[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: RFC: Encrypting ~/.subversion/auth on Windows

From: Branko Čibej <brane_at_xbc.nu>
Date: 2004-11-13 03:01:43 CET

Branko Čibej wrote:

> Ben Collins-Sussman wrote:
>> On Nov 12, 2004, at 6:31 PM, Sigfred Håversen wrote:
>>> Slightly offtopic, why not encrypt the passwords for svnserve?
>> IIRC, because of the way the CRAM-MD5 algorithm works, the server
>> needs access to the actual password, not a hashed version of it.
> Oh! Ouch.

Oof. I just read the CRAM-MD5 RFC, and it doesn't require you to store
cleartext on the server. We could store hashed passwd representations on
the server without changing client code. But if someone lifted those
hashes off of the server, they'd be able to modify the client to
authenticate with the server anyway.

-- Brane

To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org
Received on Sat Nov 13 03:03:32 2004

This is an archived mail posted to the Subversion Dev mailing list.

This site is subject to the Apache Privacy Policy and the Apache Public Forum Archive Policy.