[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: On backporting r21531 to 1.4.x.

From: Samay <getafix123_at_hotmail.com>
Date: 2006-10-16 01:07:44 CEST

Hello Vladimir,

this is from a 'user' perspective. Below is a reference to how Mozilla
Firefox addresses / facilitates SSPI/SPNego/ authentication methods.

http://www.mozilla.org/projects/netlib/integrated-auth.html

they have a rather simple configuration method. user configures list of
'servers' where Negotiate authentication should be used. They also provide
Proxy support.

as regards SSPI issues?
a) SVN 1.4.x compiled against 0.26.1 Neon doesnt work with SPNego on both
win32 & linux environment. However, it works fine with 0.25.5 Neon. May be
its how SVN is making use of 0.26.1 changes that is the issue here, beyond
my skill set. I am trying to learn though.
b) please refer to http://svn.haxx.se/users/archive-2006-09/1336.shtml ...
not sure if this is happening due to Neon or Mod_auth_kerb .. however
mentioned here for ur reference.

> 1) Ability to disable default credential being passed.

please see Mozilla link above, the configuration layout, provides that. In
case of Negotiate, 'only' default credential, in form of Kerb token, are
provided.

> 2) Ability to pass alternate credentials but still use SSPI

        I doubt if its gonna be possible in case support is Negotiate/GSSAPI
only. Usually this is provided by external helpers such as 'runas', 'sudo',
'kinit', etc.

> 3) Ignore SSPI challenge all together
> 4) Ability to have separate proxy, server credentials???

e.g., open Pref.js in ur Firefox profile (or go to URL about:config) and
search for Auth :) I would have posted a link to google.com/codesearch page
for that, however, not sure what policies we have regarding quoting external
code.

> 5) Issue with GUEST credentials being used

regards

Samay

----- Original Message -----
From: "Vladimir Berezniker" <vmpn@hitechman.com>
To: "Mark Phippard" <markp@softlanding.com>
Cc: "C. Michael Pilato" <cmpilato@collab.net>; <dev@subversion.tigris.org>;
"Stefan Küng" <tortoisesvn@gmail.com>
Sent: Friday, October 13, 2006 12:14 AM
Subject: Re: On backporting r21531 to 1.4.x.

Resending this as original did not seem to reach the list.

> "C. Michael Pilato" <cmpilato@collab.net> wrote on 10/09/2006 04:01:28 PM:
>
>> Uh. Hm. Can you perhaps rephrase this bit, then? I obviously missed
>> it the first time around.
>>
>> (that's also why I think the current (trunk) behavior of Subversion
>> should be improved: avoid the option in the configuration file but
>> after the first authorization failure and reauthenticate again but
>> this time with SSPI disabled).
>
> I think the only issue should be whether the current way this works is
> deemed a bug with a high enough severity to backport to an existing
> release. I happen to think it is.
>
> Once that is agreed to, then whatever the best solution is, regardless as
> to whether it involves adding a new config option, should be used. Having
> a client authenticate, fail authorization and then reauthenticate does not
> strike me as an ideal solution. Won't this happen over and over again?
> Having an option to just turn the feature off seems better to me and I do
> not see what negative impact this has on existing 1.4 users.
>
> Mark
>
>
Hello everyone,

I am the guy who originally contributed the SSPI support to neon, and I
would like to get it working right for majority of the users.

A possible plan of attack would be:
    * Clearly define what SSPI issues are
    * Agree if there are neon API changes needed. Driven by users such as
Subversion/TSVN
    * Clear those changes with Joe Orton (if any)
    * Implement, test, repeat...

The SSPI issues as I understood so far are:

    1) Ability to disable default credential being passed.
    2) Ability to pass alternate credentials but still use SSPI
    3) Ignore SSPI challenge all together
    4) Ability to have separate proxy, server credentials???
    5) Issue with GUEST credentials being used

Please let me know if I missed anything.

I have a good idea about how to deal with the first four (4). I need to
research the GUEST issue, so any relevant info will be appreciated.

At a first glance, it seems the current flag in neon can only solve #3,
but I need to check the code to be sure.

For the Subversion/TSVN team,

What kind of API in neon would make it cleanest for you to work with SSPI?

Regards,

Vladimir

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org
Received on Mon Oct 16 01:08:01 2006

This is an archived mail posted to the Subversion Dev mailing list.