
Re: passwords in subversion

From: Ben Collins-Sussman <sussman_at_collab.net>
Date: 2004-12-12 15:31:00 CET

On Dec 12, 2004, at 1:04 AM, Daniel Patterson wrote:

>
> Server stores HASH(pw)
>
> Client generates random token, and calculates this:
>
> authstring = HASH(HASH(pw)+token)

IIRC, svnserve is doing CRAM-MD5 right now, which is *almost* the same
thing:

      authstring = HASH(pw + token).

>
> Client sends "authstring,token" to server. Server can recalculate
> authstring to verify that the client knew "pw" (or at least,
> HASH(pw)). Neither "pw", nor "HASH(pw)" are ever sent over the
> wire.

And in CRAM-MD5, the server stores cleartext "pw", so it knows that the
client knew "pw". Just like digest auth, the password never travels
over the network in the clear.

>
> If someone can get copies of the hash, then you're still screwed
> (the hash is basically the password), but hopefully, hashes are harder
> for people to remember by looking over your shoulder.
>

Agreed. But rather than implement a whole new (almost identical) authn
system, why not just have svnserve store the user-db with a trivial
scramble. It solves the same "over the shoulder" problem, with a lot
less work.

Received on Sun Dec 12 15:36:19 2004
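The scheme sketched in the quoted message (server stores HASH(pw), client proves knowledge of HASH(pw) under a random token without sending it) as an added, runnable model. This is example code written for this archive page, not svnserve's or Subversion's code. It assumes SHA-256 as HASH (the thread names none), byte concatenation for "+", and a 16-byte random token; the `Server`/`Client` classes and `demo()` are illustrative names. It also shows the point both writers agree on: whoever holds the stored hash can authenticate without knowing the password.

```python
import hashlib
import hmac
import os

# Added example, not svnserve's code. It models the scheme in the thread:
#   server stores   HASH(pw)
#   client computes authstring = HASH(HASH(pw) + token) for a random token
#   server recomputes authstring from its stored HASH(pw) and the token.
# Assumptions: HASH is SHA-256, "+" is byte concatenation, token is 16 bytes.


def pw_hash(pw: bytes) -> bytes:
    """HASH(pw): the only per-user secret the server keeps."""
    return hashlib.sha256(pw).digest()


def authstring(stored_hash: bytes, token: bytes) -> bytes:
    """HASH(HASH(pw) + token): what actually travels over the wire."""
    return hashlib.sha256(stored_hash + token).digest()


class Server:
    """Holds HASH(pw) per user; neither pw nor HASH(pw) is ever received."""

    def __init__(self):
        self.users = {}  # username -> HASH(pw)

    def register(self, user: str, pw: bytes) -> None:
        self.users[user] = pw_hash(pw)

    def verify(self, user: str, token: bytes, auth: bytes) -> bool:
        stored = self.users.get(user)
        if stored is None:
            return False
        # Constant-time compare so the check itself leaks nothing about auth.
        return hmac.compare_digest(authstring(stored, token), auth)


class Client:
    """Knows HASH(pw) and proves it without sending pw or HASH(pw)."""

    def __init__(self, user: str, verifier: bytes):
        self.user = user
        self.verifier = verifier  # HASH(pw)

    @classmethod
    def from_password(cls, user: str, pw: bytes) -> "Client":
        return cls(user, pw_hash(pw))

    def login(self, token=None):
        """Return (user, token, authstring): the only values sent."""
        if token is None:
            token = os.urandom(16)
        return self.user, token, authstring(self.verifier, token)


def demo() -> dict:
    """Run the four cases a reviewer of this scheme would want to see."""
    server = Server()
    server.register("alice", b"correct horse battery staple")
    results = {}

    # 1. Genuine client: server recomputes the same authstring.
    user, token, auth = Client.from_password(
        "alice", b"correct horse battery staple").login()
    results["good_password"] = server.verify(user, token, auth)

    # 2. Wrong password: HASH(pw') differs, so authstring does not match.
    user, token, auth = Client.from_password("alice", b"wrong").login()
    results["wrong_password"] = server.verify(user, token, auth)

    # 3. A copy of the stored hash is enough: "the hash is basically the
    #    password", so the user-db must be protected like one.
    leaked = server.users["alice"]
    user, token, auth = Client("alice", leaked).login()
    results["hash_only"] = server.verify(user, token, auth)

    # 4. An authstring computed for one token fails under another token.
    user, token, auth = Client.from_password(
        "alice", b"correct horse battery staple").login()
    results["token_mismatch"] = server.verify(user, os.urandom(16), auth)

    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:15s} -> {'accepted' if ok else 'rejected'}")
```

Case 4 is where the client-chosen token in the quoted proposal differs from a server-issued challenge: the server here has no way to know a token is fresh, so a (token, authstring) pair captured once would verify again, whereas a challenge the server generates per login (as in CRAM-MD5, which RFC 2195 defines as HMAC-MD5 keyed with the password over a server-supplied challenge) is used only once. Case 3 is the reason the stored verifier needs the same protection as a cleartext password whichever variant is chosen.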

This is an archived mail posted to the Subversion Dev mailing list.
