
We currently use auth_ldap with Apache for authentication, and due to security compliance we have to change the auth for SVN.

The requirement is pretty simple. Users cannot save passwords unencrypted locally on clients. Of course, the password can be set to encrypt by individual users by editing `servers`, but due to the size of the firm, we cannot monitor this and be sure that they are doing it.

What are the available authentication mechanisms?

1) SASL + GSSAPI: I have been struggling to implement this for a while. Looks like it no longer works. See here

2) [RULED OUT] SSH Keys: There is quite some overhead in adding and removing keys. But this is doable. Ruled out as we have some services that access over https.

3) Passwords: There must be some way to be sure that passwords are stored encrypted in the user home dir.

PS: Not interested in deploying the repo on Windows server.

I'd appreciate it if someone can add some insight into possible authentication mechanisms per my requirement.

SYSTEMS: SVN 1.6.11 on Apache & RHEL6.2, Windows Server 2008 R2 Active Directory.

  • Did you try that actually? Did you read [this](https://svn.apache.org/viewvc/subversion/trunk/notes/sasl.txt?view=markup#l205)? Did you inspect the traffic with Wireshark? – Michael-O Aug 08 '12 at 18:20
  • Yes, I did try all that; it gave me the error message "Operations Error 500". I posted the above to get an opinion on what my options are, and whether someone was able to get it working with GSSAPI. If so, then I will dive into specifics like the error message. – Prashanth Sundaram Aug 09 '12 at 16:21
  • Did you inspect the traffic with Wireshark? I have not tried that constellation recently but I am highly interested in GSS-API based auth for Subversion. – Michael-O Aug 09 '12 at 19:42
  • Seems like a [PITA](http://svn.haxx.se/users/archive-2008-09/0180.shtml). Even though it may work on Unix/Linux, SASL has no support for SSPI, which makes it unusable. I would not resort to MIT Kerberos on Windows. The only option is Apache with `mod_auth_kerb`. – Michael-O Aug 09 '12 at 19:58
  • The mod_auth_kerb still requires the password to be saved locally instead of using Kerberos ticket validity. I used Wireshark but went nowhere. I will post the detailed write-up as an edit. – Prashanth Sundaram Aug 09 '12 at 20:11
  • What password??? Server and client exchange tickets only. – Michael-O Aug 09 '12 at 20:12
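
The question's concern that nobody can verify whether clients cache passwords unencrypted can be checked by auditing each user's Subversion credential cache. The script below is an added example, not part of the original post or comments; it assumes the cache lives in an `auth/svn.simple` directory under the user's Subversion config directory and that entries use the `K <len> / V <len> ... END` layout with a `passtype` field. The function names and sample entries are constructed for illustration.

```python
import os
import tempfile

# passtype values backed by an OS secret store; "simple" means plaintext on disk.
PROTECTED = {"wincrypt", "keychain", "gnome-keyring", "kwallet"}

def parse_svn_hash(data):
    """Parse the 'K <len>\\n<key>\\nV <len>\\n<value>\\n ... END' cache format."""
    fields, pos = {}, 0
    def item(tag):
        nonlocal pos
        eol = data.index(b"\n", pos)              # ValueError if truncated
        head = data[pos:eol].split()
        if len(head) != 2 or head[0] != tag:
            raise ValueError("malformed record at byte %d" % pos)
        start, length = eol + 1, int(head[1])
        pos = start + length + 1                  # skip value and its newline
        return data[start:start + length].decode("utf-8", "replace")
    while not data.startswith(b"END", pos):
        key = item(b"K")
        fields[key] = item(b"V")
    return fields

def audit_auth_dir(auth_dir):
    """List (file, username, passtype) for cached passwords not in a secret store."""
    findings = []
    simple = os.path.join(auth_dir, "svn.simple")
    for name in sorted(os.listdir(simple)) if os.path.isdir(simple) else []:
        try:
            with open(os.path.join(simple, name), "rb") as fh:
                entry = parse_svn_hash(fh.read())
        except (OSError, ValueError):
            findings.append((name, None, "unparseable"))
            continue
        # Assumption: an entry with no passtype is treated as plaintext.
        passtype = entry.get("passtype", "simple")
        if "password" in entry and passtype not in PROTECTED:
            findings.append((name, entry.get("username"), passtype))
    return findings

def write_sample(auth_dir, name, fields):
    """Write one constructed cache entry (test data, not a real credential)."""
    os.makedirs(os.path.join(auth_dir, "svn.simple"), exist_ok=True)
    body = b"".join(b"K %d\n%s\nV %d\n%s\n" % (len(k), k, len(v), v)
                    for k, v in ((a.encode(), b.encode()) for a, b in fields.items()))
    with open(os.path.join(auth_dir, "svn.simple", name), "wb") as fh:
        fh.write(body + b"END\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        write_sample(d, "aaaa", {"passtype": "simple", "password": "constructed", "username": "alice"})
        write_sample(d, "bbbb", {"passtype": "wincrypt", "password": "BLOB", "username": "bob"})
        print(audit_auth_dir(d))
```

The audit reports only the file name, user name and storage type, so the cached password itself never leaves the client.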

0 Answers