[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: Can anyone help? Server was not authenticated correctly

From: Michael Zhou <zhouyuehong_at_21cn.com>
Date: 2007-08-10 09:24:51 CEST

hi Joe,

I really appreciate for your help.

This morning I tested the svn server according to your suggestions.

1. Turn off all anonymous access and see if the problem goes away; if not, revert.

I commented out the "Satisfy Any" to disable the anonymous access, and
the problem is still there

2. Turn off all anonymous access, strip down the svn access file to the bare
   bones and see if the problem goes away; if not revert.

I cleaned up the access file to allow only me to access. The problem
seems gone. But I'm not sure whether it is the real reason. Because
nobody but I can access the server, so maybe the situation is differenct
than normal case.

When I restored the access file, the problem's back.

I then changed the httpd.conf to use Basic auth instead of Digest auth,
and re-enabled the anonymous access because we need it. Configuration
is like this:

    <Location /repos>
        DAV svn
        SVNParentPath /home/svnadmin/repos
        SVNIndexXSLT http://svn.myhost.com/style.xsl

        AuthzSVNAccessFile /home/svnadmin/repos_access/access

        Satisfy Any
        Require valid-user

        #AuthType Digest
        #AuthName "subversion repository"
        #AuthDigestProvider file
        #AuthUserFile /home/svnadmin/repos_access/passwd

        AuthType Basic
        AuthName "subversion repository"
        AuthBasicProvider file
        AuthUserFile /home/svnadmin/repos_access/passwd_basic
    </Location>

After doing that, I restarted the apache server, and the problem seems
gone.

So I think Apache's mod_auth_digest caused this problem.

Use basic digest is ok to us except for its security risk. Maybe I
should consider ssl. But I still hope the digest auth can work for us
in future.

Thanks again.

> 3. Turn off all anonymous access, strip down the svn access file to the bare
> bones, remove all users but yourself from the svn access and password files,
> give yourself rw access to the entire repository and see if the problem goes
> away; if not revert.

