[Ffmpeg-devel] SVN challenge response authentication weaknesses

Rich Felker dalias
Sun May 28 04:12:18 CEST 2006


On Sun, May 28, 2006 at 12:04:59AM +0200, Diego Biurrun wrote:
> On Sat, May 27, 2006 at 06:04:29PM -0400, Rich Felker wrote:
> > On Sat, May 27, 2006 at 01:10:58PM +0200, Attila Kinali wrote:
> > > 
> > > But there is one threat that is more serious than any of these
> > > above and a lot more likely to happen: If someone is able to
> > > overtake one of the machines of a developer, he can simply
> > > extract the svn password from the config files. Unlike with
> > > ssh-keys those files are not encrypted!
> > 
> > No one kept their rsa keys encrypted anyway. If they did they'd have
> > to enter a password each time they did anything with cvs, even
> > read-only ops..
> 
> ssh-agent is your friend, with it you only have to type in your
> passphrase once (in a while).

Then if someone cracks your system while your ssh-agent is active and
remembering your passphrase, they can just extract it from the
ssh-agent's core...

Rich




