[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: RFC: Encrypting ~/.subversion/auth on Windows

From: Branko Čibej <brane_at_xbc.nu>
Date: 2004-11-13 03:01:43 CET

Branko Čibej wrote:

> Ben Collins-Sussman wrote:
>
>>
>> On Nov 12, 2004, at 6:31 PM, Sigfred Håversen wrote:
>>
>>>
>>> Slightly offtopic, why not encrypt the passwords for svnserve?
>>
>>
>>
>> IIRC, because of the way the CRAM-MD5 algorithm works, the server
>> needs access to the actual password, not a hashed version of it.
>
>
> Oh! Ouch.

Oof. I just read the CRAM-MD5 RFC, and it doesn't require you to store
cleartext on the server. We could store hashed passwd representations on
the server without changing client code. But if someone lifted those
hashes off of the server, they'd be able to modify the client to
authenticate with the server anyway.

-- Brane

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org
Received on Sat Nov 13 03:03:32 2004

This is an archived mail posted to the Subversion Dev mailing list.