
Re: svnserve + SASL: Only works with plaintext 'userPassword', so what's the point?

From: Stefan Sperling <stsp_at_elego.de>
Date: Thu, 27 Jan 2011 03:26:35 +0100

On Wed, Jan 26, 2011 at 07:08:55PM -0700, Donner, Sean P wrote:
> > It's because of how CramMD5 works.
> >
> > "The server needs access to the users' plain text passwords."
> > http://en.wikipedia.org/wiki/CRAM-MD5
> >
> > Stefan
>
> Perhaps I'm wrong, but I was under the impression that the 1.6.x version of
> 'svnserve' natively supports CRAM-MD5; meaning you *don't* need to set
> 'use-sasl = true' to get this functionality.

That's correct. But you can still configure SASL to do CRAM-MD5.
So there might be a bug in svn.
Maybe it still assumes that plaintext passwords will always be present.

> So my original question stands as
> to what SASL is buying us when it still requires plain-text passwords to be
> stored on the server?

Unfortunately the SASL stuff is not being maintained very actively.
The developers who wrote it aren't active anymore.
There are a couple of outstanding issues (some with half-done patches
floating around) that haven't been addressed due to lack of interest
and resources.

So if you want to help out with investigating this problem more closely
and possibly also help with fixing this, the Subversion project would
be grateful.

Stefan
Received on 2011-01-27 03:27:19 CET
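
Added example, not part of the original mail and not Subversion or Cyrus SASL code: a minimal CRAM-MD5 exchange in Python showing why the server must hold the same secret the client keys the HMAC with, so a store that keeps only a one-way hash of the password cannot check the response. The account, salt and host name are constructed, and the salted SHA-1 helper is only a stand-in for a hashed 'userPassword' value.

```python
import base64
import hashlib
import hmac
import os
import time


def make_challenge(host="svn.example.invalid"):
    """Server side: fresh per-connection challenge (host name is a placeholder)."""
    return f"<{os.urandom(8).hex()}.{int(time.time())}@{host}>".encode()


def client_response(user, password, challenge):
    """Client side: HMAC-MD5 keyed with the password, computed over the challenge."""
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{user} {digest}".encode())


def server_verify(stored_secret, challenge, response):
    """Server side: recompute the HMAC from whatever secret is stored for the user."""
    _user, digest = base64.b64decode(response).decode().rsplit(" ", 1)
    expected = hmac.new(stored_secret, challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)


def salted_sha1(password, salt):
    """One-way salted hash, standing in for a hashed directory entry (constructed)."""
    return hashlib.sha1(password.encode() + salt).digest()


def demo():
    user, password = "alice", "correct horse"  # constructed sample account
    challenge = make_challenge()
    response = client_response(user, password, challenge)
    hashed_only = salted_sha1(password, b"\x01\x02\x03\x04")
    return {
        # Server kept the plaintext: it derives the same HMAC key as the client.
        "plaintext_store": server_verify(password.encode(), challenge, response),
        # Server kept only a hash: the key differs, so a correct login is rejected.
        "hashed_store": server_verify(hashed_only, challenge, response),
        # Sanity check: a wrong password fails as expected.
        "wrong_password": server_verify(b"guess", challenge, response),
    }


if __name__ == "__main__":
    print(demo())
```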

This is an archived mail posted to the Subversion Users mailing list.
