Hi,
This is a fix for a problem originally described here:
http://svn.haxx.se/dev/archive-2006-09/0994.shtml
Specifically, if GSSAPI is part of the list of mechanisms sent by the
server, the client will always choose it over the others (because it's
the most secure) even if it isn't really prepared to use it (e.g.
because there are no Kerberos credentials). Thus authentication will
always fail. The correct behavior would be to retry authentication
with the next best mechanism, which is what this patch does.
The patch isn't specific to GSSAPI, but AFAIK only GSSAPI exhibits the
problem that this patch is trying to fix.
[[[
If a SASL mechanism fails sufficiently early (i.e. before the client
sends the initial response), don't automatically fail the
authentication. Instead, fall back to the next best mechanism sent by
the server.
* subversion/libsvn_ra_svn/sasl_auth.c
(try_auth): If sasl_client_start() fails with a non-fatal error message,
delete the current mechanism from the list and try again.
]]]
--
Vlad
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org
Received on Wed Oct 11 12:59:18 2006