> Hi Michael,
>
> Firstly, I'm not an expert on Digest Access Authentication - we use
> Certificates+SSL.
>
> However, here are some thoughts:
>
> For some reason, on presentation of your credentials the server is
> generating a digest response using a password that is not yours (the other
> ingredients going into this digest are very unlikely to change).
>
> Given that an md5 generator does not "just" decide to occasionally generate
> incorrect digests, you are left with the following possibilities (that I can
> see) in order of likelihood:
>
> 1. The password file is broken
> 2. The svn access file is broken
> 3. You are using some kind of load-balanced/failover apache front-end
> solution and there are multiple password files - which don't match
> 4. There is some kind of proxy server that's mangling the character set
>
> Here are some observations and questions to consider:
>
> 1. The problem is intermittent
> - what's your estimate regarding the frequency of success:failure
> ratio?
> - is there a pattern relating to where in the repository tree you
> are operating?
> - if you do nothing else but checkout->update->checkin/commit the
> same file repeatedly will you see the issue appear?
>
> 2. The cnonce (your hashed password) is the same in all the examples you
> give but so is the nonce_count - and that (hopefully) means you have cutting
> and pasting the same example in your emails (?).
> - can you look in your logs and check that the cnonce digest string
> is the same for both successful and failed access authentication
> negotiations?
> - can you check rspauth as well - it should be the same for all
> successful negotiations - and if you are lucky, the same for all
> unsuccessful negotiations.
>
>
> Here are some suggestions:
>
> 1. Turn off all anonymous access and see if the problem goes away; if not,
> revert.
> 2. Turn off all anonymous access, strip down the svn access file to the bare
> bones and see if the problem goes away; if not revert.
> 3. Turn off all anonymous access, strip down the svn access file to the bare
> bones, remove all users but yourself from the svn access and password files,
> give yourself rw access to the entire repository and see if the problem goes
> away; if not revert.
>
>
> Hope this helps
>
>
> Regards,
>
> Joe
>
>
> -----Original Message-----
> From: Michael Zhou [mailto:zhouyuehong@21cn.com]
> Sent: 9. august 2007 03:43
> To: Joe H-Grosse; users@subversion.tigris.org
> Subject: Re: Can anyone help? Server was not authenticated correctly
>
> Hi, Joe,
>
> Thanks for your reply.
>
> According to your suggestion, I re-ordered the svn directives in
> httpd.conf (list below), and the problem is still there.
>
> <Location /repos>
> DAV svn
> SVNParentPath /home/svnadmin/repos
> SVNIndexXSLT http://svn.myhost.com/style.xsl
>
> AuthzSVNAccessFile /home/svnadmin/repos_access/access
>
> Satisfy Any
> Require valid-user
>
> AuthType Digest
> AuthName "subversion repository"
> AuthDigestProvider file
> AuthUserFile /home/svnadmin/repos_access/passwd
> </Location>
>
> The apache error_log didn't show any problem, and the access_log shows
> all requests are succeeded (GET request returned 200, and PROPFIND
> request returned 207)
>
> So I guess the server works fine. It seems some MD5 digest doesn't
> match. I wonder what it is.
>
> Here list the neon debug log:
>
> ah_post_send (#0), code is 207 (want 401), WWW-Authenticate is (none)
> Auth-Info header:
> rspauth="b96e9e2643a40426e466d58b49fc4378",cnonce="8bcb2a16679f26796ea8ac8b8
> 357cd6b", nc=000001df, qop=auth
> Pair: [rspauth] = [b96e9e2643a40426e466d58b49fc4378]
> Pair: [cnonce] = [8bcb2a16679f26796ea8ac8b8357cd6b]
> Pair: [nc] = [000001df]
> Got nonce_count: 479
> Pair: [qop] = [auth]
> Calculating response-digest.
> Digesting qop-value [auth:].
> Calculated response-digest of: [ae162836b87c6f62297c0df454b3792a]
> Given response-digest of: [b96e9e2643a40426e466d58b49fc4378]
> Matched: nope
> Response authentication invalid.
> svn: PROPFIND request failed on
> '/repos/.../!svn/bc/11875/.../branches/20070731_....java'
> svn: PROPFIND of '/repos/.../!svn/bc/11875/.../branches/20070731_....java':
> Server was not authenticated correctly. (http://svn.myhost.com)
>
> >
> > Hi,
> >
> > What do your apaches logs tell you?
> >
> > I also note you have "Satisfy Any" enabled at the end of the Location
> block
> > as well as "Require valid-user" prior to it.
> > If you are not allowing anonymous access - then you should be able to
> > comment "Satisfy Any" out?
> > If you are - then in the manual (page 116 - Example 6.3) Satisfy Any" is
> > defined prior to "Require valid-user".
> >
> > The accompanying text to the example could indicate that there is an
> > overloading order that is assumed by subversion when using these
> directives
> > together.
> > You might try re-ordering the definitions and seeing if that clears things
> > up.
> >
> > If not then the issue may be in the definitions in the AuthzSVNAccessFile
> > and their ordering.
> >
> > Regards,
> >
> > Joe
> > -----Original Message-----
> > From: Michael Zhou [mailto:zhouyuehong@21cn.com]
> > Sent: 8. august 2007 09:56
> > To: users@subversion.tigris.org
> > Subject: Re: Can anyone help? Server was not authenticated correctly
> >
> > I don't change any svn client configurations at all.
> >
> > Below is my server's configuration. Most times it works fine:
> >
> > <Location /repos>
> > AuthType Digest
> > AuthName "subversion repository"
> > AuthDigestProvider file
> > AuthUserFile /home/svnadmin/repos_access/passwd
> >
> > Require valid-user
> >
> > DAV svn
> > SVNParentPath /home/svnadmin/repos
