
Re: Subversion and SSPI

From: Stefan Küng <tortoisesvn_at_gmail.com>
Date: 2007-06-05 17:33:46 CEST

Adrian Wilkins wrote:
> On 04/06/07, Rich <rich.littlejohn@gmail.com> wrote:
>> Hi,
>> Sorry to contact you off-list but I saw your post on the TortoiseSVN
>> list entitled "Transparent SSPI Auth works in 7501, broken in 8645".
>> I'm not a subscriber so I can't reply on list but I ran into exactly
>> the same issue today. After digging around for quite a while I found
>> that the HTTP library that they use in TortoiseSVN (Neon) has disabled
>> SSPI Authentication for non-SSL connections - see here
>> (http://mailman.webdav.org/pipermail/neon/2006-December/002334.html)
>> for details. I've found that enabling SSL on
>> the server has got rid of those annoying logon prompts again.
>>
>
> That's a solution, but I don't fancy the tedium of getting all my
> users to change to https:// links or of setting up SSL on my apache
> install. It's an internal server and I really don't care too much
> about the insecure nature of NTLM over HTTP.

You're missing the point here.
NTLM requires SSL, if you like it or not. If you want automatic
negotiation (no username/pw prompt), then you need SSL - there's no way
around it.

SSPI means "Security Support Provider Interface". Notice the "Security"
in it.

> The trunk (1.5) has a new option for the servers file -
> http-auth-types , which allows you to control which auth types the
> Neon library uses on a per-server basis. That would be great for me
> but I can't really go to 1.5 yet because I'm working on projects that
> use 1.4 clients that have no 1.5 equivalent release yet. I had a look
> at the source and the devs have chosen not to backport this to the 1.4
> branch. The thread discussing this is
> http://svn.haxx.se/dev/archive-2006-10/0224.shtml - Joe Orton alludes
> to this in his post on the Neon list.

Choosing the auth types in 1.5 only means you can disable some auth
mechanisms if you don't like/need them.

> On the whole, I'm not too bothered - my users are used to using their
> NTLM credentials over Basic. I have a feeling that some patch that IT
> Services have inflicted on us may have broken mod_sspi on the server
> anyway because TSVN build 7501 has stopped working for me. It's just
> that niggling little splinter in your mind when something doesn't
> work... :-)
>
> I don't know whether setting http-auth-types = negotiate will force
> the use of SSPI over plain HTTP though. It would be nice to find that
> out.

It can't. SSPI requires SSL.

Stefan

-- 
        ___
   oo  // \\      "De Chelonian Mobile"
  (_,\/ \_/ \     TortoiseSVN
    \ \_/_\_/>    The coolest Interface to (Sub)Version Control
    /_/   \_\     http://tortoisesvn.net
Received on Tue Jun 5 17:33:56 2007
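
The interaction discussed in this thread, as an added example that is not part of the original mail and is not Subversion or Neon code: it resolves the `http-auth-types` value that applies to a host from a 1.5-style servers file, then drops `negotiate` for non-https URLs, which is the Neon behaviour the thread describes. The function names, the sample hostnames and the default used when the option is unset are assumptions.

```python
import configparser
from fnmatch import fnmatch
from urllib.parse import urlsplit

# Constructed sample of a "servers" file; the hostnames are made up.
SAMPLE_SERVERS = """
[groups]
internal = svn.corp.example, *.build.example

[global]
http-auth-types = basic;digest;negotiate

[internal]
http-auth-types = negotiate
"""

# Assumption: when the option is unset, every mechanism is allowed.
DEFAULT_TYPES = "basic;digest;negotiate"

def configured_auth_types(servers_text, host):
    """Return the http-auth-types list for host; a matching group overrides [global]."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.optionxform = str  # keep group names case-sensitive
    cfg.read_string(servers_text)
    section = "global"
    if cfg.has_section("groups"):
        for group, patterns in cfg.items("groups"):
            if any(fnmatch(host, p.strip()) for p in patterns.split(",")):
                section = group
                break
    raw = cfg.get(section, "http-auth-types", fallback=None)
    if raw is None:
        raw = cfg.get("global", "http-auth-types", fallback=DEFAULT_TYPES)
    return [t.strip().lower() for t in raw.split(";") if t.strip()]

def usable_auth_types(servers_text, url):
    """Mechanisms left for this URL once the scheme is taken into account."""
    parts = urlsplit(url)
    types = configured_auth_types(servers_text, parts.hostname)
    if parts.scheme != "https":
        # As stated in the thread: SSPI (negotiate) is not attempted without SSL.
        types = [t for t in types if t != "negotiate"]
    return types

if __name__ == "__main__":
    for url in ("https://svn.corp.example/repo", "http://svn.corp.example/repo"):
        print(url, usable_auth_types(SAMPLE_SERVERS, url))
```

An empty result for the `http://` URL means the restriction to `negotiate` leaves the client with no mechanism to offer, so transparent logon cannot happen on that connection.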

This is an archived mail posted to the TortoiseSVN Dev mailing list.
