On Sunday, 01 November 2015 21:54 CET, Lew Wolfgang <wolfgang@sweet-haven.com> wrote:
Hi Folks,
Given the stock openSUSE subversion install, does anyone know how usernames/passwords are sent over the wire? The specifics for my server setup are SASL enabled with saslauthd configured for PAM. The documentation is confusing, but I think it says that CRAM-MD5 is used for authentication. I know that the repo content isn't encrypted, but I'm worried about the passwords.
I've got it all working with PAM authenticating with krb5 on the backend, and I've sniffed the wire with tcpdump, and don't see any cleartext or base-64 encoded passwords, but I'm still worried.
Are passwords sent in the clear? Or are they trivially encoded? Or?
They are encoded with CRAM-MD5 (https://en.wikipedia.org/wiki/CRAM-MD5). You can see that in the source code: https://svn.apache.org/repos/asf/subversion/trunk/subversion/libsvn_ra_svn/i...

See the Wikipedia page for weaknesses. In general, CRAM-MD5 is better than clear passwords but vulnerable to man-in-the-middle attacks or brute force.

Regards,

--
Aaron "Optimizer" Digulla a.k.a. Philmann Dark
"It's not the universe that's limited, it's our imagination.
Follow me and I'll show you something beyond the limits."
http://blog.pdark.de/

--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse+owner@opensuse.org
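An added illustration of the exchange Aaron describes, written for this page and not taken from the thread or from Subversion's libsvn_ra_svn: the server sends a challenge, the client answers with "<user> <hex(HMAC-MD5(password, challenge))>" as in RFC 2195, so the password itself never appears in a capture, which matches what Lew saw in tcpdump. The same capture, however, is enough for an offline dictionary attack, which is the brute-force weakness referred to above. Protocol framing is omitted, and the "<random.timestamp@host>" challenge shape is RFC 2195's, assumed here rather than ra_svn's exact format; the only real data is the RFC 2195 test vector, everything else is constructed.

```python
import hashlib
import hmac
import os
import time
from typing import Callable, Iterable, Optional

# Test vector from RFC 2195 section 2 (user "tim", password "tanstaaftanstaaf").
RFC2195_CHALLENGE = b"<1896.697170952@postoffice.reston.mci.net>"
RFC2195_RESPONSE = b"tim b913a602c7eda7a495b4e6e7334d3890"


def make_challenge(hostname: str = "svn.example.invalid") -> bytes:
    """Server side: a fresh, unpredictable challenge per attempt. The shape
    follows the RFC 2195 example; it is an assumption, not ra_svn's format."""
    return f"<{os.urandom(8).hex()}.{int(time.time())}@{hostname}>".encode()


def client_response(username: str, password: str, challenge: bytes) -> bytes:
    """Client side: only HMAC-MD5(password, challenge) in lowercase hex crosses
    the wire, which is why no cleartext or base64 password shows up in a sniff."""
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return f"{username} {digest}".encode()


def server_verify(response: bytes, challenge: bytes,
                  lookup_password: Callable[[str], Optional[str]]) -> bool:
    """Server side: recompute the HMAC. CRAM-MD5 obliges the server to keep a
    recoverable password (or MD5-state equivalent), not a salted hash."""
    username, _, digest = response.decode().partition(" ")
    password = lookup_password(username)
    if password is None:
        return False
    expected = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)


def offline_crack(challenge: bytes, response: bytes,
                  wordlist: Iterable[str]) -> Optional[str]:
    """What the passive observer can do: challenge and response are both in the
    capture, so every guess is checked locally with no further server contact."""
    _, _, digest = response.decode().partition(" ")
    for guess in wordlist:
        if hmac.new(guess.encode(), challenge, hashlib.md5).hexdigest() == digest:
            return guess
    return None


def sniffed_exchange(username: str, password: str, wordlist: Iterable[str]) -> dict:
    """Run one login and then attack the captured bytes. Returns what the
    server decided, whether the password was ever on the wire, and the
    dictionary result. Constructed scenario for the illustration."""
    challenge = make_challenge()
    response = client_response(username, password, challenge)
    password_db = {username: password}
    return {
        "accepted": server_verify(response, challenge, password_db.get),
        "password_on_wire": password.encode() in challenge + response,
        "cracked": offline_crack(challenge, response, wordlist),
    }


if __name__ == "__main__":
    print(sniffed_exchange("lew", "hunter2", ["letmein", "hunter2"]))
```

The replay case is worth noting as well: a captured response only verifies against the challenge it was computed for, so the protection depends on the server never reusing a challenge, while the offline dictionary attack works regardless of challenge freshness. Wrapping the ra_svn connection in TLS (svnserve over a tunnel, or http(s):// with mod_dav_svn) is what removes the capture in the first place.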