On 11/02/2015 01:50 AM, Aaron Digulla wrote:
They are encoded with CRAM-MD5 (https://en.wikipedia.org/wiki/CRAM-MD5). You can see that in the source code: https://svn.apache.org/repos/asf/subversion/trunk/subversion/libsvn_ra_svn/i...
See the Wikipedia page for weaknesses. In general, CRAM-MD5 is better than clear passwords but vulnerable to man-in-the-middle attacks or brute force.
Thanks Aaron. The user base is limited to one Class-B subnet, so man-in-the-middle attacks aren't too much of a risk in this case. Regarding brute-force attacks, I've got PAM configured to lock out more than three bad guesses for 15 minutes using the pam_tally2 plugin.

Regards,
Lew
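
An added example, not part of the original thread and not Subversion's code: the CRAM-MD5 challenge-response as defined in RFC 2195, with both sides, run against the RFC's own sample exchange. The function names, the `SECRETS` table and the host `svn.example.org` are hypothetical, and svnserve's wire framing is not reproduced.

```python
import hashlib
import hmac
import os
import time

# Constructed credential store. CRAM-MD5 needs the shared secret itself on the
# server (or an equivalent HMAC state), not a one-way password hash.
SECRETS = {"tim": "tanstaaftanstaaf"}  # user and secret from the RFC 2195 sample


def make_challenge(hostname):
    """Server side: a fresh, unpredictable challenge in msg-id form."""
    nonce = int.from_bytes(os.urandom(8), "big")
    return "<%d.%d@%s>" % (nonce, int(time.time()), hostname)


def client_response(user, password, challenge):
    """Client side: user name, a space, then hex HMAC-MD5(key=password, msg=challenge)."""
    digest = hmac.new(password.encode(), challenge.encode(), hashlib.md5).hexdigest()
    return "%s %s" % (user, digest)


def server_verify(secrets, challenge, response):
    """Server side: recompute the digest for the claimed user and compare."""
    user, _, digest = response.rpartition(" ")
    password = secrets.get(user)
    if password is None:
        return False
    expected = hmac.new(password.encode(), challenge.encode(), hashlib.md5).hexdigest()
    # Constant-time comparison of the two hex digests.
    return hmac.compare_digest(expected.encode(), digest.lower().encode())


if __name__ == "__main__":
    # Sample challenge from RFC 2195; the password never crosses the wire.
    rfc_challenge = "<1896.697170952@postoffice.reston.mci.net>"
    print(client_response("tim", SECRETS["tim"], rfc_challenge))

    # Constructed session: a response is bound to the challenge it answers,
    # so replaying it against a later challenge is rejected.
    first = make_challenge("svn.example.org")
    later = make_challenge("svn.example.org")
    answer = client_response("tim", SECRETS["tim"], first)
    print(server_verify(SECRETS, first, answer))
    print(server_verify(SECRETS, later, answer))
```

Only the client proves knowledge of the secret in this exchange; the server is not authenticated, and the digest depends on nothing but the challenge and the password.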