[opensuse] svnserve passwords in transit question
Hi Folks,

Given the stock openSUSE subversion install, does anyone know how usernames/passwords are sent over the wire? The specifics for my server setup are SASL enabled with saslauthd configured for PAM. The documentation is confusing, but I think it says that CRAM-MD5 is used for authentication. I know that the repo content isn't encrypted, but I'm worried about the passwords.

I've got it all working with PAM authenticating with krb5 on the backend, and I've sniffed the wire with tcpdump, and don't see any cleartext or base-64 encoded passwords, but I'm still worried.

Are passwords sent in the clear? Or are they trivially encoded? Or?

(I know about svn+ssh and webdav-tls, but I can't do those for a number of reasons)

Thanks in advance,
Lew

--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse+owner@opensuse.org
On 11/01/2015 01:15 PM, Carlos E. R. wrote:
> On 2015-11-01 21:54, Lew Wolfgang wrote:
>> Are passwords sent in the clear? Or are they trivially encoded? Or?
>
> I /think/ it uses either ssh or https for transactions. But I'm not sure.

Right, there are several ways to connect. I don't want to do ssh because most of the svn users don't have accounts on the server. I think there are also issues with file-locking when access is directly provided to the repo. https requires Apache and certs, I can't do this for various "IA" policy reasons.

Connections here are made to the svnserve daemon on TCP port 3690 using any one of several clients. The Windows folks use TortoiseSVN, the Linux-heads use kdesvn or the command-line svn program.

It's the connection from svn client to the svn server that I'm worried about. Passwords aren't stored on the server since I'm using PAM/Kerberos, so that's not an issue.

Regards,
Lew
On 2015-11-01 22:52, Lew Wolfgang wrote:
> On 11/01/2015 01:15 PM, Carlos E. R. wrote:
>> On 2015-11-01 21:54, Lew Wolfgang wrote:
>
> It's the connection from svn client to the svn server that I'm worried about. Passwords aren't stored on the server since I'm using PAM/Kerberos, so that's not an issue.

Then I'm afraid I can't help much, as my experience is on the client side only... I have to give the password only once in a lifetime, afterwards the credentials are stored for ever (I'm unsure where, there is no .svn folder). Ah, yes, it is in ~/.subversion/. I can see my password stored there in plain text.

--
Cheers / Saludos,
Carlos E. R.
(from 13.1 x86_64 "Bottle" at Telcontar)
On 11/02/2015 04:07 AM, Carlos E. R. wrote:
> On 2015-11-01 22:52, Lew Wolfgang wrote:
>> It's the connection from svn client to the svn server that I'm worried about. Passwords aren't stored on the server since I'm using PAM/Kerberos, so that's not an issue.
>
> I have to give the password only once in a lifetime, afterwards the credentials are stored for ever (I'm unsure where, there is no .svn folder). Ah, yes, it is in ~/.subversion/. I can see my password stored there in plain text.

Yup, but you can configure svn to use a "wallet" for local password storage. kdesvn uses kwallet by default.

Regards,
Lew
On Sunday, 01 November 2015 21:54 CET, Lew Wolfgang <wolfgang@sweet-haven.com> wrote:
> Hi Folks,
>
> Given the stock openSUSE subversion install, does anyone know how usernames/passwords are sent over the wire? The specifics for my server setup are SASL enabled with saslauthd configured for PAM. The documentation is confusing, but I think it says that CRAM-MD5 is used for authentication. I know that the repo content isn't encrypted, but I'm worried about the passwords.
>
> I've got it all working with PAM authenticating with krb5 on the backend, and I've sniffed the wire with tcpdump, and don't see any cleartext or base-64 encoded passwords, but I'm still worried.
>
> Are passwords sent in the clear? Or are they trivially encoded? Or?

They are encoded with CRAM-MD5 (https://en.wikipedia.org/wiki/CRAM-MD5). You can see that in the source code: https://svn.apache.org/repos/asf/subversion/trunk/subversion/libsvn_ra_svn/i...

See the Wikipedia page for weaknesses. In general, CRAM-MD5 is better than clear passwords but vulnerable to man-in-the-middle attacks or brute force.

Regards,

--
Aaron "Optimizer" Digulla a.k.a. Philmann Dark
"It's not the universe that's limited, it's our imagination. Follow me and I'll show you something beyond the limits."
http://blog.pdark.de/
On 11/02/2015 01:50 AM, Aaron Digulla wrote:
> They are encoded with CRAM-MD5 (https://en.wikipedia.org/wiki/CRAM-MD5). You can see that in the source code: https://svn.apache.org/repos/asf/subversion/trunk/subversion/libsvn_ra_svn/i...
>
> See the Wikipedia page for weaknesses. In general, CRAM-MD5 is better than clear passwords but vulnerable to man-in-the-middle attacks or brute force.

Thanks Aaron. The user-base is limited to one Class-B subnet, so man-in-the-middle attacks aren't too much of a risk in this case.

Regarding brute force attacks, I've got PAM configured to lock out more than three bad guesses for 15 minutes using the pam_tally2 plugin.

Regards,
Lew
On 02.11.2015 at 16:35, Lew Wolfgang wrote:
> On 11/02/2015 01:50 AM, Aaron Digulla wrote:
>> They are encoded with CRAM-MD5 (https://en.wikipedia.org/wiki/CRAM-MD5). You can see that in the source code: https://svn.apache.org/repos/asf/subversion/trunk/subversion/libsvn_ra_svn/i...
>>
>> See the Wikipedia page for weaknesses. In general, CRAM-MD5 is better than clear passwords but vulnerable to man-in-the-middle attacks or brute force.
>
> Thanks Aaron. The user-base is limited to one Class-B subnet, so man-in-the-middle attacks aren't too much of a risk in this case.
>
> Regarding brute force attacks, I've got PAM configured to lock out more than three bad guesses for 15 minutes using the pam_tally2 plugin.

Err... The brute force attack sniffs the encoded password from the network and then tries to produce an input which yields the same output. Your server isn't going to see that.

Regards,

--
Aaron "Optimizer" Digulla a.k.a. Philmann Dark
"It's not the universe that's limited, it's our imagination. Follow me and I'll show you something beyond the limits."
http://blog.pdark.de/
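The exchange Aaron describes, as an added illustration that is not part of the thread and not Subversion's own code: a CRAM-MD5 challenge/response in the RFC 2195 shape (server challenge, client answers with its user name and an HMAC-MD5 of the challenge keyed by the password, both base64 on the wire). The hostname, user name and password are constructed. The server's verification and the check an eavesdropper can run against a captured transcript are literally the same computation, which is why a lockout counter on the server (pam_tally2 in Lew's setup) never sees those attempts. It also shows the caveat that CRAM-MD5 needs the verifier to hold the password itself, as svnserve's built-in implementation does via its passwd file; a backend that can only check plaintext credentials, such as saslauthd against PAM, cannot complete this exchange.

```python
"""CRAM-MD5 between an svn client and svnserve, RFC 2195 style.
Added illustration; hostname, user name and password below are constructed."""
import base64
import hmac
import secrets
import time


def client_response(username: str, password: str, challenge: bytes) -> bytes:
    """Client side: HMAC-MD5 keyed with the password over the server's challenge.
    The password itself never goes on the wire, only this digest."""
    digest = hmac.new(password.encode(), challenge, "md5").hexdigest()
    return f"{username} {digest}".encode()


def offline_check(challenge: bytes, response: bytes, candidate: str) -> bool:
    """Does this candidate password reproduce the observed digest?
    Anyone holding the two captured messages can compute this without the server."""
    _username, _, digest = response.decode().partition(" ")
    expected = hmac.new(candidate.encode(), challenge, "md5").hexdigest()
    return hmac.compare_digest(expected, digest)


class Server:
    """Server side. CRAM-MD5 only works if the verifier holds the password
    (svnserve's passwd file); a plaintext-only backend cannot run it."""

    def __init__(self, passwords: dict, hostname: str = "svn.example.test"):
        self.passwords = passwords
        self.hostname = hostname   # constructed placeholder
        self.failed = {}           # stands in for pam_tally2's per-user counter

    def challenge(self) -> bytes:
        # Fresh and unpredictable, so a captured response cannot simply be replayed.
        return f"<{secrets.token_hex(8)}.{int(time.time())}@{self.hostname}>".encode()

    def verify(self, challenge: bytes, response: bytes) -> bool:
        username, _, _ = response.decode().partition(" ")
        password = self.passwords.get(username)
        # Same computation as offline_check: the server has no extra secret here.
        ok = password is not None and offline_check(challenge, response, password)
        if not ok:
            self.failed[username] = self.failed.get(username, 0) + 1
        return ok


def wire_encode(msg: bytes) -> bytes:
    """SASL carries both messages base64-encoded: encoding, not encryption."""
    return base64.b64encode(msg)


def wire_decode(msg: bytes) -> bytes:
    return base64.b64decode(msg)


def demo() -> dict:
    """One constructed session, then the offline check an eavesdropper could run."""
    server = Server({"lew": "s3cret-sample"})   # constructed credentials
    challenge = server.challenge()
    response = client_response("lew", "s3cret-sample", challenge)

    # The two messages visible to a tcpdump on TCP port 3690:
    captured = [wire_encode(challenge), wire_encode(response)]
    accepted = server.verify(wire_decode(captured[0]), wire_decode(captured[1]))

    # Testing candidates against the capture never contacts the server,
    # so a lockout policy there counts nothing.
    ch, resp = (wire_decode(m) for m in captured)
    wrong = offline_check(ch, resp, "password")
    right = offline_check(ch, resp, "s3cret-sample")
    return {
        "accepted": accepted,
        "captured": captured,
        "offline_wrong_candidate": wrong,
        "offline_right_candidate": right,
        "server_failed_attempts": server.failed.get("lew", 0),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running it prints the base64 pair an observer would see (no password in it), the server's accept decision, and a server failure count of zero despite the offline candidates being checked: the mitigation against this is confidentiality on the wire (a security layer or TLS) rather than server-side rate limiting.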
participants (3)
- Aaron Digulla
- Carlos E. R.
- Lew Wolfgang