[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: sasl mechanisms order

From: Alec Kloss <alec.kloss_at_oracle.com>
Date: 26 Jul 2010 14:54:13 -0500

On 2010-07-26 14:30, Victor Sudakov wrote:
> Daniel Shahaf wrote:
> > > > >
> > > > > I have the following line in /usr/local/lib/sasl2/svn.conf:
> > > > > mech_list: gssapi digest-md5 anonymous
> > > > >
> > > > > How can I guarantee that the subversion client/server will always use
> > > > > GSSAPI before DIGEST-MD5? Or a more generic question, how can I change
> > > > > the order of mechanisms if I have to?
> > > > >
> > > >
> > > > Looking at subversion/libsvn_ra_svn/{client.c,cyrus_auth.c}, it seems that the
> > > > following order is used:
> > > >
> > > > * EXTERNAL (i.e., ssh tunnel)
> > > > * ANONYMOUS
> > > > * ${server-reported mechanisms, in the order suggested by the server}
> > > > * CRAM-MD5 (used via internal_auth.c even if SASL doesn't support it)
> > > >
> > > > I don't see a knob that lets you manipulate the order.
> > >
> > > Then how can I manipulate "the order suggested by the server"? The
> > > server is svnserve.
> > >
> >
> > Looking in subversion/svnserve/cyrus_auth.c, the list of mechansms is obtained
> > directly from SASL:
>
> [dd]
>
> >
> > so you'd have to look up in the SASL docs how to configure the ordering of
> > mechanisms. (I don't know offhand how to configure that.)
>
> I was unable to find this in the SASL docs. It only says that
> mech_list is a "Whitespace separated list of mechanisms to allow (e.g.
> 'plain otp'). Used to restrict the mechanisms to a subset of the
> installed plugins."
>
> While googling I found even such statements as
> http://www.techienuggets.com/CommentDetail?tx=188636
>
> --
> Victor Sudakov, VAS4-RIPE, VAS47-RIPN
> sip:sudakov_at_sibptus.tomsk.ru
>

As far as I can tell (and as amazing as this sounds), the order of the
offered mechanisms from Cyrus sasl is, by default, the reverse of the
order that the library finds them. This would be, in effect, the
reverse physical directory order of the modules in
/usr/[local]/lib/sasl2/ which you can find with ls -U. I've confirmed
this by making copies and deletes of the .so files in that directory to
rearrange the ordering. The list is reversed from the order they're
found in because mechanism list is a linked list and new entries are
prepened (around server.c:392).

As the link your provided mentions, Cyrus SASL believes it's the client
that should select the preferred mechanism from the list offered by the
server, not just the first one.

-- 
Alec.Kloss_at_oracle.com     The views expressed are my own and 
do not necessarily reflect the views of Oracle.  PGP key at
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xEBD1FF14

  • application/pgp-signature attachment: stored
Received on 2010-07-26 21:54:53 CEST

This is an archived mail posted to the Subversion Users mailing list.

This site is subject to the Apache Privacy Policy and the Apache Public Forum Archive Policy.