
RE: Subversion authentication via SASL GSSAPI and likewise open

From: Cooke, Mark <mark.cooke_at_siemens.com>
Date: Thu, 26 Jul 2012 09:50:08 +0100

> On Thu, Jul 26, 2012 at 9:38 AM, Cooke, Mark
> <mark.cooke_at_siemens.com> wrote:
>
>
> > -----Original Message-----
> > From: xumuku [mailto:xumuku_at_gmail.com]
> > Sent: 25 July 2012 16:49
> > To: subversion_users_at_googlegroups.com
> > Cc: users_at_subversion.apache.org; xumuku_at_gmail.com
> > Subject: Re: Subversion authentication via SASL GSSAPI and
> > likewise open
> >
> > My current /usr/lib/sasl2/svn.conf is:
> >
> > pwcheck_method: saslauthd
> > mech_list: GSSAPI
> > saslauthd_path: /var/run/saslauthd/mux
> > log_level: 7
> >
> > But I get the error:
> > Cannot negotiate authentication mechanism
> >
> > 1. Does *anyone* have Windows SVNServe authenticating to
> > AD/Kerberos via SASL/GSSAPI?
> >
> <http://stackoverflow.com/questions/10407077/does-anyone-have-windows-svnserve-authenticating-to-ad-kerberos-via-sasl-gssap>
> > 2. Cannot negotiate authentication mechanism
> >
> <http://subversion.tigris.org/ds/viewMessage.do?dsForumId=1065&viewType=browseAll&dsMessageId=65725#messagefocus>
>
> No (sorry), we use https via apache and mod_ldap to
> authenticate against AD. I am interested to know why you
> think that is not secure enough (perhaps you have *nix
> clients storing plain text passwords?)
>
> ~ mark c
>
> Because it works only with PLAIN auth:

Ah, ok, yes, I did say we use https. The server is configured to redirect all http traffic to https (using mod_ssl) and authentication then happens in that encrypted environment (or am I being naïve here?)

> tcpdump -ni eth0 -A src host 192.168.1.2 and tcp dst port 3690
>
>
> 17:10:10.488834 IP 192.168.1.2.59751 > 192.168.1.1.3690:
> Flags [P.], seq 145:184, ack 166, win 65115, length 39
> E..O.b@...."..@...@ .g.j....~...P..[....( PLAIN (
> 21:AHVzZXIAcGFzc3dvcmQ=
>
>
> http://www.opinionatedgeek.com/dotnet/tools/base64decode/ -
> and you can see my username and password
>
>
> We already have Apache via mod_svn and mod_ldap but it is very slow.

What is very slow? I know we don't have many users and are on an internal network but I have no issue with our speeds...

~ mark c
Received on 2012-07-26 15:32:45 CEST
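
As an added illustration (not part of the thread and not Subversion project code): a Python check that scans captured svn:// payload bytes for a SASL PLAIN response like the one in the tcpdump output quoted above and reports that recoverable credentials crossed the wire, without echoing the password. The function name and the sample bytes are constructed here; the sample reuses the token from the quoted capture.

```python
import base64
import re

# Shape of a client SASL response as it appears in the quoted capture:
# "( MECH ( LEN:BASE64". LEN is captured but not trusted, since pasted
# captures are often edited or re-wrapped.
SASL_RESPONSE = re.compile(rb"\(\s*([A-Za-z0-9_-]+)\s*\(\s*(\d+):([A-Za-z0-9+/]+={0,2})")

# Constructed sample: payload bytes modelled on the tcpdump -A line in the thread.
SAMPLE = b"E..O.b@....P..[....( PLAIN (\n21:AHVzZXIAcGFzc3dvcmQ="


def find_plain_credentials(payload: bytes) -> list[dict]:
    """Report every SASL PLAIN response whose credentials are recoverable."""
    findings = []
    for mech, _declared_len, token in SASL_RESPONSE.findall(payload):
        if mech.upper() != b"PLAIN":
            continue  # GSSAPI, CRAM-MD5 etc. do not carry the password itself
        try:
            raw = base64.b64decode(token, validate=True)
        except ValueError:
            continue  # not valid base64, so not a PLAIN token
        # RFC 4616 message: authzid NUL authcid NUL passwd
        parts = raw.split(b"\x00")
        if len(parts) != 3 or not parts[1] or not parts[2]:
            continue
        findings.append({
            "authzid": parts[0].decode("utf-8", "replace"),
            "authcid": parts[1].decode("utf-8", "replace"),
            "password_length": len(parts[2]),  # never log the secret itself
        })
    return findings


if __name__ == "__main__":
    for hit in find_plain_credentials(SAMPLE):
        print("cleartext SASL PLAIN login for %r (password of %d bytes exposed)"
              % (hit["authcid"], hit["password_length"]))
```

Run over payloads exported from a capture of port 3690, any hit means the connection carried a password with no protection beyond base64 encoding.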

This is an archived mail posted to the Subversion Users mailing list.
