Stefan Sperling schrieb:
> On Mon, Aug 22, 2011 at 01:41:59PM +0200, 1983-01-06_at_gmx.net wrote:
>> no, I did not set that value neither on Windows nor on FreeBSD.
>> Using Negotiate does require setting a username. That's what the
>> credentials cache is for.
>
> You expect svn to get the proxy username from the ~/.subversion/auth
> cache? That expectation is not unreasonable, but it is not what the
> implementation does, as far as I understand (see
> subversion/libsvn_ra_neon/session.c).
Stefan,

any news on this?

I did some digging in the subversion and neon code and noticed some
interesting and odd stuff.

If you take a look at the aforementioned session.c in line 865 [1]
you'll see that the code is correct: Negotiate auth is added if no
proxy_username is set. So my assumption was correct. It should work
out of the box.

Digging deeper into that file shows that Negotiate auth for servers (not
proxy servers) is done only when the server is served with HTTPS [2].
I took a look back at neon_auth.h (define NE_AUTH_NEGOTIATE) [3] and it
constantly says that Digest and Negotiate are unsecure and require a
secure connection, which is complete nonsense. Kerberos was designed to
provide security in unsecure networks. This is definitively wrong
documentation.

What do you say?

Mike

[1]
http://svn.apache.org/viewvc/subversion/tags/1.6.17/subversion/libsvn_ra_neon/session.c?view=markup#l865
[2]
http://svn.apache.org/viewvc/subversion/tags/1.6.17/subversion/libsvn_ra_neon/session.c?view=markup#l852
[3] http://svn.webdav.org/repos/projects/neon/tags/0.29.6/src/ne_auth.h
Received on 2011-08-23 22:48:07 CEST