
Re: passwords in subversion

From: Daniel Patterson <danpat_at_danpat.net>
Date: 2004-12-12 08:04:19 CET

Ben Collins-Sussman wrote:
>
> Rainer: the problem is cryptographically tricky. If the server stores
> hashed passwords (like those in htpasswd, or in /etc/passwd), then
> cleartext passwords must pass over the network. If the server stores
> cleartext passwords, then hashes may pass over the network.

   Actually, you can have the best of both worlds.

   Server stores HASH(pw)

   Client generates random token, and calculates this:

     authstring = HASH(HASH(pw)+token)

   Client sends "authstring,token" to server. Server can recalculate
   authstring to verify that the client knew "pw" (or at least,
   HASH(pw)). Neither "pw" nor "HASH(pw)" is ever sent over the
   wire.

   If someone can get copies of the hash, then you're still screwed
   (the hash is basically the password), but hopefully, hashes are harder
   for people to remember by looking over your shoulder.

   (Is this how HTTP Digest authentication works? I should go read the
    RFC...)

daniel
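The exchange sketched in the post, as an added example that is not code from the original message or from Subversion. It assumes SHA-256 for HASH (the post names no function) and a hypothetical user "alice". It also runs the variant Daniel asks about: HTTP Digest (RFC 2617, later RFC 7616) stores HA1 = MD5(username:realm:password) on the server and lets the server, not the client, choose the nonce. That detail matters: with a client-chosen token, an eavesdropper can replay a captured (authstring, token) pair, which the demo shows succeeding, whereas a one-shot server nonce rejects the replay. Both variants still fall to anyone holding a copy of HASH(pw), exactly as the post warns.

```python
"""Challenge-response login as sketched in the post, plus the server-nonce
variant that HTTP Digest uses.  Added example, not code from the thread."""
import hashlib
import hmac
import secrets


def H(data: bytes) -> bytes:
    """The HASH() of the post; SHA-256 here (the post names no algorithm)."""
    return hashlib.sha256(data).digest()


class Server:
    """Stores only HASH(pw) per user, never the cleartext password."""

    def __init__(self):
        self._users = {}        # username -> HASH(pw)
        self._issued = set()    # server nonces handed out and not yet consumed

    def register(self, user: str, password: str) -> None:
        self._users[user] = H(password.encode())

    # --- Scheme exactly as in the post: the client picks the token ---------
    def verify(self, user: str, token: bytes, authstring: bytes) -> bool:
        stored = self._users.get(user)
        if stored is None:
            return False
        expected = H(stored + token)
        return hmac.compare_digest(expected, authstring)   # constant-time

    # --- Digest-style variant: the server picks the token (nonce) ----------
    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self._issued.add(nonce)
        return nonce

    def verify_response(self, user: str, nonce: bytes, authstring: bytes) -> bool:
        if nonce not in self._issued:   # unknown or already used: reject
            return False
        self._issued.discard(nonce)     # one-shot, so a captured reply is useless
        return self.verify(user, nonce, authstring)


def client_prove(password: str, token=None):
    """What the client sends: (authstring, token).  Only HASH(HASH(pw)+token)
    and the token cross the wire; neither pw nor HASH(pw) does."""
    if token is None:
        token = secrets.token_bytes(16)
    return H(H(password.encode()) + token), token


def pass_the_hash(stored_hash: bytes, token: bytes) -> bytes:
    """An attacker who copied HASH(pw) from the server answers without ever
    knowing pw: the 'hash is basically the password' caveat from the post."""
    return H(stored_hash + token)


def demo() -> dict:
    """Run each case and return outcome flags (constructed sample data)."""
    srv = Server()
    srv.register("alice", "correct horse")      # hypothetical user
    results = {}

    auth, tok = client_prove("correct horse")
    results["good_password"] = srv.verify("alice", tok, auth)
    bad, tok2 = client_prove("wrong guess")
    results["bad_password"] = srv.verify("alice", tok2, bad)

    # Eavesdropper replays the captured (authstring, token) pair: accepted,
    # because the server keeps no memory of client-chosen tokens.
    results["replay_client_token"] = srv.verify("alice", tok, auth)

    # Same replay against the server-nonce variant: rejected after first use.
    nonce = srv.challenge()
    auth2, _ = client_prove("correct horse", nonce)
    results["good_password_nonce"] = srv.verify_response("alice", nonce, auth2)
    results["replay_server_nonce"] = srv.verify_response("alice", nonce, auth2)

    # Attacker holding a copy of HASH(pw) passes in either variant.
    stolen = H(b"correct horse")
    nonce = srv.challenge()
    results["pass_the_hash"] = srv.verify_response(
        "alice", nonce, pass_the_hash(stolen, nonce))
    return results


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:22s} -> {'accepted' if ok else 'rejected'}")
```

The server-chosen, single-use nonce is what turns the post's sketch into something that resists replay; the remaining weakness, that HASH(pw) is itself a reusable credential, is inherent to any scheme where the server's stored value is all the client needs, which is why the "harder to shoulder-surf" comment is the only honest benefit.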

Received on Mon Dec 13 16:30:06 2004

This is an archived mail posted to the Subversion Users mailing list.