
Re: svnserve password store in clear text

From: Branko Čibej <brane_at_xbc.nu>
Date: 2004-06-04 00:15:42 CEST

Mark Benedetto King wrote:

>On Thu, Jun 03, 2004 at 12:02:32PM +0800, Ng, Wey Han wrote:
>
>>I have a proposal. Here goes:
>>
>>In the libsvn_ra_svn library the compute_digest (in cram.c) function the
>
>Your suggestion boils down to "have svn treat the secret as if it were
>really MD5(secret)".
>
>If the problem you're trying to solve is one of people not liking their
>favorite plaintext passwords to exist in files on the svn server, why
>not just have them generate hashes of their plaintext passwords and
>send you those? You can put those in the password file (or write a
>CGI program to do it).
>
>They enter that hash rather than their plaintext password the one time
>that svn asks them for it, and voila, everything works.
>
>As an added benefit, they can use whatever hash function they want!
>
That doesn't mean a thing, you know. Anyone who can read the "hashed"
password can still spoof the user id -- since it's not actually hashed,
it's just a weird-looking plain text password.

-- 
Brane Čibej   <brane_at_xbc.nu>   http://www.xbc.nu/brane/
Received on Fri Jun 4 00:16:37 2004
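
The point made in the reply above, as an added example that is not part of the original mail and is not Subversion's code: a simplified model of a CRAM-MD5 exchange (RFC 2195) in which the server's password file holds MD5(password) and uses that value as the HMAC key. All function names, the sample password and the challenge format are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


def cram_md5_response(key: bytes, challenge: bytes) -> str:
    """CRAM-MD5 response: hex HMAC-MD5 of the challenge under the shared key."""
    return hmac.new(key, challenge, hashlib.md5).hexdigest()


def stored_value(password: str) -> bytes:
    """Hypothetical password-file entry under the proposal: hex MD5(password)."""
    return hashlib.md5(password.encode()).hexdigest().encode()


def new_challenge() -> bytes:
    """Fresh per-connection challenge (constructed format, placeholder host)."""
    return b"<" + secrets.token_hex(8).encode() + b"@svn.example.invalid>"


def server_verify(entry: bytes, challenge: bytes, response: str) -> bool:
    """Server side: recompute the response from the file entry and compare."""
    return hmac.compare_digest(cram_md5_response(entry, challenge), response)


def client_with_password(password: str, challenge: bytes) -> str:
    """Legitimate user: derives the key from the password they know."""
    return cram_md5_response(stored_value(password), challenge)


def client_with_file_entry(entry: bytes, challenge: bytes) -> str:
    """Anyone who can read the password file: has the entry, not the password."""
    return cram_md5_response(entry, challenge)


def demo() -> dict:
    password = "correct horse"          # constructed sample password
    entry = stored_value(password)      # what sits in the server's file
    challenge = new_challenge()
    return {
        "user_ok": server_verify(
            entry, challenge, client_with_password(password, challenge)),
        "file_entry_alone_ok": server_verify(
            entry, challenge, client_with_file_entry(entry, challenge)),
        "wrong_password_ok": server_verify(
            entry, challenge, client_with_password("wrong guess", challenge)),
    }


if __name__ == "__main__":
    print(demo())
```

Because the file entry is itself the HMAC key, it authenticates exactly as the password does, so the password file needs the same access controls whether it holds the plaintext or its MD5.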

This is an archived mail posted to the Subversion Dev mailing list.
