[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

RE: --username and --password ignored with NTLM authentication?

From: Poonam Ahuja <poonam.ahuja_at_dkib.com>
Date: Wed, 5 Aug 2009 14:21:33 +0100

Yes, the subversion book states that username passed as --username takes
precedence over the username stored in the auth area (provided the
client is challenged for authentication details). However, if the
credentials provided using --username are invalid, it then tries to use
the ones from the auth directory.

http://svnbook.red-bean.com/nightly/en/svn.serverconfig.netmodel.html#sv
n.serverconfig.netmodel.credcache
" Here is a final summary that describes how a Subversion client behaves
when it receives an authentication challenge.

1. First, the client checks whether the user specified any credentials
as command-line options (--username and/or --password). If so, the
client will try to use those credentials to authenticate against the
server.

2. If no command-line credentials were provided, or the provided ones
were invalid, the client looks up the server's hostname, port, and realm
in the runtime configuration's auth/ area, to see whether appropriate
credentials are cached there. If so, it attempts to use those
credentials to authenticate.

3. Finally, if the previous mechanisms failed to successfully
authenticate the user against the server, the client resorts to
interactively prompting the user for valid credentials (unless
instructed not to do so via the --non-interactive option or its
client-specific equivalents)."

Given

-----Original Message-----
From: Craig Holmquist [mailto:craig.holmquist_at_neurotronics.com]
Sent: 05 August 2009 13:37
To: 'Ryan Schmidt'
Cc: users_at_subversion.tigris.org
Subject: RE: --username and --password ignored with NTLM authentication?

From
http://svnbook.red-bean.com/nightly/en/svn.tour.initial.html#svn.tour.in
itial.different-user :

"Since Subversion caches auth credentials by default (both username and
password), it conveniently remembers who you were acting as the last
time you modified your working copy. But sometimes that's not
helpful-particularly if you're working in a shared working copy such as
a system configuration directory or a web server document root. In this
case, just pass the --username option on the command line, and
Subversion will attempt to authenticate as that user, prompting you for
a password if necessary."

The passage you quote from
http://svnbook.red-bean.com/en/1.5/svn.serverconfig.netmodel.html just
says that the client doesn't send any auth credentials unless the server
explicitly asks for them; it doesn't mention anything about where the
client obtains the credentials. Since the server doesn't cache any
credentials (AFAIK), a server that's set up to require authentication
for all operations will request them all the time.

-----Original Message-----
From: Ryan Schmidt [mailto:subversion-2009b_at_ryandesign.com]
Sent: Tuesday, August 04, 2009 6:47 PM
To: Craig Holmquist
Cc: users_at_subversion.tigris.org
Subject: Re: --username and --password ignored with NTLM authentication?

On Aug 4, 2009, at 14:06, Craig Holmquist wrote:

> I've noticed that in Subversion 1.6.3 (and probably all earlier
> versions),
> if the server sends an NTLM challenge, and client responds with the
> logged-in user's credentials even if the --username and --password
> command
> line options are given. That is, the name in the revision log is the
> logged-in user instead of the user passed on the command line.
>
> Is this intentional? In my opinion it's counterintuitive. The
> Subversion
> book states that --username and --password take precedence over any
> cached
> credentials;

Where did you read this? It was my understanding that the values
specified in --username and --password are only used if the client
can't find the necessary information in the auth cache. And I didn't
think this varied based on your authentication method.

http://svnbook.red-bean.com/en/1.5/svn.serverconfig.netmodel.html

"One last word about svn's authentication behavior, specifically
regarding the --username and --password options. Many client
subcommands accept these options, but it is important to understand
that using these options does not automatically send credentials to
the server. As discussed earlier, the server "pulls" credentials from
the client when it deems necessary; the client cannot "push" them at
will. If a username and/or password are passed as options, they will
be presented to the server only if the server requests them. These
options are typically used to authenticate as a different user than
Subversion would have chosen by default (such as your system login
name) or when trying to avoid interactive prompting (such as when
calling svn from a script)."

But I may have no idea what I'm talking about, as I don't even know
what NTLM is.

------------------------------------------------------
http://subversion.tigris.org/ds/viewMessage.do?dsForumId=1065&dsMessageI
d=2380420

To unsubscribe from this discussion, e-mail:
[users-unsubscribe_at_subversion.tigris.org].

This e-mail is confidential and the information contained in it may be
privileged. It should not be read, copied or used by anyone other than the
intended recipient. If you have received it in error, please contact the sender
immediately by telephoning (+44 (0)20 7623 8000) or by return email, and delete
the e-mail and do not disclose its contents to any person. We believe, but do
not warrant, that this e-mail and any attachments are virus free, but you must
take full responsibility for virus checking. Please refer to
http://www.dresdnerkleinwort.com/disc/email/ and read our e-mail disclaimer
statement and monitoring policy.

Dresdner Kleinwort is a brand and trading name of the Commerzbank group and
operates through Commerzbank AG, Dresdner Kleinwort Limited and their affiliated
or associated companies. Commerzbank AG is a company incorporated in Germany
with limited liability and registered in England (registered no. FC008139, place
of business 60 Gracechurch Street, London EC3V 0HR) and is authorised by
Bundesanstalt fuer Finanzdienstleistungsaufsicht (BaFin) and authorised and
subject to limited regulation by the Financial Services Authority (FSA).
Dresdner Kleinwort Limited is a company incorporated in England with limited
liability (registered no. 551334, registered office 30 Gresham Street, London
EC2V 7PG) and is authorised and regulated by the FSA. Details about the extent
of our authorisations and regulation are available on request.

------------------------------------------------------
http://subversion.tigris.org/ds/viewMessage.do?dsForumId=1065&dsMessageId=2380429

To unsubscribe from this discussion, e-mail: [users-unsubscribe_at_subversion.tigris.org].
Received on 2009-08-05 15:26:19 CEST

This is an archived mail posted to the Subversion Users mailing list.

This site is subject to the Apache Privacy Policy and the Apache Public Forum Archive Policy.