> > SVNIndexXSLT http://svn.myhost.com/style.xsl
> > AuthzSVNAccessFile /home/svnadmin/repos_access/access
> >
> > Satisfy Any
> > </Location>
> >
> > > Please paste your config here,
> > > or post a message to <http://www.iusesvn.com/bbs>www.iusesvn.com/bbs.
> > >
> > > On 8/8/07, Michael Zhou <<mailto:zhouyuehong@21cn.com>
> > zhouyuehong@21cn.com> wrote:
> > > > I posted this message 2 days ago, but no one replies me.
> > > >
> > > > In Subversion for windows, the error message is different than it is
> in
> > > > Linux: Digest mutual authentication failure: request-digest mismatch
> > > >
> > > > ----------------------- Original Message -----------------------
> > > > From: Michael Zhou <zhouyuehong@21cn.com>
> > > > To: users@subversion.tigris.org
> > > > Date: Mon, 06 Aug 2007 14:22:34 +0800
> > > > Subject: Server was not authenticated correctly
> > > > ----
> > > >
> > > > Dear all,
> > > >
> > > > I have a problem: my svn client randomly reports "Server was not
> > > > authenticated correctly" error. Most times it works fine, and
> > > > occasionally it exits with an error.
> > > >
> > > > Below is my environment information:
> > > >
> > > > Server-side:
> > > >
> > > > * RH Linux AS,
> > > > * SVN 1.4.4 with Apache 2.2.4,
> > > > * http protocol, authenticated with MD5 digest,
> > > > * repository type is fsfs.
> > > >
> > > > Client-side:
> > > >
> > > > * RH Linux | Windows
> > > > * SVN 1.4.4,
> > > > * neon 0.25.5
> > > >
> > > > I just opened the debug option of neon as metioned in the archived
> > > > mailing list.
> > > >
> > > > vi ~/.subversion/servers
> > > >
> > > > [global]
> > > > neon-debug-mask = 9
> > > >
> > > > Here is what neon prints on stderr:
> > > >
> > > > $ svn merge -r 11875:HEAD
> > http://svn.myhost.com/repos/.../branches/20070731_.../ .
> > > >
> > > > ...
> > > > ...
> > > >
> > > > ah_post_send (#0), code is 207 (want 401), WWW-Authenticate is (none)
> > > > Auth-Info header: rspauth="c9c7d7643a6db0006e66c358b4e313a7",
> > cnonce="8bcb2a16679f26796ea8ac8b8357cd6b", nc=000001de, qop=auth
> > > > Pair: [rspauth] = [c9c7d7643a6db0006e66c358b4e313a7]
> > > > Pair: [cnonce] = [8bcb2a16679f26796ea8ac8b8357cd6b]
> > > > Pair: [nc] = [000001de]
> > > > Got nonce_count: 478
> > > > Pair: [qop] = [auth]
> > > > Calculating response-digest.
> > > > Digesting qop-value [auth:].
> > > > Calculated response-digest of: [c9c7d7643a6db0006e66c358b4e313a7]
> > > > Given response-digest of: [c9c7d7643a6db0006e66c358b4e313a7]
> > > > Matched: YES!
> > > > ah_create, for WWW-Authenticate
> > > > Handling auth session.
> > > > Nonce count is 479, nc is [000001df]
> > > > H(A2): 61de4dcc5a3ecaeaad7cc852c10ea12e
> > > > Calculating Request-Digest.
> > > > Have qop directive, digesting:
> > [000001df:8bcb2a16679f26796ea8ac8b8357cd6b:auth]
> > > > Digest request header is Digest username="fanziwen",
> realm="subversion
> > repository", nonce="BW3AzwA3BAA=a3a4e2fc6bcddc1a8d4771a052e6806a9a762de8",
> > uri="/repos/.../!svn/bc/11875/.../branches/20070731_....java",
> > > > response="407b46bacdf2a7745bd67915dc606f1f", algorithm="MD5",
> > > > cnonce="8bcb2a16679f26796ea8ac8b8357cd6b", nc=000001df, qop="auth"
> > > >
> > > > ah_post_send (#0), code is 207 (want 401), WWW-Authenticate is (none)
> > > > Auth-Info header: rspauth="b96e9e2643a40426e466d58b49fc4378",
> > cnonce="8bcb2a16679f26796ea8ac8b8357cd6b", nc=000001df, qop=auth
> > > > Pair: [rspauth] = [b96e9e2643a40426e466d58b49fc4378]
> > > > Pair: [cnonce] = [8bcb2a16679f26796ea8ac8b8357cd6b]
> > > > Pair: [nc] = [000001df]
> > > > Got nonce_count: 479
> > > > Pair: [qop] = [auth]
> > > > Calculating response-digest.
> > > > Digesting qop-value [auth:].
> > > > Calculated response-digest of: [ae162836b87c6f62297c0df454b3792a]
> > > > Given response-digest of: [b96e9e2643a40426e466d58b49fc4378]
> > > > Matched: nope
> > > > Response authentication invalid.
> > > > svn: PROPFIND request failed on
> > '/repos/.../!svn/bc/11875/.../branches/20070731_....java'
> > > > svn: PROPFIND of
> > '/repos/.../!svn/bc/11875/.../branches/20070731_....java':
> > > > Server was not authenticated correctly. (http://svn.myhost.com)
> > > > Closing connection.
> > > > Connection closed.
> > > > Closing connection.
> > > > Connection closed.
> > > > Closing connection.
> > > > Connection closed.
> > > >
> > > > Thanks in advance.
> > > >
> > > > --
> > > > Michael Zhou <zhouyuehong@21cn.com>
> > > >
> > > > --------------------- Original Message Ends --------------------
> > > >
> > > > --
> > > > Michael Zhou < zhouyuehong@21cn.com>
> > > >
> > > > ---------------------------------------------------------------------
> > > > To unsubscribe, e-mail:
> <mailto:users-unsubscribe@subversion.tigris.org>
> > users-unsubscribe@subversion.tigris.org
> > > > For additional commands, e-mail: users-help@subversion.tigris.org
> > > >
> > >
> > >
> > >
> > >
> > > --
> > > http://www.iUseSVN.com (Chinese SVN Forum)
> >
> > --
> > Michael Zhou <zhouyuehong@21cn.com>
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
> > For additional commands, e-mail: users-help@subversion.tigris.org
> >
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
> > For additional commands, e-mail: users-help@subversion.tigris.org
> >
>
> --
> Michael Zhou <zhouyuehong@21cn.com>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
> For additional commands, e-mail: users-help@subversion.tigris.org
>

-- 
Michael Zhou <zhouyuehong@21cn.com>
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Received on Fri Aug 10 09:23:24 2007

This is an archived mail posted to the Subversion Users mailing list.