
Re: svnserve + SASL: Only works with plaintext 'userPassword', so what's the point?

From: Stefan Sperling <stsp_at_elego.de>
Date: Wed, 26 Jan 2011 12:04:17 +0100

On Tue, Jan 25, 2011 at 12:51:12PM -0700, Donner, Sean P wrote:
> I'm attempting to set up svnserve with SASL support on my Slackware 13.1 server, and after
> some trial and error I'm able to get it to work with the configuration listed at the end of this
> post.
>
> You'll notice that the output of sasldblistusers2 shows my test user as having both an
> encrypted cmusaslsecretOTP password as well as a plain text userPassword, i.e., if I were to
> run the command ‘strings /etc/sasl2/my_sasldb’ I would see the test user's password in
> plaintext. These two password entries were created with the following subversion-book
> recommended command:
>
> saslpasswd2 -c -f /etc/sasl2/my_sasldb -u myrepo test
>
> After reading man saslpasswd2 I see the following option:
>
> "-n Don't set the plaintext userPassword property for the user. Only mechanism-specific
> secrets will be set (e.g. OTP, SRP)"
>
> This is exactly what I want to do, suppress the plain text password and only use the
> mechanism-specific secret (OTP in my case). So I clear out /etc/sasl2/my_sasldb and rerun
> saslpasswd2 as:
>
> saslpasswd2 -n -c -f /etc/sasl2/my_sasldb -u myrepo test
>
> I then follow it up with a sasldblistusers2 and I see:
>
> $ sasldblistusers2 -f /etc/sasl2/my_sasldb
> test_at_myrepo: cmusaslsecretOTP
>
> Perfect! Now I have only encrypted passwords in my sasldb... only neither the Linux svn
> client nor the Windows TortoiseSVN client can connect to my repo anymore. They both
> present me with an endless loop of user/pass challenges. As soon as I rerun saslpasswd2
> without the '-n' flag, everything works again.
>
> So, what’s the point of svnserve supporting SASL if my sasldb must store its passwords in
> plaintext to work?

It's because of how CRAM-MD5 works.

"The server needs access to the users' plain text passwords."
http://en.wikipedia.org/wiki/CRAM-MD5

Stefan
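An added illustration of the point in the reply above (example code, not from the thread or from Cyrus SASL/svnserve): a CRAM-MD5 response is an HMAC-MD5 keyed with the password itself, so the server can only verify it by recomputing that HMAC from the same plaintext password. A server holding only a one-way hash of the password (here a constructed SHA-256 record) has no way to verify, which is why removing `userPassword` with `-n` breaks the login. Usernames, passwords and the hostname are constructed sample values.

```python
import hashlib
import hmac
import secrets
import time


def make_challenge(hostname: str = "svn.example.invalid") -> str:
    """Server side: a fresh, unpredictable challenge in the usual <random.time@host> shape."""
    return f"<{secrets.randbelow(10**9)}.{int(time.time())}@{hostname}>"


def client_response(username: str, password: str, challenge: str) -> str:
    """Client side: HMAC-MD5 with the PASSWORD as the key, over the server's challenge."""
    digest = hmac.new(password.encode("utf-8"), challenge.encode("utf-8"), hashlib.md5).hexdigest()
    return f"{username} {digest}"


def server_verify(response: str, challenge: str, userdb: dict) -> bool:
    """Server side: recompute the HMAC from the stored secret and compare in constant time.

    This only succeeds if userdb holds the plaintext password, because the HMAC key
    is the password itself; a stored hash of the password is the wrong key.
    """
    try:
        username, digest = response.split(" ", 1)
    except ValueError:
        return False
    stored = userdb.get(username)
    if stored is None:
        return False
    expected = hmac.new(stored.encode("utf-8"), challenge.encode("utf-8"), hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)


def demo() -> tuple:
    """Run one exchange against a plaintext sasldb-style record and one against a hashed record."""
    password = "constructed-sample-password"
    plaintext_db = {"test": password}                                  # like userPassword
    hashed_db = {"test": hashlib.sha256(password.encode()).hexdigest()}  # a one-way hash only
    challenge = make_challenge()
    response = client_response("test", password, challenge)
    ok_plain = server_verify(response, challenge, plaintext_db)   # True
    ok_hashed = server_verify(response, challenge, hashed_db)     # False: wrong HMAC key
    return ok_plain, ok_hashed


if __name__ == "__main__":
    print(demo())
```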
Received on 2011-01-26 12:05:01 CET

This is an archived mail posted to the Subversion Users mailing list.
