info-cvs

Re: Please HELP : Reg CVS password Decrypting mechanism


From: Todd Denniston
Subject: Re: Please HELP : Reg CVS password Decrypting mechanism
Date: Fri, 12 Sep 2008 08:15:10 -0400
User-agent: Thunderbird 2.0.0.16 (X11/20080707)

Just feeling terse this morning, so answers are very short.

Arvind Kanaka Raju wrote, On 09/12/2008 03:41 AM:
Hi Paul, Thanks a lot for your reply and it was very useful and I did guess
the same scenario though. Your lines: "If you can decrypt them, so can an attacker,
who could then gain access to the system"

Doubts: When we create a new user, we use the crypt function with
salt, random, pepper etc. to create an encrypted password, but the output
string (encrypted password) is given out as a different string every time we run
the crypting script.

For Example:

Entered String : abcd

First run of Encryption Script: GprUM4jlw1WwY
openssl passwd -salt Gpr
Password:abcd
GprUM4jlw1WwY


Second run of Encryption Script: cAfUhQnwU4Ly2
openssl passwd -salt cAf
Password:abcd
cAfUhQnwU4Ly2


Third run of Encryption Script: RW7h1x9Vtn1Ss

openssl passwd -salt RW7
Password:
RW7h1x9Vtn1Ss


And so on it generates different strings....

Though they are different, the users are still authenticated successfully every
time they log in to the CVS rep. So how can we come to a conclusion that the
user-entered passwords are encrypted by the CVS application and compared with the
one in the database? Just a doubt, please explain as I am naïve to this application.


My Question here: How does the CVS application, which takes in a user password from
some desktop client, encrypt it and compare it with the one stored in rep/CVSROOT?

1: Does CVS have a function call to the Unix system to do it?
2: Does CVS have a function call to the Unix system to decrypt it?

man crypt




Thanks in advance!!!!!!
Arvind




-----Original Message-----
From: Paul Sander [mailto:address@hidden]
Sent: Friday, September 12, 2008 12:14 PM
To: Arvind Kanaka Raju
Subject: Re: Please HELP : Reg CVS password Decrypting mechanism

Passwords are not normally decrypted.  In fact, the encryption is
usually "one way" so that it in fact cannot be decrypted.  If you can
decrypt them, so can an attacker, who could then gain access to the
system.

Instead, the user presents their password, then the application
encrypts it, and finally it compares the user's encrypted password
with the encrypted password stored in a database.  There may be
details like using matching "salt" values, which would be the first
two characters of the encrypted password stored in the database, or
fetching the saved encrypted password from a shadow database.  Such
details are specific to the operating system.

On Sep 11, 2008, at 5:50 AM, Arvind Kanaka Raju wrote:

Hello, I am currently assigned as CVS Admin for an organization and
my prime work includes creating, maintaining and adding new users
to CVS repositories.



My Requirement: I am currently trying to enable users to change
their passwords by themselves which can be supported by a WEB Utility.



But the prime hurdle that I am facing to proceed with designing the
web utility is that I am unable to decrypt passwords stored in
<CVS Rep>/CVSROOT/passwd,



this is very much needed for the deployment.



Currently the CVS password encryption happens through a function
called CRYPT.



Kindly Help



Thanks in Advance



 Arvind.K.R

| Software Engineer |.



| Infosys Technologies Limited - MCity| Mob: 9940104010|

| address@hidden| www.infosys.com |










--
Todd Denniston
Crane Division, Naval Surface Warfare Center (NSWC Crane)
Harnessing the Power of Technology for the Warfighter
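
The check Paul describes above (re-hash the presented password with the salt taken from the stored hash, then compare), applied to the password-change utility from the original question, as an added example that is not part of the thread or of CVS. It assumes the `openssl` CLI and uses MD5-crypt (`-1`) hashes, whose salt sits between the second and third `$`, rather than the short-salt form in the runs above; the function names and the sample file are constructed, and whether the server's crypt(3) accepts `$1$` hashes depends on the platform.

```sh
#!/bin/sh
# Added example; function names and the sample file are constructed.
# Assumes the openssl CLI. Hashes are MD5-crypt: $1$<salt>$<digest>.

# hash_pw SALT: read the password on stdin, print its hash.
hash_pw() {
    openssl passwd -1 -salt "$1" -stdin
}

# stored_hash FILE USER: print field 2 of USER's line (user:hash[:sysuser]).
stored_hash() {
    awk -F: -v u="$2" '$1 == u { print $2; exit }' "$1"
}

# verify_pw FILE USER PASSWORD: succeed if PASSWORD re-hashes to the stored value.
verify_pw() {
    stored=$(stored_hash "$1" "$2")
    [ -n "$stored" ] || return 1                    # unknown user
    salt=$(printf '%s' "$stored" | cut -d'$' -f3)   # salt is read from the stored hash
    candidate=$(printf '%s\n' "$3" | hash_pw "$salt")
    [ "$candidate" = "$stored" ]
}

# change_pw FILE USER OLD NEW: replace the hash only if OLD verifies.
change_pw() {
    verify_pw "$1" "$2" "$3" || return 1
    newsalt=$(openssl rand -hex 4)                  # fresh 8-character salt
    newhash=$(printf '%s\n' "$4" | hash_pw "$newsalt")
    tmp=$(mktemp "$1.XXXXXX") || return 1
    awk -F: -v OFS=: -v u="$2" -v h="$newhash" \
        '$1 == u { $2 = h } { print }' "$1" > "$tmp" && mv "$tmp" "$1"
}

# Demo on a constructed file: user "alice", password "abcd".
demo=$(mktemp)
printf 'alice:%s:cvsuser\n' "$(printf 'abcd\n' | hash_pw Gpr)" > "$demo"
verify_pw "$demo" alice abcd  && echo "abcd: accepted"
verify_pw "$demo" alice wrong || echo "wrong: rejected"
change_pw "$demo" alice abcd efgh && verify_pw "$demo" alice efgh && echo "changed to efgh"
rm -f "$demo"
```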



