
Re: svnserve SASL documentation?

From: Vlad Georgescu <vgeorgescu_at_gmail.com>
Date: 2007-04-10 23:23:50 CEST

Eric Gillespie wrote:
> "Vlad Georgescu" <vgeorgescu@gmail.com> writes:
>
>> On 4/10/07, David Anderson <dave@natulte.net> wrote:
>>> On 4/10/07, Eric Gillespie <epg@pretzelnet.org> wrote:
>>>> Can someone who worked on adding SASL support to svnserve update
>>>> the man pages to explain how to use it? The comments in the
>>>> svnserve.conf in a new repository are less than helpful:
>>> I didn't do anything with SASL other than follow the development, but
>>> my understanding is that most of the actual configuration takes place
>>> in /etc/sasl, where Cyrus SASL stores one config file per server with
>>> SASL support. The values in svnserve.conf just specify "Yes, ask Cyrus
>>> to handle SASL", and the min/max encryption values will act as a
>>> filter to Cyrus SASL as it tries to decide what authentication
>>> mechanism it should use, if it has a choice between several.
>>>
>>> For the rest, we need a sample /etc/sasl/subversion.conf. If my
>>> explanation was correct, that is.
>> That sounds about right. To clarify, the place where SASL looks for
>> its configuration files is distro-dependent, it might be /etc/sasl,
>> but it's usually /usr/lib/sasl2.
>
> What does a sample subversion.conf look like? After poking
> around in the html pages that came with cyrus sasl, i created
> /usr/lib/sasl2/subversion.conf (i had to find where to put it
> with strace, but i understand now that's a distro problem, sigh)
> with just this line:
>
> pwcheck_method: saslauthd
>
> saslauthd seems to be running, and i restarted svnserve (and
> strace shows that it's reading my subversion.conf), but in
> /var/log/auth.log i see it's still trying to read /etc/sasldb2 .
>

saslauthd expects plaintext passwords, which means the passwords must
travel over the wire in plaintext. This would only be OK if we
supported SSL, which we currently don't, so plaintext mechanisms are
currently disabled. I could enable them again, if people think that's a
good idea.

-- 
Vlad
Received on Tue Apr 10 23:24:11 2007
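
An added example, not part of the original message and not Subversion or Cyrus SASL code: a small lint for a Cyrus SASL application config such as subversion.conf that flags the mismatch described in the reply, where `pwcheck_method: saslauthd` needs a plaintext mechanism the server has disabled. The `server_allows_plaintext` switch, the finding names and the second sample config are assumptions made for illustration.

```python
# Added example: lint a Cyrus SASL application config such as subversion.conf.
PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}  # mechanisms that send the password itself

# The one-line config quoted in the thread.
THREAD_CONF = "pwcheck_method: saslauthd\n"
# Constructed sample (assumption): shared-secret setup backed by sasldb.
SASLDB_CONF = """\
# constructed sample
pwcheck_method: auxprop
auxprop_plugin: sasldb
mech_list: DIGEST-MD5
"""


def parse_sasl_conf(text):
    """Parse 'key: value' lines, skipping blanks and '#' comments."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, value = line.split(":", 1)
        opts[key.strip().lower()] = value.strip()
    return opts


def lint(text, server_allows_plaintext=False):
    """Return finding codes. server_allows_plaintext is a hypothetical switch
    modelling the server policy in the message (plaintext mechanisms off)."""
    opts = parse_sasl_conf(text)
    method = opts.get("pwcheck_method", "auxprop").lower()  # Cyrus default
    mechs = {m.upper() for m in opts.get("mech_list", "").split()}
    findings = []
    if method == "saslauthd":
        # saslauthd is handed a cleartext password, so only PLAIN/LOGIN can use it.
        if not server_allows_plaintext:
            findings.append("saslauthd-unusable-without-plaintext")
        if mechs - PLAINTEXT_MECHS:
            findings.append("mech-list-not-verifiable-by-saslauthd")
    if mechs & PLAINTEXT_MECHS and not server_allows_plaintext:
        findings.append("plaintext-mech-listed-but-disabled")
    return findings


if __name__ == "__main__":
    for name, conf in (("thread", THREAD_CONF), ("sasldb", SASLDB_CONF)):
        print(name, lint(conf) or "ok")
```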

This is an archived mail posted to the Subversion Dev mailing list.