On Thu, 28 Aug 2008 16:35:25 -0500
Alec Kloss <alec.kloss_at_oracle.com> wrote:
[skip]
> > Also, wouldn't svnserve+sasl be able to solve the complaint of having
> > plain text passwords stored on the server side?
>
> Pretty much only if you're using (my favorite) gssapi with sasl.
> Just about everything else in sasl requires either clear-text
> transmission of the password or clear-text storage of the password
> on the server. It's probably still slightly better to use sasl
> because the authentication is normally offloaded to a specialized
> authentication server so there's sort-of less to audit.
If you host only one repo using svnserve, then the sasl+ldap
thing will work too. You need to set up sasl to provide only the DIGEST-MD5
auth method in svnserve and set up your ldap users properly, keeping
http://southbrain.com/south/2008/08/cmusaslsecretcrammd5-cmusaslse.html
in mind.
If you want to host multiple repositories using one svnserve process,
cleartext passwords stored either in ldap, sasldb or the svnserve db
are the only option currently, IMO.
Possible solutions are:
a) TLS support for svn client and svnserve (in this case we can use
sasl cleartext-password-transmitting auth methods like PLAIN or LOGIN,
and svnserve will be able to do checks against any encrypted password db)
b) alter the svnserve internal CRAM-MD5 auth method and make it work with
stored password hashes as described here:
http://southbrain.com/south/2008/08/cmusaslsecretcrammd5-cmusaslse.html
c) add an svnserve config or command line option to disable the internal CRAM-MD5 mech
and let sasl do all the checks
--
Grigory Kareev
Parallels
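As an added example (not code from this thread, nor from Subversion or Cyrus SASL), the following shows why the DIGEST-MD5 route above lets the server avoid cleartext storage: per RFC 2831 the server only needs H(username:realm:password) to verify a client's response. The user, realm, URI and password values are constructed for the demo.

```python
import hashlib
import hmac
import os


def _h(data: bytes) -> bytes:
    return hashlib.md5(data).digest()


def stored_secret(username: str, realm: str, password: str) -> bytes:
    # H(username:realm:password): the 16-byte value the directory keeps
    # instead of the cleartext password. It is password-equivalent for
    # DIGEST-MD5, so it still needs cleartext-grade access control.
    return _h(f"{username}:{realm}:{password}".encode())


def digest_response(secret: bytes, nonce: bytes, cnonce: bytes, nc: bytes,
                    qop: bytes, digest_uri: bytes) -> str:
    # RFC 2831 response-value for qop=auth, derived from the stored secret
    # only; neither side needs the cleartext password at this point.
    a1 = secret + b":" + nonce + b":" + cnonce
    a2 = b"AUTHENTICATE:" + digest_uri
    ha1 = _h(a1).hex().encode()
    ha2 = _h(a2).hex().encode()
    kd_input = b":".join([ha1, nonce, nc, cnonce, qop, ha2])
    return _h(kd_input).hex()


def server_verify(secret: bytes, nonce: bytes, cnonce: bytes, nc: bytes,
                  qop: bytes, digest_uri: bytes, response: str) -> bool:
    expected = digest_response(secret, nonce, cnonce, nc, qop, digest_uri)
    return hmac.compare_digest(expected, response)


def demo(password_tried: str) -> bool:
    # Constructed values; user, realm, password and URI are hypothetical.
    user, realm, real_pw = "alice", "svn.example", "correct horse"
    directory = {user: stored_secret(user, realm, real_pw)}  # no cleartext
    nonce = os.urandom(16).hex().encode()    # server challenge
    cnonce = os.urandom(16).hex().encode()   # client nonce
    nc, qop, uri = b"00000001", b"auth", b"svn/svn.example"
    # Client side: derives the same secret from what the user typed.
    client_secret = stored_secret(user, realm, password_tried)
    resp = digest_response(client_secret, nonce, cnonce, nc, qop, uri)
    return server_verify(directory[user], nonce, cnonce, nc, qop, uri, resp)


if __name__ == "__main__":
    print(demo("correct horse"), demo("wrong password"))  # True False
```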
Received on 2008-08-29 05:21:44 CEST