[Ffmpeg-devel] SVN challenge response authentication weaknesses
Sun May 28 12:17:46 CEST 2006
On Sat, May 27, 2006 at 10:12:18PM -0400, Rich Felker wrote:
> On Sun, May 28, 2006 at 12:04:59AM +0200, Diego Biurrun wrote:
> > On Sat, May 27, 2006 at 06:04:29PM -0400, Rich Felker wrote:
> > > On Sat, May 27, 2006 at 01:10:58PM +0200, Attila Kinali wrote:
> > > >
> > > > But there is one thread that is more serious than any of these
> > > > above and a lot more likely to happen: If someone is able to
> > > > overtake one of the machines of a developer, he can simply
> > > > extract the svn password from the config files. Unlike with
> > > > ssh-keys those files are not encrypted!
> > >
> > > No one kept their rsa keys encrypted anyway. If they did they'd
> > > have to enter a password each time they did anything with cvs,
> > > even read-only ops..
> > ssh-agent is your friend, with it you only have to type in your
> > passphrase once (in a while).
> Then if someone cracks your system while your ssh-agent is active
> and remembering your passphrase, they can just extract it from the
> ssh-agent's core...
If somebody cracks your system in such a way it doesn't matter if
ssh-agent is running at the time or not.
ssh-agent increases security. Passphrases are never sent over the
network and since using passphrases becomes less of a burden people are
more likely to actually use them.
More information about the ffmpeg-devel