
Re: Can svnserve read an encrypted password file?

From: Grigory V. Kareev <gkareev_at_parallels.com>
Date: Fri, 29 Aug 2008 10:21:23 +0700

On Thu, 28 Aug 2008 16:35:25 -0500
Alec Kloss <alec.kloss_at_oracle.com> wrote:

[skip]
> > Also, wouldn't svnserve+sasl be able to solve the complaint of having
> > plain text passwords stored on the server side?
>
> Pretty much only if you're using (my favorite) gssapi with sasl.
> Just about everything else in sasl requires either clear-text
> transmission of the password or clear-text storage of the password
> on the server. It's probably still slightly better to use sasl
> because the authentication is normally offloaded to a specialized
> authentication server so there's sort-of less to audit.

If you host only one repo using svnserve, then the sasl+ldap
thing will work too. You need to set up sasl to provide only the DIGEST-MD5
auth method in svnserve and set up your ldap users properly, keeping
http://southbrain.com/south/2008/08/cmusaslsecretcrammd5-cmusaslse.html
in mind.

If you want to host multiple repositories using one svnserve process,
cleartext passwords stored either in ldap, sasldb or svnserve db
are the only option currently, IMO.

Possible solutions are:
a) TLS support for svn client and svnserve (in this case we can use
    sasl cleartext password transmitting auth methods like PLAIN or LOGIN
    and svnserve will be able to do checks against any encrypted password db)
b) alter svnserve internal CRAM-MD5 auth method and make it work with
    stored password hashes as described here:
    http://southbrain.com/south/2008/08/cmusaslsecretcrammd5-cmusaslse.html
c) add an svnserve config or command line option to disable the internal CRAM-MD5 mech
    and let sasl do all the checks

-- 
Grigory Kareev
Parallels
Received on 2008-08-29 05:21:44 CEST
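
Added example, not part of the archived message and not Subversion or Cyrus SASL code: a Python illustration of why CRAM-MD5 ties the server to the cleartext password (or to precomputed HMAC key state, as in option b), while a cleartext-transmitting mechanism such as PLAIN under TLS (option a) lets the server keep only a salted hash. Assumptions: all function names are hypothetical, the precomputed inner/outer MD5 contexts are one reading of "stored password hashes" for CRAM-MD5, PBKDF2-SHA256 stands in for "any encrypted password db", and the sample password and challenge are the public example values from RFC 2195.

```python
import hashlib, hmac, os

# Sample input: the example secret and challenge printed in RFC 2195.
PASSWORD = b"tanstaaftanstaaf"
CHALLENGE = b"<1896.697170952@postoffice.reston.mci.net>"

def cram_md5_response(password, challenge):
    """Client side: hex HMAC-MD5 of the server challenge, keyed by the password."""
    return hmac.new(password, challenge, hashlib.md5).hexdigest()

def verify_cram_cleartext(stored_password, challenge, response):
    """Server with a cleartext store: it must recompute the same keyed HMAC."""
    return hmac.compare_digest(cram_md5_response(stored_password, challenge), response)

def precompute_hmac_state(password):
    """Option (b), assumed form: keep two keyed MD5 contexts instead of the password."""
    key = password if len(password) <= 64 else hashlib.md5(password).digest()
    key = key.ljust(64, b"\0")                       # HMAC pads the key to the block size
    inner = hashlib.md5(bytes(b ^ 0x36 for b in key))  # key XOR ipad
    outer = hashlib.md5(bytes(b ^ 0x5C for b in key))  # key XOR opad
    return inner, outer

def verify_cram_state(state, challenge, response):
    """Finish HMAC-MD5 from the stored contexts; the password itself is not needed."""
    inner, outer = state[0].copy(), state[1].copy()
    inner.update(challenge)
    outer.update(inner.digest())
    return hmac.compare_digest(outer.hexdigest(), response)

def store_for_plain(password, salt=None):
    """Option (a): with PLAIN under TLS the server can keep only salt + slow hash."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password, salt, 100_000)

def verify_plain(stored, password_from_wire):
    """The password arrives in the clear (inside TLS), so it can be re-hashed and compared."""
    salt, digest = stored
    candidate = hashlib.pbkdf2_hmac("sha256", password_from_wire, salt, 100_000)
    return hmac.compare_digest(candidate, digest)

if __name__ == "__main__":
    resp = cram_md5_response(PASSWORD, CHALLENGE)
    print("cleartext store verifies CRAM-MD5:", verify_cram_cleartext(PASSWORD, CHALLENGE, resp))
    print("HMAC-state store verifies CRAM-MD5:",
          verify_cram_state(precompute_hmac_state(PASSWORD), CHALLENGE, resp))
    print("salted-hash store verifies PLAIN:", verify_plain(store_for_plain(PASSWORD), PASSWORD))
```

The stored MD5 contexts are not the password, but whoever can read them can compute a valid CRAM-MD5 response for any challenge, so that file needs the same protection as a cleartext password file.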

This is an archived mail posted to the Subversion Users mailing list.
