Re: svnserve + SASL: Only works with plaintext 'userPassword', so what's the point?
On Wed, Jan 26, 2011 at 9:26 PM, Stefan Sperling <stsp_at_elego.de> wrote:
> On Wed, Jan 26, 2011 at 07:08:55PM -0700, Donner, Sean P wrote:
>> > It's because of how CramMD5 works.
>> > "The server needs access to the users' plain text passwords."
>> > http://en.wikipedia.org/wiki/CRAM-MD5
>> > Stefan
>> Perhaps I'm wrong, but I was under the impression that the 1.6.x version of
>> 'svnserve' natively supports CRAM-MD5; meaning you *don't* need to set
>> 'use-sasl = true' to get this functionality.
> That's correct. But you can still configure SASL do to CRAM-MD5.
> So there might be a bug in svn.
> Maybe it still assumes that plaintext passwords will always be present.
>> So my original question stands as
>> to what SASL is buying us when it still requires plain-text passwords to be
>> stored on the server?
> Unfortunately the sasl stuff is not being maintained very actively.
> The developers who wrote it aren't active anymore.
> There are a couple of outstanding issues (some with half-done patches
> floating around) that haven't been addressed due to lack of interest
> and resources.
> So if you want to help out with investigating this problem more closely
> and possibly also help with fixing this the Subversion project would
> be grateful.
Or switch to svn+ssh for SSH key based access, which has other advantages.
Received on 2011-01-27 08:52:04 CET
This is an archived mail posted to the Subversion Users