[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

RE: Subversion authentication via SASL GSSAPI and likewise open

From: Cooke, Mark <mark.cooke_at_siemens.com>
Date: Thu, 26 Jul 2012 10:21:00 +0100

Note: please reply in-line and, if at all possible, in _plain_ text, not html...

> On Thu, Jul 26, 2012 at 11:50 AM, Cooke, Mark
> <mark.cooke_at_siemens.com> wrote:
>
> > On Thu, Jul 26, 2012 at 9:38 AM, Cooke, Mark
> > <mark.cooke_at_siemens.com> wrote:
> >
> >
> > > -----Original Message-----
> > > From: xumuku [mailto:xumuku_at_gmail.com]
> > > Sent: 25 July 2012 16:49
> > > To: subversion_users_at_googlegroups.com
> > > Cc: users_at_subversion.apache.org; xumuku_at_gmail.com
> > > Subject: Re: Subversion authentication via
> SASL GSSAPI and
> > > likewise open
> > >
> > > My current /usr/lib/sasl2/svn.conf is:
> > >
> > > pwcheck_method: saslauthd
> > > mech_list: GSSAPI
> > > saslauthd_path: /var/run/saslauthd/mux
> > > log_level: 7
> > >
> > > But I get the error:
> > > Cannot negotiate authentication mechanism
> > >
> > > 1. Does *anyone* have Windows SVNServe
> authenticating to
> > > AD/Kerberos via SASL/GSSAPI?
> > >
> > <http://stackoverflow.com/questions/10407077/does-anyone-have-
> > windows-svnserve-authenticating-to-ad-kerberos-via-sasl-gssap>
> > > 2. Cannot negotiate authentication mechanism
> > >
> > <http://subversion.tigris.org/ds/viewMessage.do?dsForumId=1065
> > &viewType=browseAll&dsMessageId=65725#messagefocus>
> >
> > No (sorry), we use https via apache and mod_ldap to
> > authenticate against AD. I am interested to know why you
> > think that is not secure enough (perhaps you have *nix
> > clients storing plain text passwords?)
> >
> > ~ mark c
> >
> > Because it works only with PLAIN auth:
>
> Ah, ok, yes, I did say we use https. The server is
> configured to redirect all http traffic to https (using
> mod_ssl) and authentication then happens in that encrypted
> environment (or am I being naïve here?)
>
> > tcpdump -ni eth0 -A src host 192.168.1.2 and tcp dst port 3690
> >
> >
> > 17:10:10.488834 IP 192.168.1.2.59751 > 192.168.1.1.3690:
> > Flags [P.], seq 145:184, ack 166, win 65115, length 39
> > E..O.b@...."..@...@ .g.j....~...P..[....( PLAIN (
> > 21:AHVzZXIAcGFzc3dvcmQ=
> >
> >
> > http://www.opinionatedgeek.com/dotnet/tools/base64decode/ -
> > and you can see my sername and password
> >
> >
> > We already have Apache via mod_svn and mod_ldap but
> it is very slow.
>
> What is very slow? I know we don't have many users and
> are on an internal network but I have no issue with our speeds...
>
> ~ mark c
>
> -----Original Message-----
> From: slaventii [mailto:xumuku_at_gmail.com]
> Sent: 26 July 2012 09:58
> To: Cooke, Mark
> Cc: users_at_subversion.apache.org
> Subject: Re: Subversion authentication via SASL GSSAPI and
> likewise open
>
> >Ah, ok, yes, I did say we use https. The server is
> configured to redirect all http traffic >to https (using
> mod_ssl) and authentication then happens in that encrypted
> >environment (or am I being naïve here?)
> As I wrote we already have Apache with HTTPS. All is good
> except speed.

Sorry, I read the list, not links to other sites.

> >What is very slow? I know we don't have many users and are
> on an internal network >but I have no issue with our speeds...
>
> And this is not only our opinion - Svnserve VS mod_dav_svn
> <http://stackoverflow.com/questions/502585/svnserve-vs-mod-dav-svn> .
>
> SVN + Apache - slow.
> SVN + SASL-Ldap - insecure.
> SVN + SASL-GSSAPI - in progress :)

As mentioned in one of the answers to your stackoverflow question (seeing as you insist on referencing it), svn 1.7 uses a new, faster protocol for mod_dav which you will be using by default if setting up a new repo and using up-to-date clients... Remember the version (1.4.5) benchmarked was released in 2007!

Have you actually run any benchmark trials yourself comparing https and svnserve on your network? If your network is slow (not the server) then it may not actually matter which you use!

~ mark c
Received on 2012-07-26 15:27:58 CEST

This is an archived mail posted to the Subversion Users mailing list.

This site is subject to the Apache Privacy Policy and the Apache Public Forum Archive Policy.