Re: sasl mechanisms order

From: Victor Sudakov <sudakov_at_sibptus.tomsk.ru>
Date: Mon, 26 Jul 2010 12:53:44 +0700

Daniel Shahaf wrote:
> >
> > I have the following line in /usr/local/lib/sasl2/svn.conf:
> > mech_list: gssapi digest-md5 anonymous
> >
> > How can I guarantee that the subversion client/server will always use
> > GSSAPI before DIGEST-MD5? Or a more generic question, how can I change
> > the order of mechanisms if I have to?
> >
>
> Looking at subversion/libsvn_ra_svn/{client.c,cyrus_auth.c}, it seems that the
> following order is used:
>
> * EXTERNAL (i.e., ssh tunnel)
> * ANONYMOUS
> * ${server-reported mechanisms, in the order suggested by the server}
> * CRAM-MD5 (used via internal_auth.c even if SASL doesn't support it)
>
> I don't see a knob that lets you manipulate the order.

Then how can I manipulate "the order suggested by the server"? The
server is svnserve.

>
> > I have experimented with the order of mechanisms in the mech_list
> > definition, but the result is always the same ( ANONYMOUS GSSAPI
> > DIGEST-MD5 ). It's fine so far, but how can I change the order if
> > needed?
> >
>
> Is your problem that GSSAPI is before/after DIGEST-MD5, or that it is
> before/after ANONYMOUS? These are quite different situations...

Right now GSSAPI comes before DIGEST-MD5 and this is fine with me. I
just don't want this order to change suddenly with a new version of
subversion or cyrus-sasl or something, because it will break SSO.

-- 
Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
sip:sudakov_at_sibptus.tomsk.ru
Received on 2010-07-26 07:54:26 CEST
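
A regression check for the concern raised in this message, as an added example that is not part of the original thread or of Subversion's code. It takes the svn.conf line and the observed offer quoted above, applies the client ordering as read in the quoted reply, and reports when GSSAPI no longer precedes DIGEST-MD5. The function names, the pinned list and the regressed offer are assumptions made for illustration.

```python
import re

# Values quoted in the thread above.
SAMPLE_CONF = "mech_list: gssapi digest-md5 anonymous\n"
SAMPLE_OFFER = "( ANONYMOUS GSSAPI DIGEST-MD5 )"
# Constructed: what a changed order could look like after an upgrade.
REGRESSED_OFFER = "( ANONYMOUS DIGEST-MD5 GSSAPI )"

def parse_mech_list(conf_text):
    """Return the mech_list entries of a Cyrus SASL conf, upper-cased, in file order."""
    for line in conf_text.splitlines():
        m = re.match(r"\s*mech_list\s*:\s*(.*)$", line, re.IGNORECASE)
        if m:
            return [w.upper() for w in m.group(1).split()]
    return []

def parse_offer(text):
    """Parse an observed offer written as in the thread: '( A B C )'."""
    return [w.upper() for w in text.strip().strip("()").split()]

def client_try_order(offered):
    """Order in which the client tries mechanisms, per the quoted reply.
    Assumption: a mechanism is attempted only if the server offered it."""
    middle = [m for m in offered if m not in ("EXTERNAL", "ANONYMOUS", "CRAM-MD5")]
    first = [m for m in ("EXTERNAL", "ANONYMOUS") if m in offered]
    last = ["CRAM-MD5"] if "CRAM-MD5" in offered else []
    return first + middle + last

def check_pinned_order(conf_text, observed_offer, pinned):
    """Return a list of findings; an empty list means the pinned order still holds."""
    findings = []
    configured = parse_mech_list(conf_text)
    offered = parse_offer(observed_offer)
    tried = client_try_order(offered)
    for mech in pinned:
        if mech not in configured:
            findings.append(f"{mech} missing from mech_list")
        if mech not in offered:
            findings.append(f"{mech} not offered by server")
    present = [m for m in tried if m in pinned]
    expected = [m for m in pinned if m in tried]
    if present != expected:
        findings.append(f"order changed: expected {expected}, got {present}")
    return findings

if __name__ == "__main__":
    for offer in (SAMPLE_OFFER, REGRESSED_OFFER):
        print(offer, "->", check_pinned_order(SAMPLE_CONF, offer, ["GSSAPI", "DIGEST-MD5"]) or "ok")
```
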

This is an archived mail posted to the Subversion Users mailing list.
