1

I have svnserve configured to run from inetd and svnserve.conf set to use sasl for authentication. This is so I could allow access to some repositories by users who do not have system-wide accounts using svn://.

However, for users who do have a system account (such as myself), I prefer to use svn+ssh:// for the public key authentication. It was my understanding that when run as svnserve -t, svnserve would not ask for authentication and would use the SSH-authenticated current user. I feel like this used to work. Today when I went to update a working copy I had using the svn+ssh:// repository path it started asking me for a password.

I was able to confirm that it is not SSH asking me for the password, the public key authentication is succeeding, it is svnserve/sasl asking me for a password. If I turn off sasl, it seems to work as expected, but I prefer sasl over the plaintext password file. I'm not sure if this never worked or it was broken by a recent upgrade that I didn't notice. This is with subversion 1.9.4 on Debian stretch.

Ryan Babchishin
  • 6,260
  • 2
  • 17
  • 37
sparkyb
  • 121
  • 3
  • It sounds like you should be asked for a password. But I have no idea. Where did you get this idea that it should work that way? – Ryan Babchishin Aug 30 '16 at 02:27
  • from the svnserve man page: "-t, --tunnel Causes svnserve to run in tunnel mode, which is just like the inetd mode of operation (serve one connection over stdin/stdout) except that the connection is considered to be pre-authenticated with the username of the current uid." Also, the [SVN book](http://svnbook.red-bean.com/en/1.7/svn.serverconfig.svnserve.html#svn.serverconfig.svnserve.sshauth) "When using svn+ssh:// URLs to access a repository, remember that it's the ssh program prompting for authentication, and not the svn client program." – sparkyb Aug 30 '16 at 03:15

1 Answers1

1

After reading the svnserve source, I found the answer. Even with -t, it still delegates to sasl to authenticate, it's just that external authentication via the SSH user is now an option. But to make that work, I had to add EXTERNAL as an allowed mechanism to the mech_list in my /usr/lib/sasl2/svn.conf file.

sparkyb
  • 121
  • 3