[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: TSVN does not support NTLM authentication

From: Adrian Wilkins <adrian.wilkins_at_gmail.com>
Date: 2007-12-06 20:43:12 CET

Stefan Küng wrote:
> Wyss Clemens (Helbling Technik) wrote:
>
>>> neon 0.26 has sspi authentication disabled
>>> for http connections. You must use https to
>>> get sspi authentication.
>>>
>> why?
>>
>
> For security reasons: NTLM is not secure over http.
>
>
>> Any plans to "relax" this dependency again?
>>
>
> I don't think the neon devs will ever do that.
>
> Stefan
>
>
On the other hand, it would appear to be very small patch to the neon
source to "(un) fix" it. Maybe a bit more if you wanted to be able to
configure it. For the typical use for NTLM auth, which is over a windows
LAN, I don't think it's such a huge thing ; people will more than likely
instead just be typing their network password into the auth box, which
then sends it across the network via Basic auth! I know this is the way
I have mine configured (yes, yes, I should be using SSL). If you want,
you could always build it yourself (it's not hard to figure out which
code to change). I did find a post...

http://osdir.com/ml/web.webdav.neon.general/2006-12/msg00039.html

.. which suggests you can override this behaviour through the API (at
the 0.26 level anyway).

This seems to have gone into the SVN sources at r21531, so it's
supported in 1.4.2 clients upwards. It looks as simple as editing your
servers file, creating a group for servers which you use SSPI for, and
adding the appropriate http-auth-types = basic;digest;negotiate to the
config.

I confess though, I've yet to get this to work. mod_sspi works fine at
authenticating the user against the domain, using their domain password,
but I can't get it to work seamlessly ; so I have to resort to using the
"Basic" passthrough feature. (SSPIOfferBasic On). Which means passwords
in plaintext.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tortoisesvn.tigris.org
For additional commands, e-mail: dev-help@tortoisesvn.tigris.org
Received on Thu Dec 6 20:43:24 2007

This is an archived mail posted to the TortoiseSVN Dev mailing list.

This site is subject to the Apache Privacy Policy and the Apache Public Forum Archive Policy.