info-cvs
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Please HELP : Reg CVS password Decrypting mechanism


From: Arvind Kanaka Raju
Subject: Please HELP : Reg CVS password Decrypting mechanism
Date: Fri, 12 Sep 2008 13:11:39 +0530

Hi Paul, Thanks a lot for your reply and it was very useful and I did guess
The same scenario though.. Your lines "If you can decrypt them, so can an 
attacker, who could then gain access to the system"

Doubts : When we create a new user, we use the crypt function with 
salt,random,pepper etc to create a encrypted password but the output 
string(encrypted password) is Given out as a different string everytime we run 
the crpyting script.

For Example:

Entered String : abcd

First run of Encyption Script: GprUM4jlw1WwY

Second run of Encyption Script: cAfUhQnwU4Ly2

Third run of Encyption Script: RW7h1x9Vtn1Ss

And so on it generates different strings....

Though they are different, the users are still authenticated successfully every 
time they login to the CVS rep. So how can we come to a conclusion that the 
user entered password are encrypted by CVS application and compared with the 
one in database. Just a doubt pls explain as I am naïve to this application.


My Question here: How does CVS application which takes in a user password from 
some desktop client encrypt it and compare it with the one stored rep/CVSROOT

1: Does CVS have an function call to the Unix system to do it?
2: Does CVS have an function call to the Unix system to decrypt it?


Thanks in advance!!!!!!
Arvind




Original Message-----
From: Paul Sander [mailto:address@hidden
Sent: Friday, September 12, 2008 12:14 PM
To: Arvind Kanaka Raju
Subject: Re: Please HELP : Reg CVS password Decrypting mechanism

Passwords are not normally decrypted.  In fact, the encryption is
usually "one way" so that it in fact cannot be decrypted.  If you can
decrypt them, so can an attacker, who could then gain access to the
system.

Instead, the user presents their password, then the application
encrypts it, and finally it compares the user's encrypted password
with the encrypted password stored in a database.  There may be
details like using matching "salt" values, which would be the first
two characters of the encrypted password stored in the database, or
fetching the saved encrypted password from a shadow database.  Such
details are specific to the operating system.

On Sep 11, 2008, at 5:50 AM, Arvind Kanaka Raju wrote:

> Hello, I am currently assigned as CVS Admin for an organization and
> my prime work includes creating, maintaining and adding new users
> to CVS repositories.
>
>
>
> My Requirement: I am currently trying to enable users to change
> their passwords by themselves which can be supported by a WEB Utility.
>
>
>
> But the prime hurdle that I am facing to proceed with designing the
> web utility  is that 'I am unable to decrypt passwords stored in
> <CVS Rep>/CVSROOT/passwd,
>
>
>
> this is very much needed for the deployment.
>
>
>
> Currently the CVS password encryption happens through a function
> called CRYPT.
>
>
>
> Kinldy Help
>
>
>
> Thanks in Advance
>
>
>
>  Arvind.K.R
>
> | Software Engineer |.
>
>
>
> | Infosys Technologies Limited - MCity| Mob: 9940104010|
>
> | address@hidden| www.infosys.com |
>
>
>
> **************** CAUTION - Disclaimer ***************** This e-mail
> contains PRIVILEGED AND CONFIDENTIAL INFORMATION intended solely
> for the use of the addressee(s). If you are not the intended
> recipient, please notify the sender by e-mail and delete the
> original message. Further, you are not to copy, disclose, or
> distribute this e-mail or its contents to any other person and any
> such actions are unlawful. This e-mail may contain viruses. Infosys
> has taken every reasonable precaution to minimize this risk, but is
> not liable for any damage you may sustain as a result of any virus
> in this e-mail. You should carry out your own virus checks before
> opening the e-mail or attachment. Infosys reserves the right to
> monitor and review the content of all messages sent to or from this
> e-mail address. Messages sent to or from this e-mail address may be
> stored on the Infosys e-mail system. ***INFOSYS******** End of
> Disclaimer ********INFOSYS***
>





reply via email to

[Prev in Thread] Current Thread [Next in Thread]