
svnserve + SASL: Only works with plaintext 'userPassword', so what's the point?

From: Donner, Sean P <sean.p.donner_at_lmco.com>
Date: Tue, 25 Jan 2011 12:51:12 -0700

I'm attempting to set up svnserve with SASL support on my Slackware 13.1 server and after
some trial and error I'm able to get it to work with the configuration listed at the end of this
post.

You'll notice that the output of sasldblistusers2 shows my test user as having both an
encrypted cmusaslsecretOTP password as well as a plain text userPassword. i.e., if I were to
run the command ‘strings /etc/sasl2/my_sasldb’ I would see the test user's password in
plaintext. These two password entries were created with the following subversion-book
recommended command:

saslpasswd2 -c -f /etc/sasl2/my_sasldb -u myrepo test

After reading man saslpasswd2 I see the following option:

"-n Don't set the plaintext userPassword property for the user. Only mechanism-specific
secrets will be set (e.g. OTP, SRP)"

This is exactly what I want to do, suppress the plain text password and only use the
mechanism-specific secret (OTP in my case). So I clear out /etc/sasl2/my_sasldb and rerun
saslpasswd2 as:

saslpasswd2 -n -c -f /etc/sasl2/my_sasldb -u myrepo test

I then follow it up with a sasldblistusers2 and I see:

$ sasldblistusers2 -f /etc/sasl2/my_sasldb
test_at_myrepo: cmusaslsecretOTP

Perfect! Now I have only encrypted passwords in my sasldb.... only neither the Linux svn
client nor the Windows TortoiseSVN client can connect to my repo anymore. They both
present me with an endless loop of user/pass challenge. As soon as I rerun saslpasswd2
without the '-n' flag, everything works again.

So, what’s the point of svnserve supporting SASL if my sasldb must store its passwords in
plaintext to work?

Thanks,
-Sean

============CONFIGURATION================

-----------------------------
svnserve.conf
-----------------------------
[general]
anon-access = read
auth-access = write
realm = myrepo

[sasl]
use-sasl = true
min-encryption = 128
max-encryption = 256

-----------------------------
/etc/sasl2/svn.conf
-----------------------------
pwcheck_method: auxprop
auxprop_plugin: sasldb
sasldb_path: /etc/sasl2/my_sasldb
mech_list: DIGEST-MD5

-----------------------------
sasldb users
-----------------------------
$ sasldblistusers2 -f /etc/sasl2/my_sasldb
test_at_myrepo: cmusaslsecretOTP
test_at_myrepo: userPassword

Received on 2011-01-26 08:06:48 CET

This is an archived mail posted to the Subversion Users mailing list.
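
Added example, not part of the original post and not svnserve or Cyrus SASL code: DIGEST-MD5 is a shared-secret mechanism, so a server restricted to `mech_list: DIGEST-MD5` has to recompute the client's response from the stored password, and an entry holding only an OTP secret gives it nothing to compute from. The sketch below models that check with the RFC 2831 response formula; the dictionary standing in for the sasldb, the password, the nonces and the `svn/svn.example.org` digest-uri are all constructed.

```python
import hashlib
import hmac


def _md5(data: bytes) -> bytes:
    return hashlib.md5(data).digest()


def digest_md5_response(user, realm, password, nonce, cnonce, nc, digest_uri, qop="auth"):
    """Client response per RFC 2831 section 2.1.2.1 (qop=auth, no authzid)."""
    # H(user:realm:password) is the only secret input; the rest travels on the wire.
    secret = _md5(f"{user}:{realm}:{password}".encode())
    a1 = secret + f":{nonce}:{cnonce}".encode()
    a2 = f"AUTHENTICATE:{digest_uri}".encode()
    kd = f"{_md5(a1).hex()}:{nonce}:{nc}:{cnonce}:{qop}:{_md5(a2).hex()}"
    return _md5(kd.encode()).hex()


def server_verify(sasldb, user, realm, client_response, **challenge):
    """Model of the server side: recompute the response from the stored secret."""
    props = sasldb.get(f"{user}@{realm}", {})
    password = props.get("userPassword")
    if password is None:
        # Only a secret for a different mechanism (here OTP) is stored, so the
        # expected DIGEST-MD5 response cannot be derived and the login fails.
        return False
    expected = digest_md5_response(user, realm, password, **challenge)
    return hmac.compare_digest(expected, client_response)


# Constructed sample data (hypothetical values, not taken from a real server).
CHALLENGE = dict(nonce="c2VydmVyLW5vbmNl", cnonce="Y2xpZW50LW5vbmNl",
                 nc="00000001", digest_uri="svn/svn.example.org")
DB_DEFAULT = {"test@myrepo": {"userPassword": "s3cret", "cmusaslsecretOTP": "<opaque>"}}
DB_WITH_N = {"test@myrepo": {"cmusaslsecretOTP": "<opaque>"}}  # created with -n


def demo():
    """Return (accepted with userPassword stored, accepted with OTP secret only)."""
    resp = digest_md5_response("test", "myrepo", "s3cret", **CHALLENGE)
    return (server_verify(DB_DEFAULT, "test", "myrepo", resp, **CHALLENGE),
            server_verify(DB_WITH_N, "test", "myrepo", resp, **CHALLENGE))


if __name__ == "__main__":
    print(demo())
```
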
