Re: passwords in subversion

From: Ben Collins-Sussman <sussman_at_collab.net>
Date: 2004-12-12 15:31:00 CET

On Dec 12, 2004, at 1:04 AM, Daniel Patterson wrote:

>
> Server stores HASH(pw)
>
> Client generates random token, and calculates this:
>
> authstring = HASH(HASH(pw)+token)

IIRC, svnserve is doing CRAM-MD5 right now, which is *almost* the same
thing:

authstring = HASH(pw + token).

>
> Client sends "authstring,token" to server. Server can recalculate
> authstring to verify that the client knew "pw" (or at least,
> HASH(pw)). Neither "pw", nor "HASH(pw)" are ever sent over the
> wire.

And in CRAM-MD5, the server stores cleartext "pw", so it knows that the
client knew "pw". Just like digest auth, the password never travels
over the network in the clear.

>
> If someone can get copies of the hash, then you're still screwed
> (the hash is basically the password), but hopefully, hashes are
> harder
> for people to remember by looking over your shoulder.
>

Agreed. But rather than implement a whole new (almost identical) authn
system, why not just have svnserve store the user-db with a trivial
scramble. It solves the same "over the shoulder" problem, with a lot
less work.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org
Received on Sun Dec 12 15:36:19 2004

This message: [ Message body ]
Next message: Ben Collins-Sussman: "Re: Confusing peg revision syntax and default values"
Previous message: Michael Sweet: "Re: passwords in subversion"
In reply to: Daniel Patterson: "Re: passwords in subversion"
Next in thread: Greg Hudson: "Re: passwords in subversion"
Reply: Greg Hudson: "Re: passwords in subversion"
Reply: kfogel_at_collab.net: "Re: passwords in subversion"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]