
sasl mechanisms order

From: Victor Sudakov <sudakov_at_sibptus.tomsk.ru>
Date: Tue, 27 Jul 2010 14:50:04 +0700

Colleagues,

I have subversion-1.6.12 compiled with cyrus-sasl-2.1.23 from ports,
FreeBSD 6.4.

I need to guarantee that the subversion client/server will always use
the GSSAPI mechanism before DIGEST-MD5. In a more general sense, one
may need to set the order of SASL mechanisms for authenticated users.

However, it seems that there is a stalemate situation.

According to Daniel Shahaf, the subversion client uses the
server-reported mechanisms, in the order suggested by the server.
"There is no knob that lets you manipulate the order in the client."
Please see the thread "sasl mechanisms order" in users@ for more
details.

According to Alec Kloss, "the order of the offered mechanisms from
Cyrus sasl is, by default, the reverse of the order that the library
finds them. This would be, in effect, the reverse physical directory
order of the modules in /usr/[local]/lib/sasl2/ which you can find
with ls -U. [...] Cyrus SASL believes it's the client that should
select the preferred mechanism from the list offered by the server,
not just the first one."

All this means that if perchance I touch a file in
/usr/local/lib/sasl2/, my Kerberos SSO can stop working.

Could we think of a way to manipulate the order? Perhaps svn needs an
option like the one OpenLDAP utilities have:

-Y mech
Specify the SASL mechanism to be used for authentication.

-- 
Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
sip:sudakov_at_sibptus.tomsk.ru
Received on 2010-07-27 09:50:46 CEST
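
The client-side selection discussed in the message above, as an added example that is not part of the original mail and is not Subversion or Cyrus SASL code: a hypothetical helper, order_mechs, reorders the server-offered mechanism list by the client's own preference, so the result no longer depends on the order the server happened to report. The offered lists and buffer sizes are constructed sample values.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not a Subversion or Cyrus SASL API).
 * Writes to out the mechanisms from the server's space-separated list
 * that the client accepts, in the client's preference order.
 * Names are matched as exact whole tokens, so "GSSAPI" never matches
 * "GSS-SPNEGO" and a name never matches a longer name that starts with it.
 * Returns the number of mechanisms written, or -1 if out is too small. */
int order_mechs(const char *offered, const char *const *prefs, size_t nprefs,
                char *out, size_t outlen)
{
    size_t used = 0;
    int count = 0;

    if (outlen == 0)
        return -1;
    out[0] = '\0';
    for (size_t i = 0; i < nprefs; i++) {
        size_t plen = strlen(prefs[i]);
        const char *p = offered;
        while (*p) {
            p += strspn(p, " ");             /* skip separators */
            size_t tlen = strcspn(p, " ");   /* length of this token */
            if (tlen == plen && memcmp(p, prefs[i], plen) == 0) {
                size_t need = plen + (used ? 1 : 0);
                if (used + need >= outlen)   /* keep room for the NUL */
                    return -1;
                if (used)
                    out[used++] = ' ';
                memcpy(out + used, prefs[i], plen);
                used += plen;
                out[used] = '\0';
                count++;
                break;
            }
            p += tlen;
        }
    }
    return count;
}

int main(void)
{
    /* Constructed sample: server happens to list DIGEST-MD5 first. */
    const char *prefs[] = { "GSSAPI", "DIGEST-MD5" };
    char buf[64];
    int n = order_mechs("DIGEST-MD5 GSS-SPNEGO GSSAPI CRAM-MD5",
                        prefs, 2, buf, sizeof buf);
    printf("%d usable, try in this order: %s\n", n, buf);
    return 0;
}
```

A return value of 0 means the server offered nothing the client accepts; a client that lists only GSSAPI in prefs then fails the connection instead of falling back to DIGEST-MD5.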

This is an archived mail posted to the Subversion Dev mailing list.