[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: passwords in subversion

From: pat <pat_at_xvalheru.org>
Date: 2004-12-12 22:28:11 CET

Thanks to all !!!

        Pat

Ben Collins-Sussman wrote:
>
> On Dec 12, 2004, at 1:04 AM, Daniel Patterson wrote:
>
>>
>> Server stores HASH(pw)
>>
>> Client generates random token, and calculates this:
>>
>> authstring = HASH(HASH(pw)+token)
>
>
> IIRC, svnserve is doing CRAM-MD5 right now, which is *almost* the same
> thing:
>
> authstring = HASH(pw + token).
>
>>
>> Client sends "authstring,token" to server. Server can recalculate
>> authstring to verify that the client knew "pw" (or at least,
>> HASH(pw)). Neither "pw", nor "HASH(pw)" are ever sent over the
>> wire.
>
>
> And in CRAM-MD5, the server stores cleartext "pw", so it knows that the
> client knew "pw". Just like digest auth, the password never travels
> over the network in the clear.
>
>>
>> If someone can get copies of the hash, then you're still screwed
>> (the hash is basically the password), but hopefully, hashes are harder
>> for people to remember by looking over your shoulder.
>>
>
> Agreed. But rather than implement a whole new (almost identical) authn
> system, why not just have svnserve store the user-db with a trivial
> scramble. It solves the same "over the shoulder" problem, with a lot
> less work.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Received on Sun Dec 12 22:30:20 2004

This is an archived mail posted to the Subversion Users mailing list.

This site is subject to the Apache Privacy Policy and the Apache Public Forum Archive Policy.