[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: svnserve and sasl cross-realm (was: svnserve and ldap status ?)

From: Alec Kloss <alec.kloss_at_oracle.com>
Date: 4 May 2010 10:38:00 -0500

On 2010-05-04 16:22, Stefan Sperling wrote:
> On Tue, Mar 23, 2010 at 10:16:25PM +0100, Stefan Sperling wrote:
> > On Tue, Mar 23, 2010 at 03:58:50PM -0500, Alec Kloss wrote:
> > > Now please see attached.
> >
> > Thanks. I'll try to look at this soon.
> >
> > I've also downloaded a couple of related RFCs (e.g. RFC4422) for reference,
> > as well as cyrus-sasl source code -- the binaries are already installed cause
> > sendmail uses them, but I've never used SASL for anything other than smtp
> > auth with sendmail, and that is pretty simple to set up.
>
> I've given this a look today.
>
> The SASL documentation mentions that cross-realm support depends on
> the application, so your approach at solving the problem in Subversion
> is correct.
>
> What worries me is that your patch to the SASL gssapi module is needed
> to make use of cross-realm authentication with Kerberos.
> It seems the SASL developers have not responded to your patch (at least
> they did not respond publicly):
> http://asg.andrew.cmu.edu/archive/message.php?mailbox=archive.cyrus-sasl&msg=9372
> Do you have an idea about whether the patch will be applied to SASL?
>
> Is there any useful purpose for cross-realm authentication without
> using Kerberos? If so, can you suggest a way for me to test this
> without patching SASL? If not, I'd rather wait for your gssapi patch
> to be included in SASL before adding support for this to Subversion.
> We can't require all users to patch SASL...
>
> (The gssapi patch in the script you attached is reversed, BTW.)

Thanks for taking time to look.

The GSSAPI patch to SASL is to work around issues with canonicalization
of hostnames. It's only required for my test script to work; it is
possible to make GSSAPI cross-realm work without it but requires either
careful DNS configuration (ie. the dns name the client uses to access
subversion must match what gethostname(2) returns on the machine running
the Subversion server) or a bit of configuration to get the KDC to
produce a "referral" for the correct name. As I recall, KDC referrals
were added to heimdal in 1.3 (but only for the hdb datastore, not the
ldap datastore).

Generally speaking, even though Cyrus SASL hasn't uptaken the idea of
using GSS_C_NO_NAME or a configurable service host name, the heimdal
folks at least think something along those lines is a good idea. Sadly,
I haven't seen much sign of life from Cyrus SASL lately.

I'm happy to help try to set up a configuration that will demonstrate
the issue without patching Cyrus SASL. It'll just require a "real"
Kerberos realm to do it.

-- 
Alec.Kloss_at_oracle.com			Oracle Middleware
PGP key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xEBD1FF14

  • application/pgp-signature attachment: stored
Received on 2010-05-04 17:38:34 CEST

This is an archived mail posted to the Subversion Dev mailing list.