Posted to users@subversion.apache.org by W J <wj...@yahoo.com> on 2004/10/25 09:17:04 UTC

storing user passwords in non-cleartext form in password-db file

Hi,
Is there a way to store the passwords configured in
the password file (pointed to by password-db) in
non-cleartext form?
I realize that obscurity is not security, but in my
case, our development is based on trust, so I am not
worried about security at all. We need some way of
authenticating users (to know who made each change to
the sources), and I want to avoid seeing the other
users' password in plaintext.

Thanks,
Walter J.


		

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org

Re: storing user passwords in non-cleartext form in password-db file

Posted by W J <wj...@yahoo.com>.
I think the password-db is on the server side, and not
part of the client caching mechanism.

It is used for authentication when using the basic SVN
protocol (not the svn+ssh). I would like this password
file to have obscured user passwords, so that I could
avoid typing all my users' passwords in cleartext
(it's a privacy issue, not a security issue).

WJ

--- Eric Gillespie <ep...@pretzelnet.org> wrote:

> W J <wj...@yahoo.com> writes:
> 
> > Is there a way to store the passwords configured in
> > the password file (pointed to by password-db) in
> > non-cleartext form?
> 
> In 1.1.x, you can turn off password caching with the
> store-passwords option.
> 
> --  
> Eric Gillespie <*> epg@pretzelnet.org
> 



		

Re: storing user passwords in non-cleartext form in password-db file

Posted by Eric Gillespie <ep...@pretzelnet.org>.
W J <wj...@yahoo.com> writes:

> Is there a way to store the passwords configured in
> the password file (pointed to by password-db) in
> non-cleartext form?

In 1.1.x, you can turn off password caching with the
store-passwords option.

--  
Eric Gillespie <*> epg@pretzelnet.org


Re: storing user passwords in non-cleartext form in password-db file

Posted by Jim Hague <ji...@fluffy.bear-cave.org.uk>.
In article <20...@web14521.mail.yahoo.com>,
W J  <wj...@yahoo.com> wrote:
>Assume the developer used svn+ssh:// to check out
>sources. 
>When she wants to commit the changes, will she have to
>use the "--username" argument, or does svn remember
>that the checkout was done remotely, and use the cache
>/ prompt her for a password (allowing her to omit the
>annoying --username argument)?

On Linux and AIX the --username argument doesn't seem to work for me.
I specify the username in the URL, e.g. svn+ssh://jim@svnhost.org/.
This is obviously retained, and I am prompted for the password on future
sessions as you'd expect. I use svn+ssh: in conjunction with ssh-agent to avoid
RSI from password typing.
-- 
Jim Hague - jim@bear-cave.org.uk          Never trust a computer you can't lift.



Re: storing user passwords in non-cleartext form in password-db file

Posted by Jeroen Leenarts <le...@tiscali.nl>.
I believe that's something that has to be arranged within the specific 
user's ssh client. I recall something about some agent command line tool 
for Putty to cache credentials in memory on the client side.

It is something that has to be configured on the client's ssh 
implementation.

Jeroen

W J wrote:

>Thanks for the reply, I have a follow-up question:
>
>Assume the developer used svn+ssh:// to check out
>sources. 
>When she wants to commit the changes, will she have to
>use the "--username" argument, or does svn remember
>that the checkout was done remotely, and use the cache
>/ prompt her for a password (allowing her to omit the
>annoying --username argument)?
>
>Thanks,
>WJ
>
>--- Max Bowsher <ma...@ukf.net> wrote:
>
>>W J wrote:
>>>Hi,
>>>Is there a way to store the passwords configured in
>>>the password file (pointed to by password-db) in
>>>non-cleartext form?
>>>I realize that obscurity is not security, but in my
>>>case, our development is based on trust, so I am not
>>>worried about security at all. We need some way of
>>>authenticating users (to know who made each change to
>>>the sources), and I want to avoid seeing the other
>>>users' password in plaintext.
>>
>>This is not currently possible with plain svn://
>>access.
>>
>>Yes, it probably ought to be.
>>
>>For now, the available workarounds are:
>>
>>  Use svn+ssh://
>>  Use http[s]://
>>
>>Max.



Re: storing user passwords in non-cleartext form in password-db file

Posted by W J <wj...@yahoo.com>.
Thanks for the reply, I have a follow-up question:

Assume the developer used svn+ssh:// to check out
sources. 
When she wants to commit the changes, will she have to
use the "--username" argument, or does svn remember
that the checkout was done remotely, and use the cache
/ prompt her for a password (allowing her to omit the
annoying --username argument)?

Thanks,
WJ

--- Max Bowsher <ma...@ukf.net> wrote:

> W J wrote:
> > Hi,
> > Is there a way to store the passwords configured in
> > the password file (pointed to by password-db) in
> > non-cleartext form?
> > I realize that obscurity is not security, but in my
> > case, our development is based on trust, so I am not
> > worried about security at all. We need some way of
> > authenticating users (to know who made each change to
> > the sources), and I want to avoid seeing the other
> > users' password in plaintext.
> 
> This is not currently possible with plain svn://
> access.
> 
> Yes, it probably ought to be.
> 
> For now, the available workarounds are:
> 
>   Use svn+ssh://
>   Use http[s]://
> 
> Max.
> 
> 



		

Re: storing user passwords in non-cleartext form in password-db file

Posted by Max Bowsher <ma...@ukf.net>.
W J wrote:
> Hi,
> Is there a way to store the passwords configured in
> the password file (pointed to by password-db) in
> non-cleartext form?
> I realize that obscurity is not security, but in my
> case, our development is based on trust, so I am not
> worried about security at all. We need some way of
> authenticating users (to know who made each change to
> the sources), and I want to avoid seeing the other
> users' password in plaintext.

This is not currently possible with plain svn:// access.

Yes, it probably ought to be.

For now, the available workarounds are:

  Use svn+ssh://
  Use http[s]://

Max.



Re: storing user passwords in non-cleartext form in password-db file

Posted by kf...@collab.net.
W J <wj...@yahoo.com> writes:
> Is there a way to store the passwords configured in
> the password file (pointed to by password-db) in
> non-cleartext form?
> I realize that obscurity is not security, but in my
> case, our development is based on trust, so I am not
> worried about security at all. We need some way of
> authenticating users (to know who made each change to
> the sources), and I want to avoid seeing the other
> users' password in plaintext.

Do you mean scramble passwords so someone seeing a password
accidentally won't be able to read it?

CVS does something like this in the ~/.cvspass file.  But the encoding
is static and easily cracked, and this is by necessity, since CVS
itself has to be able to unscramble it, without reference to any
meta-passwords.  Thus it's only a protection against accidentally
exposing your password to basically trustworthy people.  It offers no
protection against people actively cracking the password.  The file's
permissions are the only protection against that.

Note that CVS sends the scrambled version over the wire.  Subversion
already avoids doing that over svn://, and of course the http://
authentication protocol is beyond Subversion's control.  Therefore,
one of the main purposes of CVS's scrambling does not apply to
Subversion.  This is one of the reasons we have not implemented it.

By the way, when I say "no protection", I mean: here's a Perl script
that descrambles CVS passwords :-).  If Subversion were to offer a
similar feature, a script like this could be written for Subversion.

--------------------8-<-------cut-here---------8-<-----------------------
#!/usr/bin/perl -w

use strict;

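# The table below is symmetric ($shifts[$shifts[$c]] == $c), so the same
# lookup both scrambles and descrambles.  The leading 'A' is the prefix
# CVS puts in front of the scrambled text.
sub scramble_password
{
  my $plaintext = shift;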
  my @shifts = 
      (
       0,  1,  2,  3,  4,  5,  6,  7,  8,  9, 10, 11, 12, 13, 14, 15,
       16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31,
       114,120, 53, 79, 96,109, 72,108, 70, 64, 76, 67,116, 74, 68, 87,
       111, 52, 75,119, 49, 34, 82, 81, 95, 65,112, 86,118,110,122,105,
       41, 57, 83, 43, 46,102, 40, 89, 38,103, 45, 50, 42,123, 91, 35,
       125, 55, 54, 66,124,126, 59, 47, 92, 71,115, 78, 88,107,106, 56,
       36,121,117,104,101,100, 69, 73, 99, 63, 94, 93, 39, 37, 61, 48,
       58,113, 32, 90, 44, 98, 60, 51, 33, 97, 62, 77, 84, 80, 85,223,
       225,216,187,166,229,189,222,188,141,249,148,200,184,136,248,190,
       199,170,181,204,138,232,218,183,255,234,220,247,213,203,226,193,
       174,172,228,252,217,201,131,230,197,211,145,238,161,179,160,212,
       207,221,254,173,202,146,224,151,140,196,205,130,135,133,143,246,
       192,159,244,239,185,168,215,144,139,165,180,157,147,186,214,176,
       227,231,219,169,175,156,206,198,129,164,150,210,154,177,134,127,
       182,128,158,208,162,132,167,209,149,241,153,251,237,236,171,195,
       243,233,253,240,194,250,191,155,142,137,245,235,163,242,178,152 
       );

  my @plainnums = unpack ('C*', $plaintext);
  my @scrambled_nums;
  my $scrambled_text = "";
  foreach my $num (@plainnums) {
    push @scrambled_nums, ($shifts[$num]);
  }
  $scrambled_text = pack ('C*', @scrambled_nums);

  return "A${scrambled_text}";
}

my $password = shift || die ("Need an argument -- the password to scramble."); 
my $scrambled_password = &scramble_password ($password);
print "${scrambled_password}\n";

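
The point made in the last message, that file permissions are the only real protection for a password file the server has to read back, can be checked mechanically. The following is an added example, not code from this thread or from the Subversion project; it assumes the password-db file uses a [users] section of "name = password" lines, and the sample users are constructed.

```python
import configparser
import os
import stat
import tempfile

# Constructed sample, not a real password-db.
SAMPLE = """\
[users]
harry = harryssecret
sally = sally
"""

def audit_password_db(path):
    """Return findings for a password-db file; never echoes a password."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append(f"mode {mode:04o}: readable by group/other")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(f"mode {mode:04o}: writable by group/other")
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep user names exactly as written
    parser.read(path)
    users = dict(parser["users"]) if parser.has_section("users") else {}
    if users:
        findings.append(f"{len(users)} cleartext password(s) in [users]")
    for name, password in users.items():
        if not password or password == name:
            findings.append(f"user {name!r}: empty or same-as-name password")
    return findings

def demo():
    """Audit the constructed sample with loose, then tight, permissions."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "passwd")
        with open(path, "w") as fh:
            fh.write(SAMPLE)
        os.chmod(path, 0o644)
        loose = audit_password_db(path)
        os.chmod(path, 0o600)
        tight = audit_password_db(path)
    return loose, tight

if __name__ == "__main__":
    for label, result in zip(("0644", "0600"), demo()):
        print(label, result)
```

Tightening the mode removes the permission finding but not the cleartext one; only the svn+ssh:// or http[s]:// workarounds named in the thread address that.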