subversion-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Victor Sudakov <suda...@sibptus.tomsk.ru>
Subject Re: sasl mechanisms order
Date Mon, 26 Jul 2010 05:53:44 GMT
Daniel Shahaf wrote:
> > 
> > I have the following line in /usr/local/lib/sasl2/svn.conf:
> > mech_list: gssapi digest-md5 anonymous
> > 
> > How can I guarantee that the subversion client/server will always use
> > GSSAPI before DIGEST-MD5? Or a more generic question, how can I change
> > the order of mechanisms if I have to?
> > 
> 
> Looking at subversion/libsvn_ra_svn/{client.c,cyrus_auth.c}, it seems that the
> following order is used:
> 
> * EXTERNAL (i.e., ssh tunnel)
> * ANONYMOUS
> * ${server-reported mechanisms, in the order suggested by the server}
> * CRAM-MD5 (used via internal_auth.c even if SASL doesn't support it)
> 
> I don't see a knob that lets you manipulate the order.

Then how can I manipulate "the order suggested by the server"? The
server is svnserve.

> 
> > I have experimented with the order of mechanisms in the mech_list
> > definition, but the result is always the same ( ANONYMOUS GSSAPI
> > DIGEST-MD5 ). It's fine so far, but how can I change the order if
> > needed?
> > 
> 
> Is your problem that GSSAPI is before/after DIGEST-MD5, or that it is
> before/after ANONYMOUS?  These are quite different situations...

Right now GSSAPI comes before DIGEST-MD5 and this is fine with me. I
just don't want this order to change suddenly with a new version of
subversion or cyrus-sasl or something, because it will break SSO.

-- 
Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
sip:sudakov@sibptus.tomsk.ru

Mime
View raw message