[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: cvs with xinetd
|
From: |
Larry Jones |
|
Subject: |
Re: cvs with xinetd |
|
Date: |
Thu, 3 May 2001 17:41:04 -0400 (EDT) |
address@hidden writes:
>
> The very fact that it uses the crypt(3) library function is why I believe it
> would "break". Suppose I use jCVS to connect to my CVS server, on which MD5
> passwords are used. Further suppose that I don't want to use the layered
> password protection that CVS provides because I'm on an internal network
> protected elsewhere. jCVS will create the password in-line with the fact
> that crypt(3) is used to generate it. However, the CVS pserver, not having
> a passwd file, will look in the system files and find a password that was
> generated with MD5. The passwords can't match, except by chance (and a long
> shot at that).
That's not how it works; only the server uses crypt(), not the client.
The client simply "scrambles" the password (using a very weak, well
documented, invertible mapping which is intended simply to protect the
password from casual observation; like a lock on a screen door, it
serves no purpose as far as security is concerned) and sends it to the
server. The server then unscrambles the password to recover the
original plain-text password and calls crypt() to compare it with the
reference encrypted password from the CVS passwd file or the system
passwd file.
-Larry Jones
I wonder what's on TV now. -- Calvin
- RE: cvs with xinetd, adam_montville, 2001/05/03
- Re: cvs with xinetd,
Larry Jones <=
- RE: cvs with xinetd, Adam W. Montville, 2001/05/03
- Re: cvs with xinetd, Larry Jones, 2001/05/04
- Re: cvs with xinetd, Peter Ajamian, 2001/05/05
- Re: cvs with xinetd, Larry Jones, 2001/05/05
- Re: cvs with xinetd, Peter Ajamian, 2001/05/05
- Re: cvs with xinetd, Peter Ajamian, 2001/05/05
- RE: cvs with xinetd, Gianni Mariani, 2001/05/06
RE: cvs with xinetd, USENBINZ, 2001/05/04