[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Subversion 1.5 SASL doesn't work correctly with Kerberos cross-realm authentication

From: Alec Kloss <Alec.Kloss_at_oracle.com>
Date: Tue, 12 Aug 2008 14:00:13 -0500

First off, Subversion's code is lovely to read.

The subject pretty much says it all. The SASL support in
Subversion 1.5 blindly removes realm specifiers from the user's

There's a seatbelt early in cyrus_auth.c which protects against
security problems associated with removing the realm as described
by this comment:

      /* The only valid realm is user_realm (i.e. the repository's realm).
             If the user gave us another realm, complain. */

Later, at the end of cyrus_auth_request() the realm is yanked off
of the authenticated user, which creates the potential security
issue that the seatbelt in cyrus_auth.c is protecting against:

      if ((p = strchr(user, '@')) != NULL)
        /* Drop the realm part. */
        b->user = apr_pstrndup(b->pool, user, p - (char *)user);

I guess I'd propose changing the default behavior to allow
cross-realm and strip the realm part off in cyrus_auth_request()
if-and-only-if it matches the configured "user_realm". I'd like to
see a flag to disable the stripping of the realm entirely, as
people with lots of cross-realm will almost certainly prefer that.

(And while I'm commenting, has no one looked into logging in
svnserve since 2005? It's kinda a big thing to be missing, at
least among the paranoid.)

Oracle Confidential Information        
Alec.Kloss_at_oracle.com			Oracle Middleware
PGP key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x432B9956

  • application/pgp-signature attachment: stored
Received on 2008-08-12 21:00:43 CEST

This is an archived mail posted to the Subversion Users mailing list.

This site is subject to the Apache Privacy Policy and the Apache Public Forum Archive Policy.