
Re: naive authentication scheme for ra_svn

From: Mukund <mukund_at_tessna.com>
Date: 2003-09-14 00:20:39 CEST

On Sat, Sep 13, 2003 at 05:49:00PM -0400, Garrett Rooney wrote:
> Well, I was playing around this weekend, and I hacked something together
> to do just that. It implements a new SASL mechanism, 'NAIVE', which has
> the user send a username and an md5 encoded password over the wire to
> the server, which authenticates them against a simple tab delimited file.

In the same sense, HTTP's digest authentication is severely flawed, as
the password each time computes to the same digest. The real password is
safe, but this still does not provide real security.

Have you looked at APOP authentication? It uses MD5 and passwords in a
nicer way. Authentication is 2-step. Upon connection, the server
first responds with a random text string. Then the client is supposed to
append the password to the text string, compute its MD5 and send it back
to the server. At no two times is the computed hash the same, as the
string returned by the server is random. The drawback of this method is
that it requires the password to be stored in cleartext on the server
side.

CRAM-MD5 is also worth looking at.

-- 
Mukund
The very powerful and the very stupid have one thing in common.  Instead of
altering their views to fit the facts, they alter the facts to fit their
views ... which can be very uncomfortable if you happen to be one of the
facts that needs altering.
                -- Doctor Who, "Face of Evil"
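The exchange described in the mail, worked through as an added example that is not part of the original post and not Subversion's own ra_svn code: a server that issues a fresh random challenge, a client that answers with MD5(challenge + password) in the APOP style (and, for comparison, an HMAC-MD5 answer in the CRAM-MD5 style), and a verifier that recomputes the expected response from a stored cleartext password. The credential store, the `example.invalid` hostname in the challenge and the session helper are constructed for illustration. Running it shows the contrast with the quoted 'NAIVE' scheme: a static MD5 of the password is the same on every connection, whereas a challenge-response answer captured from one session does not verify in another.

```python
import hashlib
import hmac
import secrets

# Constructed credential store for the example. Both APOP and CRAM-MD5 need
# the server to hold the cleartext password, the drawback the mail points out.
USERS = {"alice": "correct horse battery staple"}


def naive_token(password: str) -> str:
    """The 'NAIVE' scheme quoted in the mail: MD5 of the password alone.
    The same bytes go over the wire on every connection."""
    return hashlib.md5(password.encode()).hexdigest()


def make_challenge() -> str:
    """Server side: a fresh random challenge string for each connection.
    RFC 1939's APOP banner has the shape '<pid.clock@hostname>'; the hostname
    here is a placeholder and the random part is a 64-bit nonce."""
    return f"<{secrets.token_hex(8)}@example.invalid>"


def apop_response(challenge: str, password: str) -> str:
    """Client side of APOP: MD5 over the challenge with the password appended."""
    return hashlib.md5((challenge + password).encode()).hexdigest()


def cram_md5_response(challenge: str, password: str) -> str:
    """Client side of CRAM-MD5 (RFC 2195): HMAC-MD5 of the challenge keyed
    with the password, so the password is not simply concatenated into the
    hash input."""
    return hmac.new(password.encode(), challenge.encode(), hashlib.md5).hexdigest()


def verify(scheme: str, challenge: str, username: str, response: str) -> bool:
    """Server side: recompute the expected response from the stored cleartext
    password and compare in constant time. Unknown users fail closed."""
    password = USERS.get(username)
    if password is None:
        return False
    respond = apop_response if scheme == "apop" else cram_md5_response
    return hmac.compare_digest(respond(challenge, password), response)


def replay_demo(scheme: str) -> dict:
    """Two sessions for the same user: the genuine response passes in the
    session it was computed for and fails if replayed into another session."""
    password = USERS["alice"]
    respond = apop_response if scheme == "apop" else cram_md5_response
    c1, c2 = make_challenge(), make_challenge()
    r1 = respond(c1, password)
    return {
        "challenges_differ": c1 != c2,
        "responses_differ": r1 != respond(c2, password),
        "fresh_ok": verify(scheme, c1, "alice", r1),
        "replay_ok": verify(scheme, c2, "alice", r1),
        "wrong_user_ok": verify(scheme, c1, "bob", r1),
    }


if __name__ == "__main__":
    pw = USERS["alice"]
    print("naive token identical across connections:", naive_token(pw) == naive_token(pw))
    for scheme in ("apop", "cram-md5"):
        print(scheme, replay_demo(scheme))
```

The verifier uses `hmac.compare_digest` rather than `==` so that the comparison does not leak how many leading bytes of the response matched. Note that the replay resistance comes entirely from the challenge being unpredictable and unique per connection; a server that reused challenges, or derived them from something an observer could guess, would be back to the static-token situation.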
Received on Sun Sep 14 00:30:34 2003

This is an archived mail posted to the Subversion Dev mailing list.
