[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: Feature Request: clients shouldn't store auth-creds

From: Nicolás Lichtmaier <nick_at_reloco.com.ar>
Date: 2005-01-10 00:09:03 CET

>>>> The svnserve+ssh combo already has its own "private" solution
>>>> (with ssh-agent).
>>>> The point of this idea is to avoid having the client send a
>>>> plaint text password in each request. I don't see any way of
>>>> dealing with this in Apache other than with a modified auth module.
>>> mod_auth_digest? https://?
>> No. Both https and mod_auth_digest are ways to send a plain text
>> password securely. And this plain text password must be sent *every
>> time*. I'm talking about some server component (e.g. an apache auth
>> module) which would hand over temporary session tokens/credentials.
>> An administrator would be able to configure the expiry time of these
>> tokens (2 hours? 1 day? a week?).
> Ah. Do you realise that passing a session token back and forth in the
> clear is just as insecure as passing a cleartext password?

Of course, but the session token would expire in a short time, and it
can be made it so it's valid only when used from a certain IP address.
So if it gets stolen the damage is less than if a real password were stolen.

To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org
Received on Mon Jan 10 00:10:56 2005

This is an archived mail posted to the Subversion Dev mailing list.

This site is subject to the Apache Privacy Policy and the Apache Public Forum Archive Policy.