Posted to users@subversion.apache.org by Don Adams <da...@scisol.com> on 2006/09/18 16:14:57 UTC

Question about svnserve and security

Hello all...I was hoping somebody could answer this question. I can't
seem to find a definitive answer. How secure is the custom protocol
svnserve? I know it uses CRAM-MD5 so the password never goes out on the
wire in the clear, and it seems that many, or most people use it with
SSH to provide an encrypted tunnel. What we want to do is just open up
the port for svnserve and NOT use SSH. We do not care if the data is
encrypted or not, we do care if the password goes over the wire though.
 
How much of a risk is just providing direct access to the svnserve port?
 
Any help would be great, because we are CVS users wanting to move to
SVN, but this is a hot topic right now. Thanks in advance!!
 
Don
 

Re: Question about svnserve and security

Posted by Karl Fogel <kf...@google.com>.
"Garrett Rooney" <ro...@electricjellyfish.net> writes:
> On 9/18/06, Don Adams <da...@scisol.com> wrote:
>> Hello all...I was hoping somebody could answer this question. I can't seem
>> to find a definitive answer. How secure is the custom protocol svnserve? I
>> know it uses CRAM-MD5 so the password never goes out on the wire in the
>> clear, and it seems that many, or most people use it with SSH to provide an
>> encrypted tunnel. What we want to do is just open up the port for svnserve
>> and NOT use SSH. We do not care if the data is encrypted or not, we do care
>> if the password goes over the wire though.
>
> svnserve uses CRAM-MD5 authentication, so the password itself never
> goes over the wire, just an md5 hash of it.

Technically, an md5 hash of the plaintext password plus some random
salt, I believe, so that it's a different hash every time.  You
probably both knew this, I just wanted to clarify for onlookers,
because the salt makes a big security difference.

-Karl

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
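
Added example, not part of the original thread and not Subversion's own code: the CRAM-MD5 exchange discussed above, as specified in RFC 2195, where the client answers a fresh server challenge with an HMAC-MD5 keyed by the password. The function names, the challenge format and the hostname are assumptions; the credentials are the sample values published in RFC 2195.

```python
import hashlib
import hmac
import os
import time


def make_challenge(hostname="svn.example.invalid"):
    """Server: a fresh, unpredictable challenge per connection (assumed format)."""
    nonce = os.urandom(8).hex()
    return f"<{nonce}.{int(time.time())}@{hostname}>".encode()


def client_response(username, password, challenge):
    """Client: HMAC-MD5 over the challenge, keyed with the password."""
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return f"{username} {digest}"


def server_verify(passwords, challenge, response):
    """Server: recompute the digest from its own copy of the password."""
    username, _, digest = response.partition(" ")
    stored = passwords.get(username)
    if stored is None:
        return False
    expected = hmac.new(stored.encode(), challenge, hashlib.md5).hexdigest()
    # Constant-time comparison; bytes avoid a TypeError on non-ASCII input.
    return hmac.compare_digest(expected.encode(), digest.encode())


def demo():
    # Constructed user database: the server must hold the password itself
    # (or an equivalent secret) to recompute the digest.
    passwords = {"tim": "tanstaaftanstaaf"}
    first, second = make_challenge(), make_challenge()
    answer = client_response("tim", "tanstaaftanstaaf", first)
    return {
        "fresh_accepted": server_verify(passwords, first, answer),
        # The same bytes sent again on a later connection no longer match.
        "replay_accepted": server_verify(passwords, second, answer),
        "wrong_password_accepted": server_verify(
            passwords, first, client_response("tim", "guess", first)),
    }


if __name__ == "__main__":
    print(demo())
```

Only the authentication step is covered by this exchange; everything sent after it travels as plain data unless the connection is wrapped in a tunnel.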

Re: Question about svnserve and security

Posted by Garrett Rooney <ro...@electricjellyfish.net>.
On 9/18/06, Don Adams <da...@scisol.com> wrote:
>
> Hello all...I was hoping somebody could answer this question. I can't seem
> to find a definitive answer. How secure is the custom protocol svnserve? I
> know it uses CRAM-MD5 so the password never goes out on the wire in the
> clear, and it seems that many, or most people use it with SSH to provide an
> encrypted tunnel. What we want to do is just open up the port for svnserve
> and NOT use SSH. We do not care if the data is encrypted or not, we do care
> if the password goes over the wire though.

svnserve uses CRAM-MD5 authentication, so the password itself never
goes over the wire, just an md5 hash of it.

-garrett


Re: Question about svnserve and security

Posted by Ivan Aleman <bo...@gmail.com>.
> to find a definitive answer. How secure is the custom protocol svnserve? I
> know it uses CRAM-MD5 so the password never goes out on the wire in the
> clear, and it seems that many, or most people use it with SSH to provide an
> encrypted tunnel. What we want to do is just open up the port for svnserve
> and NOT use SSH. We do not care if the data is encrypted or not, we do care
> if the password goes over the wire though.
>
> How much of a risk is just providing direct access to the svnserve port?
>
Describe your scenario: are you guys planning to use http, is your team
working inside a LAN, or is your team located in different places
(countries / states)?

Maybe these links will help you:
http://svnbook.red-bean.com/nightly/en/svn-book.html#svn.advanced.reposurls

http://svnbook.red-bean.com/nightly/en/svn-book.html#svn.basic.in-action

-- 
Iván Alemán ~ [[ Debian (Sid) ]] ~
bonovoxmofo.blogspot.com
