
Re: Moving away from plain-text passwords in the server-side passwd file

From: Mark Phippard <markphip_at_gmail.com>
Date: Wed, 21 May 2008 12:40:53 -0400

On Wed, May 21, 2008 at 12:12 PM, Eric Gillespie <epg_at_pretzelnet.org> wrote:
> "Mark Phippard" <markphip_at_gmail.com> writes:
>> The reality is that you do not have to spend very long really trying
>> to use Cyrus SASL to see that it is pretty half-assed. In particular
>> its support for Windows is virtually non-existent.
> The former does not follow from the latter.

I was using Windows as an easy example and I do think it is pretty
significant. The documentation is poor overall and it is not clear
what pieces are fully implemented and how you use them. Especially
across platforms.

>> So while I think we have done the right thing in not inventing our own
>> security, I am not sure that SASL is really the answer either.
> And what is?
> Cyrus SASL is a good answer, and those who seek Windows support
> should step up and provide it. From what I've seen poking inside
> Cyrus SASL, it's not heinously Unix-specific; I think it just
> lacks testing and maintenance on Windows.

I agree with this. I am simply saying that we have led users to
believe that this is the answer for all svnserve authentication
options. I think it is probably our only hope but it is clear that
Cyrus SASL needs work. It is also not at all clear to me how you
could build support for Windows authentication using the auth
mechanisms we support. It would be doable to write code that
validates a username and password received from a client, but for this
to work those have to be sent in the clear over the network. Those
options are turned off in Subversion. Our docs say it is because we
do not use TLS. If the server does not know the plaintext password
for a user then you cannot use CRAM-MD5 or DIGEST-MD5 auth mechanisms.
I am not sure if Kerberos could be used or not, but that is another
area where Windows support is weak.

I am basically saying we need to be clear what you can actually do
with SASL today.

Mark Phippard
To unsubscribe, e-mail: dev-unsubscribe_at_subversion.tigris.org
For additional commands, e-mail: dev-help_at_subversion.tigris.org
Received on 2008-05-21 18:41:06 CEST
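The trade-off described in the message above (a challenge-response mechanism such as CRAM-MD5 can only be verified by a server that holds the password itself, while a server holding only a one-way hash can check nothing but a password sent over the wire) can be shown in a few lines. This is an added example, not code from this thread, from Subversion or from Cyrus SASL; the two credential stores, the salt, the hostname and the user name are constructed, and svnserve's real passwd-file handling is not modelled.

```python
import hashlib
import hmac
import secrets

# Constructed sample credential stores (not svnserve's real passwd format).
# PLAIN_STORE keeps the password itself, as a plain-text passwd file does;
# HASHED_STORE keeps only a salted one-way hash of it.
SALT = b"constructed-salt"
PASSWORD = "correct horse"
PLAIN_STORE = {"alice": PASSWORD}
HASHED_STORE = {"alice": hashlib.sha256(SALT + PASSWORD.encode()).hexdigest()}


def make_challenge(hostname="svn.example.test"):
    """Server side: a fresh CRAM-MD5 challenge (RFC 2195 shape: <unique@host>)."""
    return f"<{secrets.token_hex(8)}@{hostname}>"


def cram_md5_response(username, password, challenge):
    """Client side: HMAC-MD5 keyed with the password, over the server's challenge."""
    digest = hmac.new(password.encode(), challenge.encode(), hashlib.md5).hexdigest()
    return f"{username} {digest}"


def verify_cram_md5(store, challenge, response):
    """Server side: recompute the HMAC, which needs the password itself.

    This only works against a store like PLAIN_STORE. With HASHED_STORE the
    HMAC key cannot be recovered from the stored value, so a server holding
    only hashes can never verify a CRAM-MD5 response.
    """
    username, _, digest = response.partition(" ")
    password = store.get(username)
    if password is None:
        return False
    expected = hmac.new(password.encode(), challenge.encode(), hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)


def verify_plain_mechanism(store, username, password_in_clear):
    """Server side for a PLAIN-style mechanism against a hash-only store.

    The server can check the password only because the client sent the
    password itself, so the connection must be protected (for example by
    TLS) for this to be acceptable.
    """
    stored = store.get(username)
    if stored is None:
        return False
    candidate = hashlib.sha256(SALT + password_in_clear.encode()).hexdigest()
    return hmac.compare_digest(stored, candidate)


if __name__ == "__main__":
    challenge = make_challenge()
    response = cram_md5_response("alice", PASSWORD, challenge)
    print("CRAM-MD5 with plaintext store:", verify_cram_md5(PLAIN_STORE, challenge, response))
    print("PLAIN with hashed store:      ", verify_plain_mechanism(HASHED_STORE, "alice", PASSWORD))
```

A response is bound to one challenge, so a captured response does not verify against a later challenge; that replay resistance is what the challenge-response design buys, and it is exactly what costs the server a plaintext (or password-equivalent) secret. DIGEST-MD5 relaxes this only slightly: the server may store MD5(username:realm:password) instead of the password, but that value is still password-equivalent for that realm, not a salted one-way hash, so it does not remove the constraint discussed in the thread.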

This is an archived mail posted to the Subversion Dev mailing list.
