SVN Authentication SASL GSSAPI on EL6

From: Prashanth Sundaram <prashanth.sundaram_at_laurioncap.com>
Date: Tue, 7 Aug 2012 17:52:09 +0000

Hello,

I have seen a lot of threads in the archives but none seem to have solved the issues or apply to my current requirement. I did extensive search before writing here.

We currently use the auth_ldap with apache for authentication and due to security compliance we have to change the auth for SVN. The requirement is pretty simple: Users cannot save password unencrypted locally on clients. Of course, the password can be set to encrypt by individual users by editing the ''servers'' file but due to size of the firm, we cannot monitor this and be sure that they are doing it.

The repo must be accessible via HTTPS for different servers and support Windows and Unix clients. I am hosting repo on a RHEL6.2 host via Apache and use SASL-GSSAPI to authenticate via Kerberos.(Server 2008 R2).
Subversion -version=1.6.11

I have been struggling to get SASL + GSSAPI to work and wanted to get some help with same.

==== /etc/httpd/conf.d/svn..conf =====
LoadModule dav_svn_module modules/mod_dav_svn.so
LoadModule authz_svn_module modules/mod_authz_svn.so
LoadModule auth_kerb_module modules/mod_auth_kerb.so

<VirtualHost 10.10.1.166:80>
Redirect / https://svn-dr.laurion.corp
</VirtualHost>

<VirtualHost 10.10.1.166:443>
ServerName svn-dr.domain.corp

    ErrorLog /var/log/httpd/error.log
    LogLevel debug
    CustomLog /var/log/httpd/access.log combined
    ServerSignature On

    SSLEngine on
    SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt
    SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
    SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
    CustomLog /var/log/httpd/ssl_request_log \
        "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

    <Location />
        DAV svn
        SVNPath /proj/svn/svn.domain.corp
        AuthName "Active Directory Login"
        AuthType Kerberos
        Krb5Keytab /etc/krb5.keytab
        KrbAuthRealm DOMAIN.CORP
        KrbMethodNegotiate On
        KrbMethodK5Passwd On
        KrbSaveCredentials off
        KrbVerifyKDC Off
        Require valid-user
        SSLRequireSSL

        #Kerberos Authentication
        #AuthType Kerberos
        #AuthName "Kerberos v5 Login"
        #Krb5AuthToLocal on
        #Krb5Keytab /etc/krb5.keytab

        # Disallow anonymous access
        require valid-user
     </Location>
</VirtualHost>

===== /etc/sasl2/svn.conf =====
mech_list: gssapi
keytab: /etc/krb5.keytab

==== /etc/krb5.keytab ====
KVNO Timestamp Principal
---- ----------------- --------------------------------------------------------
   3 08/07/12 12:29:07 HTTP/sys-dr1.site.domain.corp_at_DOMAIN.CORP (des-cbc-crc)
   3 08/07/12 12:29:07 HTTP/sys-dr1.site.domain.corp_at_DOMAIN.CORP (des-cbc-md5)
   3 08/07/12 12:29:07 HTTP/sys-dr1.site.domain.corp_at_DOMAIN.CORP (arcfour-hmac)
   3 08/07/12 12:29:07 HTTP/sys-dr1.site.domain.corp_at_DOMAIN.CORP (aes256-cts-hmac-sha1-96)
   3 08/07/12 12:29:07 HTTP/sys-dr1.site.domain.corp_at_DOMAIN.CORP (aes128-cts-hmac-sha1-96)
   5 08/07/12 12:29:07 HTTP/svn-dr.laurion.corp_at_DOMAIN.CORP (des-cbc-crc)
   5 08/07/12 12:29:07 HTTP/svn-dr.laurion.corp_at_DOMAIN.CORP (des-cbc-md5)
   5 08/07/12 12:29:08 HTTP/svn-dr.laurion.corp_at_DOMAIN.CORP (arcfour-hmac)
   5 08/07/12 12:29:08 HTTP/svn-dr.laurion.corp_at_DOMAIN.CORP (aes256-cts-hmac-sha1-96)
   5 08/07/12 12:29:08 HTTP/svn-dr.laurion.corp_at_DOMAIN.CORP (aes128-cts-hmac-sha1-96)
   7 08/07/12 12:29:08 svn/svn-dr.laurion.corp_at_DOMAIN.CORP (des-cbc-crc)
   7 08/07/12 12:29:08 svn/svn-dr.laurion.corp_at_DOMAIN.CORP (des-cbc-md5)
   7 08/07/12 12:29:08 svn/svn-dr.laurion.corp_at_DOMAIN.CORP (arcfour-hmac)
   7 08/07/12 12:29:08 svn/svn-dr.laurion.corp_at_DOMAIN.CORP (aes256-cts-hmac-sha1-96)
   7 08/07/12 12:29:08 svn/svn-dr.laurion.corp_at_DOMAIN.CORP (aes128-cts-hmac-sha1-96)
   8 08/07/12 12:29:08 svn/sys-dr1.site.domain.corp_at_DOMAIN.CORP (des-cbc-crc)
   8 08/07/12 12:29:08 svn/sys-dr1.site.domain.corp_at_DOMAIN.CORP (des-cbc-md5)
   8 08/07/12 12:29:09 svn/sys-dr1.site.domain.corp_at_DOMAIN.CORP (arcfour-hmac)
   8 08/07/12 12:29:09 svn/sys-dr1.site.domain.corp_at_DOMAIN.CORP (aes256-cts-hmac-sha1-96)
   8 08/07/12 12:29:09 svn/sys-dr1.site.domain.corp_at_DOMAIN.CORP (aes128-cts-hmac-sha1-96)

===== /proj/svn/svn.domain.corp/conf/svnserv.conf =====
[general]
anon-access = none
auth-access = write
authz-db = authz
realm = LAURION.CORP

[sasl]
use-sasl = true
min-encryption = 0
max-encryption = 56

Thanks,
Prashanth

________________________________
Confidentiality Notice from Laurion Capital Management LP:

The information in this message, including any attachment, is confidential and intended for use only by the designated recipient(s) named above. It is the property of Laurion Capital Management LP or its affiliates. If you are not the intended recipient, please return the message to the sender and delete all copies of it, including attachments, from your computer. Unauthorized use, disclosure, dissemination or copying of this message or any part hereof is strictly prohibited. This message is for information purposes only. The information expressed herein may be changed at any time without notice or obligation to update.

No warranty is made as to the completeness or accuracy of the information contained in this communication. Any views or opinions presented are those of only the author and do not necessarily represent those of Laurion Capital Management LP or its related entities. This communication is for information purposes only and should not be regarded as an offer, solicitation or recommendation to sell or purchase any security or other financial product.

Email transmission cannot be guaranteed to be secure, virus-free or error-free. Therefore, we do not represent that this message is virus-free, complete or accurate and it should not be relied upon as such. Laurion Capital Management LP and its affiliates accept no liability for any damage sustained in connection with the content or transmission of this message.

Laurion Capital Management LP and its related entities reserve the right to monitor all e-mail communications through their networks.
Received on 2012-08-07 19:55:41 CEST

This message: [ Message body ]
Next message: Blair Zajac: "Re: How to stop delete files/directory from SVN Repo Browser"
Previous message: vishwajeet singh: "Re: Suggestion required on best migration tool for VSS 6.0 to SVN 1.7.5 migration"

Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ] [ by messages with attachments ]