Remy Blank wrote on 09. april 2009 14:11:

> Eirik Schwenke wrote:
>> *Not* sharing the authentication store for at the very least version
>> control must surely be the exception ?
>
> Not around here, we use SSH for repository access, for both Subversion
> and Mercurial. But I get your point, and I agree that for this reason,
> htpasswd would make more sense as a default.
Still... I guess you use "some other" backend for trac, in order to have a web interface for managing access then? Otherwise using pam/ldap with both apache and ssh would make more sense?

Btw any reason for preferring ssh+svn over mod_svn? Any scalability issues, or just the fact that all your devs have shell access anyway?

> The question is now: HtPasswdStore or HtDigestStore as a default? ;-)

Hehe. My opinion is that HtDigest must die, but as ssl is pretty broken too, I guess this is a valid question. If only there was a widely available trust-based TLS implementation that worked (i.e., no CA problem, no vhost problem) -- then I'd certainly want to kill off HtDigest support completely.

While I'm too lazy to look up the RFC atm, if this:

http://docstore.mik.ua/orelly/linux/apache/ch05_07.htm

is correct, an attacker on e.g. a shared lan/wlan would have a pretty hard time of precomputing the hashes:

MD5(MD5(<password>)+":"+<nonce>+":"+MD5(<method>+":"+<uri>))

while a leaked htdigest-file would be pretty bad, as it contains an unsalted password:

MD5(<password>).

So brute-forcing a password "from the wire" is non-trivial for a non-trivial password - but a captured pw file is disastrous, given e.g.:

http://project-rainbowcrack.com/

Much worse than a salted htpasswd-file. Well, worse, anyway.

Incidentally, my current workstation does about 32 million iterations of md5 on 16 byte blocks per core, so if I'm not way off: small/caps+digits+symbols at 8 character passwords, four cores:

((26*2+10+10)**8) hashes / (32511400*4) hashes/sec = 5553468 secs

or about 2 computermonths to brute-force all 8 character passwords. A bit longer for all 1 to 8 character passwords -- but still not that bad. This is with no rainbowtables...

Now considering we have about 10 workstations with the same specs here, and a total of 60 or so... and another 40+ servers... Or, for amazon ec2, between 400 and 5000 usd apparently...
(would have to benchmark openssl/md5 on the various instances to know which instance makes most sense for this).

We really need to get people to use encryption for this stuff...

-e

-- 
.---.  Eirik Schwenke <[email protected]>
( NSD ) Harald Hårfagresgate 29 Rom 150
'---'  N-5007 Bergen tlf: (555) 889 13
GPG-key at pgp.mit.edu Id 0x8AA3392C
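An added example (not from the message, nor Trac's own code) that works through the two hashes the message contrasts and its brute-force arithmetic. It implements the simplified Digest formula exactly as the message quotes it; the full RFC 2617 computation also folds the user name and realm into the first MD5, which is left out here to stay with the message's form. The password, nonce and URI values are constructed.

```python
import hashlib


def md5_hex(data: str) -> str:
    """Hex MD5 of a UTF-8 string."""
    return hashlib.md5(data.encode("utf-8")).hexdigest()


def stored_hash(password: str) -> str:
    """The nonce-independent value the message says an htdigest file holds.
    It is the same for every login, so a precomputed table applies to it."""
    return md5_hex(password)


def digest_response(stored: str, nonce: str, method: str, uri: str) -> str:
    """Server-side check value, per the message's formula:
    MD5(MD5(pw) + ":" + nonce + ":" + MD5(method + ":" + uri)).
    The server only needs the stored hash to verify a client's response,
    and a fresh nonce per challenge makes precomputation useless on the wire."""
    return md5_hex(stored + ":" + nonce + ":" + md5_hex(method + ":" + uri))


def brute_force_seconds(alphabet: int, length: int, rate_per_core: int, cores: int) -> int:
    """Seconds to hash every password of exactly `length` characters
    (the message's estimate: 72**8 / (32511400 * 4))."""
    return (alphabet ** length) // (rate_per_core * cores)


def brute_force_seconds_upto(alphabet: int, max_len: int, rate_per_core: int, cores: int) -> int:
    """Same estimate for all passwords of 1 .. max_len characters."""
    total = sum(alphabet ** n for n in range(1, max_len + 1))
    return total // (rate_per_core * cores)


if __name__ == "__main__":
    # Constructed sample values (not from any real system)
    stored = stored_hash("correct horse")
    r1 = digest_response(stored, "nonce-A", "GET", "/trac/login")
    r2 = digest_response(stored, "nonce-B", "GET", "/trac/login")
    print("responses differ per nonce:", r1 != r2)
    print("stored hash is static:", stored == stored_hash("correct horse"))
    secs = brute_force_seconds(26 * 2 + 10 + 10, 8, 32511400, 4)
    print("8-char search on 4 cores:", secs, "s =", secs // 86400, "days")
```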
