[Ffmpeg-devel] SVN challenge response authentication weaknesses

Diego Biurrun diego
Sun May 28 12:17:46 CEST 2006


On Sat, May 27, 2006 at 10:12:18PM -0400, Rich Felker wrote:
> On Sun, May 28, 2006 at 12:04:59AM +0200, Diego Biurrun wrote:
> > On Sat, May 27, 2006 at 06:04:29PM -0400, Rich Felker wrote:
> > > On Sat, May 27, 2006 at 01:10:58PM +0200, Attila Kinali wrote:
> > > > 
> > > > But there is one threat that is more serious than any of these
> > > > above and a lot more likely to happen: If someone is able to
> > > > overtake one of the machines of a developer, he can simply
> > > > extract the svn password from the config files. Unlike with
> > > > ssh-keys those files are not encrypted!
> > > 
> > > No one kept their rsa keys encrypted anyway. If they did they'd
> > > have to enter a password each time they did anything with cvs,
> > > even read-only ops..
> > 
> > ssh-agent is your friend, with it you only have to type in your
> > passphrase once (in a while).
> 
> Then if someone cracks your system while your ssh-agent is active
> and remembering your passphrase, they can just extract it from the
> ssh-agent's core...

If somebody cracks your system in such a way it doesn't matter if
ssh-agent is running at the time or not.

ssh-agent increases security.  Passphrases are never sent over the
network and since using passphrases becomes less of a burden people are
more likely to actually use them.

Diego
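
The thread turns on whether credentials sit on disk in the clear (the cached svn password, an RSA key without a passphrase). The sketch below is an added example, not part of the original message or of any project tooling; it classifies both kinds of file and goes beyond the thread by also handling the newer OpenSSH key format. It assumes Subversion's `K <len>`/`V <len>` auth-cache layout with a `passtype` field, and every sample input is constructed.

```python
import base64
import struct

def parse_svn_auth(data: bytes) -> dict:
    """Parse Subversion's cached-credential format: 'K <len>', key, 'V <len>', value, ..., 'END'."""
    rec, pos = {}, 0
    def read(tag: bytes) -> str:
        nonlocal pos
        eol = data.index(b"\n", pos)          # raises ValueError on a truncated file
        if not data[pos:eol].startswith(tag + b" "):
            raise ValueError("malformed svn auth record")
        n = int(data[pos + 2:eol])            # declared byte length of the item
        pos = eol + 1 + n + 1                 # skip the item and its trailing newline
        return data[eol + 1:eol + 1 + n].decode()
    while not data.startswith(b"END", pos):
        key = read(b"K")
        rec[key] = read(b"V")
    return rec

def svn_password_at_rest(data: bytes) -> str:
    rec = parse_svn_auth(data)
    if rec.get("passtype", "simple") != "simple":
        return "protected via " + rec["passtype"]  # keyring/agent/OS store guards the secret
    return "plaintext" if "password" in rec else "not cached"

def ssh_key_at_rest(pem: str) -> str:
    lines = [l.strip() for l in pem.strip().splitlines()]
    if "ENCRYPTED PRIVATE KEY" in lines[0]:        # PKCS#8 encrypted container
        return "encrypted"
    if "OPENSSH PRIVATE KEY" in lines[0]:          # openssh-key-v1: cipher name follows the magic
        blob, magic = base64.b64decode("".join(lines[1:-1])), b"openssh-key-v1\0"
        if not blob.startswith(magic):
            raise ValueError("not an openssh-key-v1 blob")
        (n,) = struct.unpack(">I", blob[len(magic):len(magic) + 4])
        return "plaintext" if blob[len(magic) + 4:len(magic) + 4 + n] == b"none" else "encrypted"
    # Legacy PEM (the RSA/DSA format of the thread's era): encryption is declared in a header line
    return "encrypted" if "Proc-Type: 4,ENCRYPTED" in lines[1:3] else "plaintext"

# Constructed samples: no real credentials or key material (the OpenSSH one is a header only).
SVN_SAMPLE = b"K 8\npasstype\nV 6\nsimple\nK 8\npassword\nV 7\nhunter2\nK 8\nusername\nV 5\nalice\nEND\n"
LEGACY_ENC = "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\nDEK-Info: AES-128-CBC,00\n\nAAAA\n-----END RSA PRIVATE KEY-----"
LEGACY_PLAIN = "-----BEGIN RSA PRIVATE KEY-----\nAAAA\n-----END RSA PRIVATE KEY-----"
OPENSSH_PLAIN = ("-----BEGIN OPENSSH PRIVATE KEY-----\n"
                 + base64.b64encode(b"openssh-key-v1\0" + struct.pack(">I", 4) + b"none").decode()
                 + "\n-----END OPENSSH PRIVATE KEY-----")

if __name__ == "__main__":
    print(svn_password_at_rest(SVN_SAMPLE), [ssh_key_at_rest(k) for k in (LEGACY_ENC, LEGACY_PLAIN, OPENSSH_PLAIN)])
```

The result describes only how the secret is stored on disk; it says nothing about keys already loaded into a running ssh-agent.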



