From: Daniel A. <dan...@gm...> - 2006-10-24 21:40:46
On 10/24/06, Ethan Blanton <el...@ps...> wrote:
> Daniel Atallah spake unto us the following wisdom:
> > The password is hashed and the hash stored in an htdigest2 compatible file.
>
> Hashed with a real hash, and as such safe on disk?

I guess I didn't honestly know the answer to that - so I looked. It is an MD5 hash of username:realm:password.

Source: http://svn.apache.org/viewvc/httpd/httpd/branches/2.0.x/support/htdigest.c?revision=421178&view=markup

> Can trac be made to use SSL only for logins/etc., and non-SSL for
> everything else? I assume we don't want SSL for the entire tracker
> and wiki. If this is the case, can we get a self-signed certificate
> installed temporarily?

I'm assuming that we can use SSL just for auth - I'll have to try it. I'll get back to y'all about this.

> > Someone motivated could probably without much difficulty update the
> > AccountManagerPlugin to be capable of hashing the password in javascript
> > and send the hash - that would be neat.
>
> That hash would be plaintext-equivalent, though, so while it wouldn't
> disclose the password you typed in, it wouldn't fix anything about
> plaintext login.

Sure, I was thinking more from a perspective of having to use a throwaway password. A real digest based auth with a nonce word and stuff would be a lot more work.

-D
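Added example, not code from the thread or from Apache/Trac: it builds and verifies an htdigest-style entry (MD5 of username:realm:password, as Daniel found in htdigest.c) and then shows why Ethan calls that stored value plaintext-equivalent: it is exactly the HA1 that RFC 2617 Digest authentication feeds into the nonce-based response, so whoever holds the file can answer a challenge without ever knowing the password. The realm, user names, passwords and nonce are constructed.

```python
import hashlib
import hmac

# Constructed sample values; nothing here comes from the real tracker.
REALM = "trac"


def ha1(username: str, realm: str, password: str) -> str:
    """MD5(username:realm:password): what htdigest stores, and RFC 2617's HA1."""
    return hashlib.md5(f"{username}:{realm}:{password}".encode()).hexdigest()


def htdigest_entry(username: str, realm: str, password: str) -> str:
    """One line in htdigest format: user:realm:hexdigest."""
    return f"{username}:{realm}:{ha1(username, realm, password)}"


def parse_htdigest(text: str) -> dict:
    """Map (user, realm) -> stored digest, skipping blank and comment lines."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, realm, digest = line.split(":", 2)
        entries[(user, realm)] = digest
    return entries


def verify_password(entries: dict, username: str, realm: str, password: str) -> bool:
    """Server-side check: recompute HA1 and compare in constant time."""
    stored = entries.get((username, realm))
    if stored is None:
        return False
    return hmac.compare_digest(stored, ha1(username, realm, password))


def digest_response(ha1_hex: str, method: str, uri: str, nonce: str) -> str:
    """RFC 2617 response without qop: MD5(HA1:nonce:HA2), HA2 = MD5(method:uri).

    Only HA1 is needed, never the password, which is why the on-disk hash
    must be protected as carefully as a plaintext password would be."""
    ha2 = hashlib.md5(f"{method}:{uri}".encode()).hexdigest()
    return hashlib.md5(f"{ha1_hex}:{nonce}:{ha2}".encode()).hexdigest()


def stored_hash_is_plaintext_equivalent(entries: dict, username: str, password: str) -> bool:
    """True when a response built from the stored hash matches one built from the password."""
    nonce = "constructed-nonce-0001"
    from_file = digest_response(entries[(username, REALM)], "GET", "/trac/wiki", nonce)
    from_pw = digest_response(ha1(username, REALM, password), "GET", "/trac/wiki", nonce)
    return from_file == from_pw
```

Because MD5 is unsalted and fast, the same file also lends itself to offline guessing, which is the other reason Ethan's question about SSL for the login step matters.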