On Westhost, an Internet managed hosting provider, svnserve's internal
authentication never succeeded. Always, on the client computer, entering the
command, "svn checkout" with the protocol, "svn://" gave the message,
"Internal server error in authentication". The "strace" command helped
determine the cause: "/dev/random" was accessible only to the "root" user!
I will complain to Westhost, but others, similarly using managed hosting,
may benefit from this post. Below is an extract from irc.freenode.net's
#svn channel log of 2005-06-21:
[23:04] <gs-> Authentication by svnserve on RedHat 7.3 asks twice for a
spurious, blank (' ') user's password, then rejects the request (svn says
'Internal server error in authentication'). Svnserve is version 1.1.4
(r13838). Svnserve is on one host; svn is on another (both Windows ME and
Knoppix) communicating using svn:// . Svn first asks for, and I give it, a
user name in the file, passwd, that Svnserve looks in. Svn behaves the same
whatever username I enter.
[23:10] <sarnold> gs-: do you have any odd characters in the authentication
[23:10] <gs-> I wish I did, but I am editing using pico through Putty on the
RedHat remote host, and I don't think I do. I just copied it to the screen
using cat and it doesn't look so. How could I do a hex dump?
[23:12] <sarnold> gs-: od -x or hexdump -c are both useful, iirc
[23:14] <gs-> I am using the basic svnserve authentication. I just tried
three bad usernames with no such message. I dumped the hex and found no odd
characters in the authentication file.
[23:18] <sarnold> gs-: are line endings correct for the platform?
[23:18] <gs-> The platform is RedHat 7.3, and the line endings are \n.
However, the line endings I type dynamically in answer to svn's prompts are,
on Windows ME, \r carriage return x0d I suppose svn gives the right
thing, because my friend on Knoppix gets the same error accessing the RedHat
7.3 svnserve from Knoppix.
[23:22] <sarnold> gs-: yeah, i was ust curious that if the file was on
windows, that it shld have CRLF, but if it is onlinux, it should have ...
whichever single one linux shold have ;)
[23:23] <gs-> I can read without authentication; I would just like to
require myself and my friend to authenticate so we can keep track of who
made each commit. I have researched this twice-spurious request for the
password of the 'blank' user and found people complaining of it, but no
solutions. Is anybody running the new subversion, version 1.2 with the
basic, svnserve authentication? On Debian would be good for me, also.
[23:27] <sarnold> gs-: could you run apache2 and use mod_dav_svn? :)
[23:29] <gs-> sarnold, thanks, but I don't think I can on this managed
hosting service. (Linux/Unix uses "newline," which equals ASCII linefeed,
[23:30] <sarnold> gs-: I'm blessed that \n Does The Right Thing :) I can
just never remember if that is CR or LF :) hehe. bugger about that 7.3
[23:32] <gs-> sarnold, I think I read that Tigris refuses to respond to bugs
before version 1.2, yet 1.2 has lots of up-to-date libraries not on RedHat
7.3. I wish they would make the simple, svnserve authentication work so
people (I) can host on the web for my friend.
[23:33] <sarnold> gs-: have you straced or ltraced the svnserve process yet?
[23:34] <gs-> sarnold, that sounds nice to try; is strace done by using a
pre-compiled development version? I don't have a compilation environment.
[23:36] <sarnold> gs-: strace -o /tmp/svnadmin.out -p <pid of svnserve
[23:36] <gs-> sarnold, thanks, ltrace: what's the difference?
[23:37] <sarnold> gs-: strace reports systemcalls; ltrace reports some
library calls. They give different views into what happens inside a program
without having to go to a full-blown debugger like gdb or reading the source
[23:43] <gs-> sarnold, I got, ltrace command not found, but strace at last
said, "accept (3 <unfinished ...>".
[23:46] <sarnold> gs-: ok, cool, now on your client, connect. (accept() is
waiting for a tcp/ip connection)
[23:50] <gs-> sarnold, when I start the svn checkout command, svnserve
starts a child process. I suppose I should strace that one.
[23:50] <sarnold> gs-: nuts! :) oh well. you can use strace -Ff -o
/tmp/svnserve.out -p <pid of svnserv>
[23:55] <gs-> sarnold, svnserve gets permission denied trying to read
/dev/random. So do I when I try "head /dev/random" . Its owner is root.
[23:57] <sarnold> gs-: yuck, that's no good. sussman: why is svn using
/dev/random? why isn't /dev/urandom sufficient?
[23:57] <sussman> it's not svn doing it, it's apr. Tell apr to use
/dev/urandom instead by configuring it --with-devrandom=/dev/urandom . I
[23:58] <sarnold> sussman: oh, keen. thanks
[23:58] <gs-> sarnold, well, there is no world read access in its mode, just
user, I think: "crw----------" that was 7 dashes.
[23:58] <sussman> but... any user should be able to read /dev/random .
That's a general system service. your unix perms are wonky.
[23:58] <sarnold> gs-: sussman's right; file a bugreport with your ISP
[23:58] <sussman> the only time we tell people to rebuild apr to use
/dev/urandom is on buggy OSes, like freebsd 4.x. On those systems, reading
from /dev/random will sometimes block forever because the kernel is waiting
for 'quality entropy' to come in.
[23:59] <sarnold> sussman: headless linux might block for a very
inconvenient amount of time.
[00:00] <gs-> sussman and sarnold, thanks. BTW, "head /dev/urandom"
accessed and read okay. May I ask what APR is?
[00:01] <sarnold> gs-: apache portable runtime library. many nice
high-quality pre-debugged utility routines
[00:01] <sussman> it's the main portability library that both apache and
subversion depend on to run on different OSes
[00:02] <gs-> sussman, oh, good! perhaps I will upgrade it a little. Sarnold
and sussman, thank you both very truly and much. I really feel good, knowing
this sufficient cause, and also having learned strace. :-):-)
[00:05] <sussman> heh
[00:05] <sarnold> gs-: are you sure the /dev/random error is the cause of
[00:08] <gs-> sarnold, the strace was very informative, immediately after
attempting /dev/random access including the same error message I got on the
client, svn side, 'failure ( 39:Internal server e"..., 59) = 59'.
[00:08] <sarnold> gs-: oh, cool, that's nice and convincing :)
[00:09] <gs-> sarnold, actually, the matching text was just, "Internal
server e". The client side said, "Authentication error from server: Internal
server error in authentication."
[00:10] <sarnold> gs-: strace doesn't show you everything; check out the -s
[00:11] <gs-> sarnold, -s string size, thanks. I think I would like to try a
quick test on another Linux system and it may work easily for me. I don't
see forums very conveniently on the subversion.tigris site. I see the issue
tracker, but searching on "authentication" or "internal" gives no result.
At this point, I would like to find or add this issue. You know, to help
others. Is the Tigris bug-tracking system discouraging of people's (my)
doing that easily?
[00:18] <sarnold> gs-: maye a note to the users@ mail list
[00:19] <gs-> sarnold, if that is best, I will collect lines from this log
and post to that mailing list. Is the issues forum not as used?
[00:20] <sussman> the mailing list is the first-line 'filter' for
bugtracker. If the developers on the mailing list say it's a real bug, then
they'll ask you to file it, but always report to list first.
[00:21] <gs-> sussman, okay, thanks.
To unsubscribe, e-mail: firstname.lastname@example.org
For additional commands, e-mail: email@example.com
Received on Thu Jun 23 03:36:03 2005