Scripts SVN should support GSSAPI

[broder]

Scripts should be running svn 1.5 and have support for SASL/GSSAPI auth to svn repos.

I have no idea if this will work at all with *.scripts or vhosts. You should figure out how to make that work.

[mitchb]

Well, we've been running svn 1.6 for quite some time now, so that part's done. 8-) You can kind of get GSSAPI auth by actually doing SPNEGO through Apache, but we still haven't made it nice or easy for your average user. We did find that

curl -k --negotiate -u : URL

works for SPNEGO against servers supporting it, so maybe we could make use of that, but it still requires client-side work.

[broder]

I'm...really confused about where SPNEGO and Apache fit in here...

I want to see scripts support GSSAPI over svnserve as an authentication mechanism for ​svn:// repositories. I don't really care about svn over http.

I think the only concern here is whether or not svn's SASL code does the forward/reverse DNS resolution dance [*].

To test this, I think that all you need to do is install saslauthd and create an /etc/sasl2/svn.conf with

mech_list: gssapi

Then when you run svnserve, set KRB5_KTNAME to a keytab containing a svn/scripts-vhosts.mit.edu key.

[*] Authentication negotiation doesn't actually happen until after the client has provided a URL, so if you were willing to acquire an infinite number of keytabs, even this wouldn't be a problem

[andersk]

I’m not sure why Mitch is so focused on the Apache solution, given that we currently have neither servers nor (AFAWK) clients for it, and at least the server side is Hard.

What I’m concerned about is keeping things secure given that svnserve is running as the user. If the svnserve needs to have permission to read the keytab, that’s a problem; if saslauthd handles all that, we’re probably okay.

[adehnert]

In practice, AFAICT, most people don't care about SVN these days, so decreasing the priority (cause we totally pay attention to priority (or the Trac period...)).