Hey folks,
I finally have something for you to play with. Before I get into
details, here are a few things you should know:
1. To implement security layers (i.e. encryption) I used the
svn_ra_svn_stream_t implementation from the svnserve-ssl branch.
2. I haven't tested this patch with GSSAPI or KERBEROS_V4. If you have
a working Kerberos setup, you are encouraged to try this out.
3. No win32 support yet.
To test this:
- Install Cyrus SASL version 2.0.0 or later
- Put this in your svnserve.conf:
[sasl]
use-sasl = true
min-enc-strength = 0
max-enc-strength = 256
min-enc-strength and max-enc-strength are the minimum and maximum encryption
strengths that you want SASL to provide. 0 means no encryption, 1
means integrity-checking only, and values greater than 1 correspond to
the key length, in bits. Both options default to 0 at the moment.
- Put this in your /usr/lib/sasl2/Subversion.conf:
pwcheck_method: auxprop
mech_list: ANONYMOUS CRAM-MD5 DIGEST-MD5 .. etc
Cyrus SASL also supports another password-checking method via a
standalone daemon, saslauthd. It only works with plaintext passwords
though, so until we have SSL support for ra_svn, it doesn't make much
sense to use it.
There are many more options that you can specify. See the SASL docs
for details.
- Add users to the password database:
# saslpasswd2 -c user -u realm -a Subversion
Replace realm with the realm specified in svnserve.conf.
- Make sure the user who owns svnserve has read access to the password
database (usually /etc/sasldb2). If you are going to use OTP you also
need write access.
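The [sasl] settings above are easy to get subtly wrong: an unknown key is ignored rather than rejected, and both strength options fall back to 0, so a misspelled max-enc-strength silently leaves the server without any security layer. The following linter is an added example written for this post, not code from the patch or from Subversion; it assumes the semantics described above (0 = no encryption, 1 = integrity-checking only, >1 = key length in bits, unknown keys ignored, missing keys default to 0) and uses a constructed svnserve.conf that reproduces the misspelling from the sample configuration.

```python
"""Lint the [sasl] section of an svnserve.conf (added example, not part of
the original patch).  Assumes the option semantics stated in the post:
0 = no encryption, 1 = integrity-checking only, >1 = key length in bits;
unknown keys are ignored and missing strength keys default to 0."""
import configparser
from typing import List, Tuple

KNOWN_KEYS = {"use-sasl", "min-enc-strength", "max-enc-strength"}

# Constructed sample: the post's configuration, including its misspelled key.
SAMPLE_CONF = """\
[general]
realm = example-realm

[sasl]
use-sasl = true
min-enc-strength = 0
max-enc-strenght = 256
"""

# Constructed sample: the same section with the key fixed and a floor set.
HARDENED_CONF = """\
[sasl]
use-sasl = true
min-enc-strength = 128
max-enc-strength = 256
"""


def describe_strength(n: int) -> str:
    """Human-readable meaning of an encryption-strength value."""
    if n == 0:
        return "no encryption"
    if n == 1:
        return "integrity-checking only"
    return f"{n}-bit encryption"


def lint_sasl_section(text: str) -> List[Tuple[str, str]]:
    """Return (severity, message) findings for the [sasl] section of text."""
    findings: List[Tuple[str, str]] = []
    cp = configparser.ConfigParser()
    cp.read_string(text)
    if not cp.has_section("sasl"):
        return [("info", "no [sasl] section; SASL authentication is not enabled")]
    sasl = cp["sasl"]

    # svnserve ignores keys it does not know, so a typo is a silent no-op.
    for key in sasl:
        if key not in KNOWN_KEYS:
            findings.append(("error",
                             f"unknown key '{key}' is silently ignored; "
                             f"known keys are {sorted(KNOWN_KEYS)}"))

    if not sasl.getboolean("use-sasl", fallback=False):
        findings.append(("info", "use-sasl is not true; strength options have no effect"))
        return findings

    # Both strength options default to 0 when absent.
    lo = sasl.getint("min-enc-strength", fallback=0)
    hi = sasl.getint("max-enc-strength", fallback=0)
    if lo < 0 or hi < 0:
        findings.append(("error", "encryption strengths must be non-negative"))
    if lo > hi:
        findings.append(("error",
                         f"min-enc-strength ({lo}) exceeds max-enc-strength ({hi}); "
                         "no security layer can be negotiated"))
    if lo == 0:
        findings.append(("warning",
                         "min-enc-strength = 0 permits sessions with neither "
                         "encryption nor integrity protection"))
    if hi == 0:
        findings.append(("warning",
                         "max-enc-strength = 0 (set or defaulted) disables SASL "
                         "security layers entirely; data travels unprotected"))
    findings.append(("info",
                     f"negotiated layer ranges from '{describe_strength(lo)}' "
                     f"to '{describe_strength(hi)}'"))
    return findings


def severities(text: str) -> List[str]:
    """Just the severity column, for quick checks."""
    return [sev for sev, _ in lint_sasl_section(text)]


if __name__ == "__main__":
    for name, conf in (("sample", SAMPLE_CONF), ("hardened", HARDENED_CONF)):
        print(f"== {name} ==")
        for sev, msg in lint_sasl_section(conf):
            print(f"{sev:8s} {msg}")
```

Run against the post's sample, the linter reports the misspelled key as an error and then warns that both effective strengths are 0; the hardened variant produces only the informational summary. Setting min-enc-strength above 0 is what actually stops a client from negotiating an unprotected session.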
[[[
Fix issue #1144: Add full SASL authentication support to ra_svn.
* configure.in:
Define SVN_HAVE_SASL.
* subversion/include/svn_config.h
(SVN_CONFIG_SECTION_SASL): New section.
(SVN_CONFIG_OPTION_USE_SASL,
SVN_CONFIG_OPTION_MIN_ENC_STRENGTH,
SVN_CONFIG_OPTION_MAX_ENC_STRENGTH): New options.
* subversion/libsvn_repos/repos.c
(create_conf): Change default contents of svnserve.conf
to document the new options.
* subversion/libsvn_ra_svn/client.c
(ra_svn_session_baton_t): Moved to ra_svn.h and renamed to
svn_ra_svn__session_baton_t. Changed all occurrences to reflect this.
(find_mech, read_success): Moved to simple_auth.c.
(do_auth): Moved to trivial_auth.c and renamed to svn_ra_svn__handle_auth.
(auth_response): Renamed to svn_ra_svn__auth_response.
(svn_ra_svn__init): Call svn_ra_svn__sasl_init.
(make_tunnel): Don't set conn->proc. It doesn't exist anymore.
* subversion/libsvn_ra_svn/ra_svn_sasl.h: New file.
* subversion/libsvn_ra_svn/sasl_auth.c: New file.
* subversion/libsvn_ra_svn/simple_auth.c: New file. Contains
functions taken from client.c.
* subversion/libsvn_ra_svn/streams.c: New file (copied from the
svnserve-ssl branch).
(sock_read_cb): Instead of always setting the timeout on sock to 0
after the read,
set it to the value before the read.
* subversion/libsvn_ra_svn/marshal.c: See r19264, r19283 and r19368.
* subversion/libsvn_ra_svn/ra_svn.h
(pending_fn_t, timeout_fn_t, svn_ra_svn_stream_t): New typedefs.
(svn_ra_svn_conn_st): Added new member: is_encrypted.
Removed "in_file", "out_file", and "proc" members
in favor of "in_stream" and "out_stream".
(svn_ra_svn__session_baton_t): New typedef. Copied from client.c.
(svn_ra_svn__stream_pair_from_sock,
svn_ra_svn__stream_pair_from_files,
svn_ra_svn__stream_create,
svn_ra_svn__stream_write,
svn_ra_svn__stream_read,
svn_ra_svn__stream_timeout,
svn_ra_svn__stream_pending,
svn_ra_svn__handle_auth,
svn_ra_svn__auth_response,
svn_ra_svn__sasl_init): New declarations.
* subversion/svnserve/sasl_auth.c: New file.
* subversion/svnserve/serve.c
(server_baton_t): Added new member: use_sasl. Moved to server.h.
(authn_type, access_type): Moved to server.h.
(get_access): This function is now public.
(auth_request): Renamed to simple_auth_request.
(auth_request): New function. Calls simple_auth_request or
sasl_auth_request.
(must_have_access): Also use the value of b->use_sasl to determine
whether or not an authentication request should be performed.
(find_repos): Read the value of SVN_CONFIG_OPTION_USE_SASL. Put it
in b->use_sasl.
* subversion/svnserve/main.c
(main): Call sasl_init().
* subversion/svnserve/server.h
(server_baton_t): New typedef. Copied from serve.c.
(authn_type, access_type): New enums. Copied from serve.c.
(sasl_init, sasl_auth_request): New declarations.
]]]
--
Vlad
Received on Mon Jul 10 15:44:23 2006