
Re: storing user passwords in non-cleartext form in password-db file

From: <kfogel_at_collab.net>
Date: 2004-10-25 15:12:39 CEST

W J <wjlost@yahoo.com> writes:
> Is there a way to store the passwords configured in
> the password file (pointed to by password-db) in
> non-cleartext form?
> I realize that obscurity is not security, but in my
> case, our development is based on trust, so I am not
> worried about security at all. We need some way of
> authenticating users (to know who made each change to
> the sources), and I want to avoid seeing the other
> users' passwords in plaintext.

Do you mean scramble passwords so someone seeing a password
accidentally won't be able to read it?

CVS does something like this in the ~/.cvspass file. But the encoding
is static and easily cracked, and this is by necessity, since CVS
itself has to be able to unscramble it, without reference to any
meta-passwords. Thus it's only a protection against accidentally
exposing your password to basically trustworthy people. It offers no
protection against people actively cracking the password. The file's
permissions are the only protection against that.

Note that CVS sends the scrambled version over the wire. Subversion
already avoids doing that over svn://, and of course the http://
authentication protocol is beyond Subversion's control. Therefore,
one of the main purposes of CVS's scrambling does not apply to
Subversion. This is one of the reasons we have not implemented it.

By the way, when I say "no protection", I mean: here's a Perl script
that descrambles CVS passwords :-). If Subversion were to offer a
similar feature, a script like this could be written for Subversion.

--------------------8-<-------cut-here---------8-<-----------------------
#!/usr/bin/perl -w

use strict;

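# Map each byte of the argument through the fixed substitution table
# below and prepend "A".  The table is its own inverse, so passing
# scrambled bytes through it again yields the original bytes.
sub scramble_password
{
  my $plaintext = shift;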
  my @shifts =
      (
       0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15,
       16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31,
       114,120, 53, 79, 96,109, 72,108, 70, 64, 76, 67,116, 74, 68, 87,
       111, 52, 75,119, 49, 34, 82, 81, 95, 65,112, 86,118,110,122,105,
       41, 57, 83, 43, 46,102, 40, 89, 38,103, 45, 50, 42,123, 91, 35,
       125, 55, 54, 66,124,126, 59, 47, 92, 71,115, 78, 88,107,106, 56,
       36,121,117,104,101,100, 69, 73, 99, 63, 94, 93, 39, 37, 61, 48,
       58,113, 32, 90, 44, 98, 60, 51, 33, 97, 62, 77, 84, 80, 85,223,
       225,216,187,166,229,189,222,188,141,249,148,200,184,136,248,190,
       199,170,181,204,138,232,218,183,255,234,220,247,213,203,226,193,
       174,172,228,252,217,201,131,230,197,211,145,238,161,179,160,212,
       207,221,254,173,202,146,224,151,140,196,205,130,135,133,143,246,
       192,159,244,239,185,168,215,144,139,165,180,157,147,186,214,176,
       227,231,219,169,175,156,206,198,129,164,150,210,154,177,134,127,
       182,128,158,208,162,132,167,209,149,241,153,251,237,236,171,195,
       243,233,253,240,194,250,191,155,142,137,245,235,163,242,178,152
       );

  my @plainnums = unpack ('C*', $plaintext);
  my @scrambled_nums;
  my $scrambled_text = "";
  foreach my $num (@plainnums) {
    push @scrambled_nums, ($shifts[$num]);
  }
  $scrambled_text = pack ('C*', @scrambled_nums);

  return "A${scrambled_text}";
}

my $password = shift || die ("Need an argument -- the password to scramble.");
my $scrambled_password = &scramble_password ($password);
print "${scrambled_password}\n";

Received on Mon Oct 25 17:14:53 2004
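
The message above says the file's permissions are the only protection for scrambled entries. The following check for that is an added example, not part of the original mail or of CVS or Subversion. The line layout (an optional "/1" field, the CVSROOT, then "A" plus scrambled bytes), the names `audit_cvspass` and `demo`, and the sample entries are assumptions constructed for illustration.

```python
import os
import stat
import tempfile

# Constructed sample entries (not real credentials). Assumed layout per line:
# an optional "/1" version field, the CVSROOT, then "A" + scrambled bytes.
SAMPLE = (
    b"/1 :pserver:alice@cvs.example.org:2401/repo Ay=0=\n"
    b":pserver:bob@cvs.example.org:/repo A dZ,\n"
)

def audit_cvspass(path):
    """Return findings for a .cvspass-style file without echoing any secret."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"mode {mode:04o}: accessible beyond the owner")
    with open(path, "rb") as fh:
        for lineno, raw in enumerate(fh, 1):
            line = raw.rstrip(b"\r\n")
            if line.startswith(b"/1 "):
                line = line[3:]
            # Split once only: scrambled bytes may themselves contain spaces.
            root, sep, secret = line.partition(b" ")
            if sep and secret.startswith(b"A"):
                name = root.decode("latin-1")
                findings.append(f"line {lineno}: {name} stores a reversible password")
    return findings

def demo():
    """Audit the constructed sample at mode 0644, then again at 0600."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "cvspass")
        with open(path, "wb") as fh:
            fh.write(SAMPLE)
        os.chmod(path, 0o644)
        loose = audit_cvspass(path)
        os.chmod(path, 0o600)
        tight = audit_cvspass(path)
    return loose, tight

if __name__ == "__main__":
    for label, result in zip(("0644", "0600"), demo()):
        print(label, *result, sep="\n  ")
```

Tightening the mode clears only the permission finding; the per-entry findings remain because the stored form is reversible by design.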

This is an archived mail posted to the Subversion Users mailing list.
