Re: passwords in subversion

From: Daniel Patterson <danpat_at_danpat.net>
Date: 2004-12-12 08:04:19 CET

Ben Collins-Sussman wrote:
>
> Rainer: the problem is cryptograhpically tricky. If the server stores
> hashed passwords (like those in htpasswd, or in /etc/passwd), then
> cleartext passwords must pass over the network. If the server stores
> cleartext passwords, then hashes may pass over the network.

Actually, you can have the best of both worlds.

Server stores HASH(pw)

Client generates random token, and calculates this:

authstring = HASH(HASH(pw)+token)

   Client sends "authstring,token" to server. Server can recalculate
   authstring to verify that the client knew "pw" (or at least,
   HASH(pw)). Neither "pw", nor "HASH(pw)" are ever sent over the
   wire.

   If someone can get copies of the hash, then you're still screwed
   (the hash is basically the password), but hopefully, hashes are harder
   for people to remember by looking over your shoulder.

(Is this how HTTP Digest authentication works? I should go read the
RFC...)

daniel

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org
Received on Sun Dec 12 08:07:14 2004

This message: [ Message body ]
Next message: Paul Querna: "Re: passwords in subversion"
Previous message: Martin A. Brooks: "Re: passwords in subversion"
In reply to: Ben Collins-Sussman: "Re: passwords in subversion"
Next in thread: Paul Querna: "Re: passwords in subversion"
Reply: Paul Querna: "Re: passwords in subversion"
Reply: Michael Sweet: "Re: passwords in subversion"
Reply: Ben Collins-Sussman: "Re: passwords in subversion"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]