subversion-users mailing list archives

From "Cooke, Mark" <mark.co...@siemens.com>
Subject RE: Subversion authentication via SASL GSSAPI and likewise open
Date Thu, 26 Jul 2012 08:50:08 GMT
> On Thu, Jul 26, 2012 at 9:38 AM, Cooke, Mark 
> <mark.cooke@siemens.com> wrote:
> 
> 
> 	> -----Original Message-----
> 	> From: xumuku [mailto:xumuku@gmail.com]
> 	> Sent: 25 July 2012 16:49
> 	> To: subversion_users@googlegroups.com
> 	> Cc: users@subversion.apache.org; xumuku@gmail.com
> 	> Subject: Re: Subversion authentication via SASL GSSAPI and
> 	> likewise open
> 	>
> 	> My current  /usr/lib/sasl2/svn.conf is:
> 	>
> 	> pwcheck_method: saslauthd
> 	> mech_list: GSSAPI
> 	> saslauthd_path: /var/run/saslauthd/mux
> 	> log_level: 7
> 	>
> 	> But I get the error:
> 	> Cannot negotiate authentication mechanism
> 	>
> 	> 1. Does *anyone* have Windows SVNServe authenticating to
> 	> AD/Kerberos via SASL/GSSAPI?
> 	> 
> <http://stackoverflow.com/questions/10407077/does-anyone-have-windows-svnserve-authenticating-to-ad-kerberos-via-sasl-gssap>
> 	> 2. Cannot negotiate authentication mechanism
> 	> 
> <http://subversion.tigris.org/ds/viewMessage.do?dsForumId=1065&viewType=browseAll&dsMessageId=65725#messagefocus>
> 	
> 	No (sorry), we use https via apache and mod_ldap to 
> authenticate against AD.  I am interested to know why you 
> think that is not secure enough (perhaps you have *nix 
> clients storing plain text passwords?)
> 	
> 	~ mark c
> 
> Because it works only with PLAIN auth:

Ah, ok, yes, I did say we use https.  The server is configured to redirect all http traffic
to https (using mod_ssl) and authentication then happens in that encrypted environment (or
am I being naïve here?)

> tcpdump -ni eth0 -A src host 192.168.1.2 and tcp dst port 3690
> 
> 
> 17:10:10.488834 IP 192.168.1.2.59751 > 192.168.1.1.3690: 
> Flags [P.], seq 145:184, ack 166, win 65115, length 39
> E..O.b@...."..@...@     .g.j....~...P..[....( PLAIN ( 
> 21:AHVzZXIAcGFzc3dvcmQ=
> 
> 
> http://www.opinionatedgeek.com/dotnet/tools/base64decode/ - 
> and you can see my username and password
> 
> 
> We already have Apache via mod_svn and mod_ldap but it is very slow.

What is very slow?  I know we don't have many users and are on an internal network but I have
no issue with our speeds...

~ mark c
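
The two artifacts quoted in this thread, the Cyrus SASL `svn.conf` and the `tcpdump -A` payload on port 3690, can be checked mechanically. The following is an added example, not part of the original message or of Subversion: it reports whether `mech_list` permits a cleartext mechanism and flags PLAIN/LOGIN responses in capture text without echoing the password. The function names and `CONSTRUCTED_CONF` are illustrative assumptions.

```python
import base64
import re

# Mechanisms whose response carries the password itself, merely base64-encoded.
CLEARTEXT_MECHS = {"PLAIN", "LOGIN"}
# svn:// auth tuple "( MECH ( <len>:<base64>" as it appears in tcpdump -A text.
AUTH_RE = re.compile(r"\(\s*(PLAIN|LOGIN)\s*\(\s*\d+:([A-Za-z0-9+/]+=*)")

def weak_mechs_in_conf(conf_text):
    """Cleartext mechanisms permitted by mech_list in a Cyrus SASL config."""
    for line in conf_text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() == "mech_list":
            return sorted(set(value.upper().split()) & CLEARTEXT_MECHS)
    # No mech_list: every installed mechanism plugin may be offered.
    return None

def find_cleartext_auth(capture_text):
    """Report cleartext SASL responses in capture text, password redacted."""
    findings = []
    for mech, token in AUTH_RE.findall(capture_text):
        finding = {"mechanism": mech}
        try:
            # RFC 4616 PLAIN message: authzid NUL authcid NUL passwd
            parts = base64.b64decode(token).split(b"\x00")
        except ValueError:
            parts = []
        if mech == "PLAIN" and len(parts) == 3:
            finding["user"] = parts[1].decode("utf-8", "replace")
            finding["password_length"] = len(parts[2])
        findings.append(finding)
    return findings

# The svn.conf and the payload line quoted in the message (payload rejoined
# onto one line); CONSTRUCTED_CONF is a made-up weak variant for comparison.
PAGE_CONF = """pwcheck_method: saslauthd
mech_list: GSSAPI
saslauthd_path: /var/run/saslauthd/mux
log_level: 7
"""
CONSTRUCTED_CONF = "pwcheck_method: saslauthd\nmech_list: PLAIN GSSAPI\n"
PAGE_CAPTURE = "P..[....( PLAIN ( 21:AHVzZXIAcGFzc3dvcmQ="

if __name__ == "__main__":
    print("page svn.conf:", weak_mechs_in_conf(PAGE_CONF))
    print("constructed svn.conf:", weak_mechs_in_conf(CONSTRUCTED_CONF))
    print("capture:", find_cleartext_auth(PAGE_CAPTURE))
```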
