
Re: sasl mechanisms order

From: Daniel Shahaf <d.s_at_daniel.shahaf.name>
Date: Mon, 26 Jul 2010 09:30:55 +0300

CC += dev@

Victor Sudakov wrote on Mon, Jul 26, 2010 at 12:53:44 +0700:
> Daniel Shahaf wrote:
> > >
> > > I have the following line in /usr/local/lib/sasl2/svn.conf:
> > > mech_list: gssapi digest-md5 anonymous
> > >
> > > How can I guarantee that the subversion client/server will always use
> > > GSSAPI before DIGEST-MD5? Or a more generic question, how can I change
> > > the order of mechanisms if I have to?
> > >
> >
> > Looking at subversion/libsvn_ra_svn/{client.c,cyrus_auth.c}, it seems that the
> > following order is used:
> >
> > * EXTERNAL (i.e., ssh tunnel)
> > * ANONYMOUS
> > * ${server-reported mechanisms, in the order suggested by the server}
> > * CRAM-MD5 (used via internal_auth.c even if SASL doesn't support it)
> >
> > I don't see a knob that lets you manipulate the order.
>
> Then how can I manipulate "the order suggested by the server"? The
> server is svnserve.
>

Looking in subversion/svnserve/cyrus_auth.c, the list of mechanisms is obtained
directly from SASL:

    [[[
    /* Get the list of mechanisms. */
    result = sasl_listmech(sasl_ctx, NULL, NULL, " ", NULL,
                           &mechlist, NULL, &mech_count);

    if (result != SASL_OK)
      return fail_cmd(conn, pool, sasl_ctx);

    if (mech_count == 0)
      {
        svn_error_t *err = svn_error_create(SVN_ERR_RA_NOT_AUTHORIZED, NULL,
                                            _("Could not obtain the list"
                                            " of SASL mechanisms"));
        SVN_ERR(write_failure(conn, pool, &err));
        return svn_ra_svn_flush(conn, pool);
      }

    /* Send the list of mechanisms and the realm to the client. */
    SVN_ERR(svn_ra_svn_write_cmd_response(conn, pool, "(w)c",
                                          mechlist, b->realm));
    ]]]

so you'd have to look up in the SASL docs how to configure the ordering of
mechanisms. (I don't know offhand how to configure that.)

What bothers me, however, is why the svn_ra_svn_write_cmd_response() call
seems to write only the first mechanism to the client?
Received on 2010-07-26 08:32:39 CEST
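
An added example (not part of the original mail and not Subversion code): a Python model of the client attempt order listed in the quoted reply, applied to the `mech_list` line from the thread, to show which mechanisms would be attempted ahead of GSSAPI. The function names, the `preferred` parameter, and the rule that EXTERNAL and ANONYMOUS are attempted only when the server offers them are assumptions of this example.

```python
import re

# Constructed sample input: the mech_list line quoted in the thread.
SAMPLE_CONF = "# /usr/local/lib/sasl2/svn.conf\nmech_list: gssapi digest-md5 anonymous\n"


def parse_mech_list(conf_text):
    """Return the mechanisms of the 'mech_list:' option, upper-cased, in file order."""
    for line in conf_text.splitlines():
        if line.lstrip().startswith("#"):
            continue  # skip comment lines
        m = re.match(r"\s*mech_list\s*:\s*(.*)$", line, re.IGNORECASE)
        if m:
            return [tok.upper() for tok in m.group(1).split()]
    return []


def client_attempt_order(server_mechs):
    """Model of the order given in the thread:
    EXTERNAL, ANONYMOUS, server-reported mechanisms in server order, CRAM-MD5."""
    offered = list(dict.fromkeys(server_mechs))  # de-duplicate, keep order
    # Assumption: EXTERNAL and ANONYMOUS are attempted only if the server offers them.
    order = [m for m in ("EXTERNAL", "ANONYMOUS") if m in offered]
    order += [m for m in offered if m not in order]
    if "CRAM-MD5" not in order:
        order.append("CRAM-MD5")  # per the thread: used via internal_auth.c
    return order


def audit(conf_text, preferred="GSSAPI"):
    """Return (attempt order, findings) for the mechanism the admin wants used first."""
    order = client_attempt_order(parse_mech_list(conf_text))
    findings = []
    if preferred not in order:
        findings.append(f"{preferred} is not offered at all")
    else:
        earlier = order[:order.index(preferred)]
        if earlier:
            findings.append(f"{', '.join(earlier)} attempted before {preferred}")
    return order, findings


if __name__ == "__main__":
    order, findings = audit(SAMPLE_CONF)
    print("attempt order:", " -> ".join(order))
    for f in findings:
        print("finding:", f)
```

Under this model, reordering `mech_list` does not move ANONYMOUS behind GSSAPI; only removing `anonymous` from the list does.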

This is an archived mail posted to the Subversion Dev mailing list.