev-help_at_subversion.tigris.org
Received on 2008-05-21 06:14:26 CEST

This is an archived mail posted to the Subversion Dev mailing list.