Authenticated Proxy support

Anand Pillai abpillai at gmail.com
Thu Sep 1 09:21:30 BST 2005


HarvestMan too does not store your username/password in cleartext.
In HarvestMan everything is specified in a config.xml file as PCDATA
or attributes of elements which dictate the configuration.
 
   HarvestMan uses a simple cyclic XOR obfuscation (not encryption)
combined with hexing to store the proxy server ip/name, proxy username
and proxy password to provide a simple kind of security.

 For example if your proxy information is as follows,

proxy server : proxy.mycompany.com
username: alice
password: bob

Inside the config.xml file HarvestMan converts them to the following

proxy server: 02701f671e305d2447284535543a436d0e610c
username: 0d61086b0e
password: 0d6200

Clearly this looks like junk to the less skilled hacker. However, it
can be cracked in less than a minute if you know what is happening ;-)

-Anand

On 9/1/05, Matthieu Moy <Matthieu.Moy at imag.fr> wrote:
> Martin Pool <martinpool at gmail.com> writes:
> 
> > On 9/1/05, Dhruva Krishnamurthy (RBIN/EDI3) *
> > <Dhruva.Krishnamurthy at in.bosch.com> wrote:
> >
> >>         I have faced big problems in trying to contribute to FSF/GNU
> >> projects (Emacs) as the version control they use (CVS/GNU Arch) does not
> >> support accessing remote repositories through authenticated proxy servers. I
> >> was wondering if Bazaar-NG has overcome this limitation.
> 
> I have a patch for authenticated proxy via ~/.authinfo in my archive
> for tla.
> 
> Bazaar 1.4 supports this without patching.
> 
> > Hi Dhruva,
> >
> > It looks like the urlgrabber module used by bzr will already support
> > proxy authentication, if you just set the environment variable
> > http_proxy=http://user:pass@proxy/
> 
> Nice, however, it would be nice to have another way to specify the
> password. I really don't like having passwords in environment
> variables.
> 
> My implementation with a ~/.authinfo in Bazaar is slightly more
> secure. Your password still appears in cleartext, but only in one
> file. Ideally, it would be an agent like ssh-agent, keeping my
> password secure when I'm not logged in.
> 
> --
> Matthieu
> 


-- 
Anand B Pillai,
Senior Technical Analyst,
IPG-DC, Hewlett-Packard India Pvt Ltd,
Near Forum,Adugodi,
Bangalore - 560030.
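
Added example (not part of the original post and not HarvestMan's own code): a Python check showing why the stored values above are obfuscation rather than encryption. The chaining rule is an assumption inferred from the three sample pairs in the post, and the function names are hypothetical; the stored bytes decode using only themselves, with no secret.

```python
# Added illustration; the chaining rule below is inferred from the three
# sample pairs in the post, not taken from HarvestMan's source code.

# Sample pairs exactly as given in the post.
SAMPLES = {
    "proxy.mycompany.com": "02701f671e305d2447284535543a436d0e610c",
    "alice": "0d61086b0e",
    "bob": "0d6200",
}


def obfuscate(plain: str) -> str:
    """Chained XOR then hex: c[0] = p[0]^p[1], c[i] = p[i]^c[i-1]."""
    p = plain.encode("ascii")
    if len(p) < 2:
        raise ValueError("inferred rule needs at least two characters")
    out = bytearray([p[0] ^ p[1]])
    for b in p[1:]:
        out.append(b ^ out[-1])
    return out.hex()


def deobfuscate(hexed: str) -> str:
    """Invert the rule using only the stored bytes; no secret is involved."""
    c = bytes.fromhex(hexed)
    if len(c) < 2:
        raise ValueError("inferred rule needs at least two bytes")
    # c[1] = p[1]^c[0] = p[1]^p[0]^p[1] = p[0]; for i >= 1, p[i] = c[i]^c[i-1]
    p = bytearray([c[1]])
    for i in range(1, len(c)):
        p.append(c[i] ^ c[i - 1])
    return p.decode("ascii")


def check_samples() -> bool:
    """True if the inferred rule reproduces every pair from the post."""
    return all(
        obfuscate(plain) == stored and deobfuscate(stored) == plain
        for plain, stored in SAMPLES.items()
    )


if __name__ == "__main__":
    for plain, stored in SAMPLES.items():
        print(f"{stored} -> {deobfuscate(stored)}")
    print("rule matches all samples:", check_samples())
```

Because nothing outside the stored string is needed to reverse it, anyone who can read config.xml can read the proxy credentials; file permissions on config.xml are the only real control.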



