Opened 13 years ago

Last modified 10 years ago

#79 new enhancement

Scripts SVN should support GSSAPI

Reported by: broder Owned by: geofft
Priority: minor Milestone:
Component: vcs Keywords:
Cc:

Description

Scripts should be running svn 1.5 and have support for SASL/GSSAPI auth to svn repos.

I have no idea if this will work at all with *.scripts or vhosts. You should figure out how to make that work.

Change History (5)

comment:1 Changed 11 years ago by mitchb

Well, we've been running svn 1.6 for quite some time now, so that part's done. 8-) You can kind of get GSSAPI auth by actually doing SPNEGO through Apache, but we still haven't made it nice or easy for your average user. We did find that

curl -k --negotiate -u : URL

works for SPNEGO against servers supporting it, so maybe we could make use of that, but it still requires client-side work.

comment:2 Changed 11 years ago by broder

I'm...really confused about where SPNEGO and Apache fit in here...

I want to see scripts support GSSAPI over svnserve as an authentication mechanism for svn:// repositories. I don't really care about svn over http.

I think the only concern here is whether or not svn's SASL code does the forward/reverse DNS resolution dance [*].

To test this, I think that all you need to do is install saslauthd and create an /etc/sasl2/svn.conf with

mech_list: gssapi

Then when you run svnserve, set KRB5_KTNAME to a keytab containing a svn/scripts-vhosts.mit.edu key.

[*] Authentication negotiation doesn't actually happen until after the client has provided a URL, so if you were willing to acquire an infinite number of keytabs, even this wouldn't be a problem.

comment:3 Changed 11 years ago by andersk

I’m not sure why Mitch is so focused on the Apache solution, given that we currently have neither servers nor (AFAWK) clients for it, and at least the server side is Hard.

What I’m concerned about is keeping things secure given that svnserve is running as the user. If the svnserve needs to have permission to read the keytab, that’s a problem; if saslauthd handles all that, we’re probably okay.
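The setup from comment:2 (an `/etc/sasl2/svn.conf` restricted to GSSAPI, then svnserve started with `KRB5_KTNAME` pointing at the keytab), with the keytab-permission concern from comment:3 turned into an explicit pre-start check. This is an added example, not code from the ticket or from scripts.mit.edu; the config directory, keytab path and repository root are assumptions.

```shell
#!/bin/sh
# Added example (not from the ticket): wires up svnserve for SASL GSSAPI as
# comment:2 describes, and refuses to start if the keytab is readable by
# anyone other than its owner (the concern raised in comment:3).
# All paths below are assumptions, overridable via environment variables.
set -eu

SASL_CONF_DIR="${SASL_CONF_DIR:-/etc/sasl2}"
KEYTAB="${KEYTAB:-/etc/krb5.keytab.svn}"   # holds the svn/scripts-vhosts.mit.edu key
REPO_ROOT="${REPO_ROOT:-/srv/svn}"

# Write the SASL application config that limits svnserve to the GSSAPI mechanism.
write_sasl_conf() {
    dir="$1"
    mkdir -p "$dir"
    printf 'mech_list: gssapi\n' > "$dir/svn.conf"
    chmod 644 "$dir/svn.conf"
}

# Return 0 only if the keytab exists and is readable by its owner alone;
# a group- or world-readable keytab lets any local user act as the service.
check_keytab() {
    kt="$1"
    [ -f "$kt" ] || { echo "keytab $kt missing" >&2; return 1; }
    mode=$(stat -c '%a' "$kt" 2>/dev/null || stat -f '%Lp' "$kt")
    case "$mode" in
        600|400) return 0 ;;
        *) echo "keytab $kt has mode $mode; expected 600 or 400" >&2; return 1 ;;
    esac
}

# Start svnserve in daemon mode; the keytab is passed only via KRB5_KTNAME,
# so nothing else in the environment needs to know where it lives.
start_svnserve() {
    check_keytab "$KEYTAB" || return 1
    KRB5_KTNAME="FILE:$KEYTAB" exec svnserve -d -r "$REPO_ROOT"
}

# Only touch the system when invoked directly with "run", so the functions
# can be sourced and exercised against temporary files.
if [ "${1:-}" = "run" ]; then
    write_sasl_conf "$SASL_CONF_DIR"
    start_svnserve
fi
```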

comment:4 Changed 10 years ago by adehnert

  • Priority changed from major to minor

In practice, AFAICT, most people don't care about SVN these days, so decreasing the priority (cause we totally pay attention to priority (or the Trac period...)).

comment:5 Changed 10 years ago by ezyang

  • Type changed from defect to enhancement