I'm attempting to setup svnserve with SASL support on my Slackware 13.1 server and after some trial and error I'm able to get it to work with the configuration listed below:
svnserve.conf
[general]
anon-access = read
auth-access = write
realm = myrepo
[sasl]
use-sasl = true
min-encryption = 128
max-encryption = 256
/etc/sasl2/svn.conf
pwcheck_method: auxprop
auxprop_plugin: sasldb
sasldb_path: /etc/sasl2/my_sasldb
mech_list: DIGEST-MD5
sasldb users
$ sasldblistusers2 -f /etc/sasl2/my_sasldb
test@myrepo: cmusaslsecretOTP
test@myrepo: userPassword
You'll notice that the output of sasldblistusers2 shows my test user as having both an encrypted cmusaslsecretOTP password as well as a plain text userPassword passwd. i.e., if I were to run strings /etc/sasl2/my_sasldb I would see the test users' password in plaintext. These two password entries were created with the following subversion book recommended command:
saslpasswd2 -c -f /etc/sasl2/my_sasldb -u myrepo test
After reading man saslpasswd2 I see the following option:
-n Don't set the plaintext userPassword property for the user. Only mechanism-specific secrets will be set (e.g. OTP, SRP)
This is exactly what I want to do, suppress the plain text password and only use the mechanism-specific secret (OTP in my case). So I clear out /etc/sasl2/my_sasldb and rerun saslpasswd2 as:
saslpasswd2 -n -c -f /etc/sasl2/my_sasldb -u myrepo test
I then follow it up with a sasldblistusers2 and I see:
$ sasldblistusers2 -f /etc/sasl2/my_sasldb
test@myrepo: cmusaslsecretOTP
Perfect! I think, now I have only encrypted passwords.... only neither the Linux svn client nor the Windows TortoiseSVN client can connect to my repo anymore. They both present me with the user/pass challenge but that's as far as I get.
TLDR
So, what is the point of SVN supporting SASL if my sasldb must store its passwords in plaintext to work?
