Posted to dev@subversion.apache.org by "Ng, Wey Han" <we...@atosorigin.com> on 2004/06/02 08:25:26 UTC

svnserve password store in clear text

Hi,

I am wondering if the password will be changed to an encrypted form in the future?
I have checked the project home page and there is no mention of fixing this in
the plans.

I was also trying to fix this at the code level but I obviously don't
understand cryptography and the library used well enough to figure out how
to do it without breaking the authentication system. Would it be possible to
use the libsvn_ra_svn library to encrypt the password to be stored into the
passwd file and just read and compare during authentication?

Regards,

Han.
----
Ng, Wey-Han

Atos Origin



---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org

Re: svnserve password store in clear text

Posted by Greg Hudson <gh...@MIT.EDU>.
On Wed, 2004-06-02 at 15:21, Jon Foster wrote:
> If the server was storing a hash of the password and the server name
> (aka authentication domain), would that mean if the client refers to
> the server differently (e.g. using localhost because they're
> tunnelling over SSH) then the user needs to reset their password?

It would.  That would seem to be a big problem.  I can think of
variations, but they all have the same or similar problems (e.g. we
could hash the password with the repository UUID, but then the password
db couldn't be shared between repositories).

The authentication domain does have a server-specified component. 
Administrators are not strongly urged to set it.  We could hash the
password with just the server-specified component, change the comments
so that the administrator is strongly urged to set it, and note that
passwords will be invalidated if it changes.

> Also, it stops administrators from seeing the password accidentally.

My assumption has been that it's easy to edit the password db in an
automated fashion, but I guess that's not very admin-friendly since we
don't provide tools to do so.

> E.g. I run a small SVN server at my company, but I'm not a proper
> system administrator.  Users want to use the same password for the
> SVN server as for the network.

I'll observe that with credentials caching, it's not terribly hard to
use a different password for each, since you don't have to remember it
each time you use svn.

(Also, pet peeve: "for the network?"  Since when does "the network" have
a password?)



Re: svnserve password store in clear text

Posted by Jon Foster <jo...@jon-foster.co.uk>.
Greg Hudson wrote:
> On Wed, 2004-06-02 at 12:54, kfogel@collab.net wrote:
> 
>>Greg Hudson <gh...@MIT.EDU> writes:
>>
>>>I will, at some point,
>>>look into a way to make it so that the secret is a hash of the password
>>>together with the authentication domain.

If the server was storing a hash of the password and the server name
(aka authentication domain), would that mean if the client refers to
the server differently (e.g. using localhost because they're
tunnelling over SSH) then the user needs to reset their password?
Or (more likely) am I misunderstanding "authentication domain"?

> 
>>How is the "secret" not a "password", then?  I'm not seeing how this
>>fundamentally changes the dynamics of the situation.  The server and
>>client still have to know the same secret, and the secret is not
>>transmitted in the clear over the network.
> 
> It means if the user is using the same password for Subversion and for
> some other purpose, the repository administrator can't (except through
> dictionary attack) discover the password being used for the other
> purpose.

Also, it stops administrators from seeing the password accidentally.
E.g. I run a small SVN server at my company, but I'm not a proper
system administrator.  Users want to use the same password for the
SVN server as for the network.  However, users don't want me to know
their password, and I actively don't want to know their passwords.
With the current system I have to see all their passwords - if the
system used a password hash then users could just send me that hash.
Although theoretically I might be able to use a brute-force or
dictionary attack against their password, I'm not going to.
(Even reversible encryption/obfuscation on the password would meet
this goal).

Kind regards,

Jon



Re: svnserve password store in clear text

Posted by kf...@collab.net.
Greg Hudson <gh...@MIT.EDU> writes:
> Think of this functionality as being like Schneier's Password Safe
> (http://www.schneier.com/passsafe.html).

Okay, I see the problem you're solving now.

I can't believe he spelled it with three "s"s.  I mean, yes, it's the
right thing and all, but it just *looks* so wrong.  And no,
passafe.html is not on the server. :-)

-Karl


Re: svnserve password store in clear text

Posted by Greg Hudson <gh...@MIT.EDU>.
On Wed, 2004-06-02 at 12:54, kfogel@collab.net wrote:
> Greg Hudson <gh...@MIT.EDU> writes:
> > I will, at some point,
> > look into a way to make it so that the secret is a hash of the password
> > together with the authentication domain.

> How is the "secret" not a "password", then?  I'm not seeing how this
> fundamentally changes the dynamics of the situation.  The server and
> client still have to know the same secret, and the secret is not
> transmitted in the clear over the network.

It means if the user is using the same password for Subversion and for
some other purpose, the repository administrator can't (except through
dictionary attack) discover the password being used for the other
purpose.  (Even for another Subversion repository, since the password is
hashed together with the authentication domain, which from the client's
perspective includes the server name.  Although, that means your
password stops working if you start using a different name for the same
server...)

Think of this functionality as being like Schneier's Password Safe
(http://www.schneier.com/passsafe.html).



Re: svnserve password store in clear text

Posted by kf...@collab.net.
Greg Hudson <gh...@MIT.EDU> writes:
> There is a potential out here; the server and client only have to share
> a secret, not necessarily the password itself.  I will, at some point,
> look into a way to make it so that the secret is a hash of the password
> together with the authentication domain.  I didn't do this initially
> because (1) it's not how CRAM-MD5 is specified, and (2) it complicates
> repository administration and requires us to provide an extra
> command-line tool to perform the password encryption.

How is the "secret" not a "password", then?  I'm not seeing how this
fundamentally changes the dynamics of the situation.  The server and
client still have to know the same secret, and the secret is not
transmitted in the clear over the network.

By the way, Wey Han, in my original response I didn't realize you were
talking only about svnserve (I saw the message body but not the
subject), so what I said was more applicable to http:// access.  Sorry
if that was confusing.

-Karl



Re: svnserve password store in clear text

Posted by Eric Hanchrow <of...@blarg.net>.
>>>>> "Greg" == Greg Hudson <gh...@MIT.EDU> writes:

    Greg> On Wed, 2004-06-02 at 04:25, Ng, Wey Han wrote:
    >> I am wondering if the password will be changed to an encrypted
    >> form in the future?  I have checked the project home page and
    >> there is no mention of fixing this in the plans.

    Greg> As with most people who make this request, you're starting
    Greg> from the (reasonable) misconception that the client
    Greg> transmits the password to the server.  That's not how it
    Greg> works

Coincidentally I was wondering about this same thing yesterday.  I've
since realized that the clear-text passwords are protected by the same
mechanism that protects your repository itself, namely, the file
system.  If you're worried that that protection isn't sufficient for
your passwords, you shouldn't use it for your repository data, either
:-|
 
-- 
The one thing that unites all human beings, regardless of age,
gender, religion, economic status or ethnic background, is that
deep down inside, we all believe that we are above average
drivers.
         -- Dave Barry



Re: svnserve password store in clear text

Posted by Greg Hudson <gh...@MIT.EDU>.
On Wed, 2004-06-02 at 04:25, Ng, Wey Han wrote:
> I am wondering if the password will be changed to an encrypted form in the future?
> I have checked the project home page and there is no mention of fixing this in
> the plans.

As with most people who make this request, you're starting from the
(reasonable) misconception that the client transmits the password to the
server.  That's not how it works; the server sends a challenge, and the
client sends a response proving that it knows the password.  For this
"shared secret authentication" mechanism to work, the server has to know
the password itself, not a one-way hash of it.

There is a potential out here; the server and client only have to share
a secret, not necessarily the password itself.  I will, at some point,
look into a way to make it so that the secret is a hash of the password
together with the authentication domain.  I didn't do this initially
because (1) it's not how CRAM-MD5 is specified, and (2) it complicates
repository administration and requires us to provide an extra
command-line tool to perform the password encryption.
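
The challenge/response exchange described in the message above, together with the realm-bound secret discussed elsewhere in this thread, as an added example that is not part of the original message or of Subversion's code. The derivation in `derive_secret` (SHA-256 over "realm:password"), the realm strings and the password are assumptions constructed for illustration.

```python
import hashlib
import hmac
import os
import time

def make_challenge(host: str) -> bytes:
    """Server side: fresh RFC 2195 style challenge, <random.timestamp@host>."""
    return f"<{os.urandom(8).hex()}.{int(time.time())}@{host}>".encode()

def cram_md5_response(secret: bytes, challenge: bytes) -> str:
    """Client side: hex HMAC-MD5 of the challenge, keyed with the shared secret."""
    return hmac.new(secret, challenge, hashlib.md5).hexdigest()

def verify(stored_secret: bytes, challenge: bytes, response: str) -> bool:
    """Server side: recompute from the stored secret; needs the secret itself."""
    expected = cram_md5_response(stored_secret, challenge)
    return hmac.compare_digest(expected, response)

def derive_secret(password: str, realm: str) -> bytes:
    """Assumed derivation (not from the thread): SHA-256 over realm and password."""
    return hashlib.sha256(f"{realm}:{password}".encode()).hexdigest().encode()

def demo() -> dict:
    password = "correct horse"            # constructed sample value
    realm = "<svn.example.org> Example"   # constructed authentication domain
    results = {}
    ch = make_challenge("svn.example.org")
    # 1. Plain CRAM-MD5: the passwd file holds the password itself.
    results["plain"] = verify(password.encode(), ch, cram_md5_response(password.encode(), ch))
    # 2. Derived secret: the passwd file holds derive_secret(password, realm).
    stored = derive_secret(password, realm)
    results["derived"] = verify(stored, ch, cram_md5_response(derive_secret(password, realm), ch))
    # 3. Client reaches the same server as localhost (SSH tunnel): realm differs.
    tunnel = derive_secret(password, "<localhost> Example")
    results["renamed"] = verify(stored, ch, cram_md5_response(tunnel, ch))
    # 4. The stored value alone answers challenges for this realm...
    results["stored_is_credential"] = verify(stored, ch, cram_md5_response(stored, ch))
    # 5. ...but is not the secret for another realm using the same password.
    other = derive_secret(password, "<other.example.org> Other")
    results["reusable_elsewhere"] = verify(other, ch, cram_md5_response(stored, ch))
    return results

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

Cases 4 and 5 show the trade-off debated in the thread: the stored value is still a credential for its own realm, so the passwd file needs the same file-system protection, but it no longer reveals a password reused elsewhere.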



Re: svnserve password store in clear text

Posted by Garrett Rooney <ro...@electricjellyfish.net>.
kfogel@collab.net wrote:

> "Ng, Wey Han" <we...@atosorigin.com> writes:
> 
>>I am wondering if the password will be changed to an encrypted form in the future?
>>I have checked the project home page and there is no mention of fixing this in
>>the plans.
> 
> 
> You mean a plan to be stored encrypted on disk?
> 
> We don't plan to locally encrypt any passwords which are sent over the
> network in cleartext anyway.  What specific access method did you have
> in mind?

Umm, we don't send those passwords over the network in cleartext.

-garrett


Re: svnserve password store in clear text

Posted by kf...@collab.net.
"Ng, Wey Han" <we...@atosorigin.com> writes:
> I am wondering if the password will be changed to an encrypted form in the future?
> I have checked the project home page and there is no mention of fixing this in
> the plans.

You mean a plan to be stored encrypted on disk?

We don't plan to locally encrypt any passwords which are sent over the
network in cleartext anyway.  What specific access method did you have
in mind?

-Karl
