Re: svnserve password store in clear text

From: Greg Hudson <ghudson_at_MIT.EDU>
Date: 2004-06-02 20:23:24 CEST

On Wed, 2004-06-02 at 12:54, kfogel@collab.net wrote:
> Greg Hudson <ghudson@MIT.EDU> writes:
> > I will, at some point,
> > look into a way to make it so that the secret is a hash of the password
> > together with the authentication domain.

> How is the "secret" not a "password", then? I'm not seeing how this
> fundamentally changes the dynamics of the situation. The server and
> client still have to know the same secret, and the secret is not
> transmitted in the clear over the network.

It means if the user is using the same password for Subversion and for
some other purpose, the repository administrator can't (except through
dictionary attack) discover the password being used for the other
purpose. (Even for another Subversion repository, since the password is
hashed together with the authentication domain, which from the client's
perspective includes the server name. Although, that means your
password stops working if you start using a different name for the same
server...)

Think of this functionality as being like Schneier's Password Safe
(http://www.schneier.com/passsafe.html).

Received on Wed Jun 2 20:24:10 2004
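
The scheme described in the message above, sketched as an added example (not part of the original post and not Subversion's code): the stored secret is a hash of the password and the authentication domain, and login is a challenge-response over that secret. Assumptions: PBKDF2-HMAC-SHA256 as the hash, HMAC-SHA256 standing in for svnserve's CRAM-MD5 exchange, and hypothetical function names and realm strings.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 200_000  # assumed work factor; slows the dictionary attack the post mentions


def derive_secret(password: str, realm: str) -> bytes:
    """Per-realm shared secret: a slow hash of the password salted with the realm."""
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), realm.encode("utf-8"), ITERATIONS
    )


def respond(secret: bytes, challenge: bytes) -> str:
    """Client side: prove knowledge of the secret without sending it."""
    return hmac.new(secret, challenge, hashlib.sha256).hexdigest()


def verify(stored_secret: bytes, challenge: bytes, response: str) -> bool:
    """Server side: recompute from the stored secret, compare in constant time."""
    expected = hmac.new(stored_secret, challenge, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, response)


def demo() -> dict:
    password = "correct horse battery staple"  # constructed sample password
    realm_a = "<svn://svn.example.org:3690> repo-a"  # constructed realm strings
    realm_b = "<svn://code.example.net:3690> repo-b"
    alias_a = "<svn://svn-alias.example.org:3690> repo-a"  # same server, new name

    # What server A's password file would hold instead of the clear-text password.
    stored_a = derive_secret(password, realm_a)
    stored_b = derive_secret(password, realm_b)
    challenge = secrets.token_bytes(16)

    return {
        # Normal login: the client derives the same secret from password + realm.
        "login_ok": verify(stored_a, challenge, respond(derive_secret(password, realm_a), challenge)),
        # Server A's stored secret does not authenticate the same user on server B.
        "secret_a_usable_on_b": verify(stored_b, challenge, respond(stored_a, challenge)),
        # The caveat from the post: a different server name yields a different secret.
        "login_via_alias": verify(stored_a, challenge, respond(derive_secret(password, alias_a), challenge)),
    }


if __name__ == "__main__":
    print(demo())
```

The stored value is still sufficient to authenticate to server A itself, so the password file needs the same file permissions as before; what changes is that it no longer reveals a password reused elsewhere.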

This is an archived mail posted to the Subversion Dev mailing list.
