
Re: Client authentication with Kerberos ticket

From: D.J. Heap <djheap_at_gmail.com>
Date: 2006-12-20 17:15:37 CET

On 12/20/06, Yves Martin <yves.martin@elca.ch> wrote:
[snip]
> The answer is yes (if SSL) but no (if not SSL) !
>
> Reading the code neon/src/ne_auth.c (around line 1050),
> the SSPI/Negotiate or SSPI/NTLM or Digest
> or Basic methods are tried whatever the http/https mode.
>
> BUT the GSSAPI/Negotiate is only tried with SSL ?
> Why ? Is GSSAPI over http less secure than Basic over http ?
>

I'm not an auth expert, but my understanding is that they are not
really secure over http. Why BASIC is allowed and the others are not
is because (I think) everyone knows that BASIC isn't secure, but the
others imply safety where there really isn't any.

In any case, the next major release of Subversion will include a
config option to turn them on over http if you really want to.

DJ

Received on Wed Dec 20 17:59:28 2006

This is an archived mail posted to the Subversion Users mailing list.
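
A model of the scheme-selection policy discussed in this thread, added here as an example; it is not neon's or Subversion's code. The function names, the `AUTH_*` bits, the preference order and the sample challenges are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Scheme bits; names are hypothetical, not neon's. */
enum { AUTH_BASIC = 1, AUTH_DIGEST = 2, AUTH_NEGOTIATE = 4 };

/* Map the scheme token that starts a WWW-Authenticate value to its bit. */
static unsigned scheme_bit(const char *challenge)
{
    static const struct { const char *name; unsigned bit; } known[] = {
        { "Negotiate", AUTH_NEGOTIATE }, { "Digest", AUTH_DIGEST }, { "Basic", AUTH_BASIC },
    };
    size_t len = strcspn(challenge, " \t");
    for (size_t i = 0; i < sizeof known / sizeof known[0]; i++)
        if (strlen(known[i].name) == len && strncasecmp(challenge, known[i].name, len) == 0)
            return known[i].bit;
    return 0; /* unknown scheme: never selected */
}

/* Policy from the thread: Negotiate is skipped on plain http unless the
 * caller opts in; Basic and Digest are tried on either transport. */
unsigned allowed_schemes(int is_tls, int opt_in)
{
    return AUTH_BASIC | AUTH_DIGEST | ((is_tls || opt_in) ? AUTH_NEGOTIATE : 0);
}

/* Pick one offered scheme the policy allows (assumed preference order:
 * Negotiate, Digest, Basic); returns 0 when nothing usable was offered. */
unsigned select_scheme(const char *const *offers, size_t n, int is_tls, int opt_in)
{
    unsigned offered = 0;
    for (size_t i = 0; i < n; i++)
        offered |= scheme_bit(offers[i]);
    offered &= allowed_schemes(is_tls, opt_in);
    if (offered & AUTH_NEGOTIATE) return AUTH_NEGOTIATE;
    if (offered & AUTH_DIGEST) return AUTH_DIGEST;
    return offered & AUTH_BASIC;
}

/* Constructed sample: two challenges from one 401 response. */
static const char *const sample[] = { "Negotiate", "Basic realm=\"svn\"" };

int main(void)
{
    printf("https=%u http=%u http+opt-in=%u\n", select_scheme(sample, 2, 1, 0),
           select_scheme(sample, 2, 0, 0), select_scheme(sample, 2, 0, 1));
    return 0;
}
```

With the sample challenges, the plain-http case resolves to Basic because Negotiate is filtered out before selection, which is the situation the original question describes.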