On Wed, 2004-06-02 at 04:25, Ng, Wey Han wrote:
> I am wondering if the password will be changed to an encrypted form in the
> future? I have checked the project home page and there is no mention of
> fixing this in the plans.
As with most people who make this request, you're starting from the
(reasonable) misconception that the client transmits the password to the
server. That's not how it works; the server sends a challenge, and the
client sends a response proving that it knows the password. For this
"shared secret authentication" mechanism to work, the server has to know
the password itself, not a one-way hash of it.
There is a potential out here; the server and client only have to share
a secret, not necessarily the password itself. I will, at some point,
look into a way to make it so that the secret is a hash of the password
together with the authentication domain. I didn't do this initially
because (1) it's not how CRAM-MD5 is specified, and (2) it complicates
repository administration and requires us to provide an extra
command-line tool to perform the password encryption.
Received on Wed Jun 2 17:38:24 2004
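
The exchange described in the message above, as an added example that is not part of the original post and is not Subversion's code. It uses the RFC 2195 form of CRAM-MD5; `derive_secret` and its SHA-256 over `realm:password` are assumptions illustrating the "hash of the password together with the authentication domain" idea, and the host, realm and user names are constructed.

```python
import hashlib
import hmac
import os
import time


def make_challenge(host="svn.example.org"):
    # Server side: a fresh, never-reused challenge string (constructed host name).
    return f"<{os.urandom(8).hex()}.{int(time.time())}@{host}>".encode()


def cram_md5_response(user, secret, challenge):
    # Client side: prove knowledge of the secret without sending it.
    digest = hmac.new(secret, challenge, hashlib.md5).hexdigest()
    return f"{user} {digest}"


def server_verify(secrets_db, challenge, response):
    # The server must recompute the same HMAC, so it needs the shared
    # secret itself; a one-way hash the client does not also use is useless here.
    user, _, digest = response.rpartition(" ")
    secret = secrets_db.get(user)
    if secret is None:
        return False
    expected = hmac.new(secret, challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(expected.encode(), digest.encode())


def derive_secret(realm, password):
    # Hypothetical derivation (assumption, not a Subversion format): both
    # sides use H(realm:password) as the shared secret, so the server's
    # password file no longer holds the plaintext password.
    return hashlib.sha256(f"{realm}:{password}".encode()).hexdigest().encode()


def demo():
    realm, user, password = "example-repo", "alice", "correct horse"
    challenge = make_challenge()
    # Mode 1: CRAM-MD5 as specified, server stores the password.
    plain_db = {user: password.encode()}
    ok_plain = server_verify(
        plain_db, challenge, cram_md5_response(user, password.encode(), challenge))
    # Mode 2: server stores only the derived secret; client derives it locally.
    derived_db = {user: derive_secret(realm, password)}
    ok_derived = server_verify(
        derived_db, challenge,
        cram_md5_response(user, derive_secret(realm, password), challenge))
    return ok_plain, ok_derived


if __name__ == "__main__":
    print(demo())
```

In the second mode the stored value is still sufficient to authenticate to that realm, so the password file needs the same file-system protection as before; what changes is that the plaintext password is no longer recoverable from it.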