Re: "Windows Authentication" Was: "Credentials Caching - Security Guy Not Happy" from users list

On Thu, 2004-08-26 at 14:04, Steve Dwire wrote:
> [cross-posting to dev]

I've taken this back to the users list, because I don't think we're
really at the point of proposing a change to Subversion.

> With SQL Server and the Query Analyzer client, I can log on using
> “Windows Authentication”, and the server somehow magically accepts the
> credentials I used to log in to the system. I don’t have to re-type my
> domain logon and password, and it’s not cached anywhere. IIS and
> Internet Explorer have some means of exchanging those credentials as
> well – if everything’s configured “properly.”

This is most likely done using Kerberos, if I understand correctly. If
I'm right, then your local machine caches a credentials file which is
valid for a limited amount of time, and does not contain your password.

There exists a standard for performing Kerberos authentication over
HTTP, and it's implemented by an Apache httpd module as well as some web
browsers (IE, Mozilla). But neon, our HTTP client library, doesn't
implement it currently. So one option would be to look into
implementing this in neon.

There are also vague plans to add Kerberos authentication support (among
other forms of authentication) to svnserve, using a SASL
implementation. But they've been stalled for a while.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Received on Thu Aug 26 20:17:53 2004