
24 March 2013

SVN server with SASL on Debian

Reason

I thought that I would not have to write this post, but it took me a lot of time, so I hope it helps other people save some. I was stuck for a few hours preparing this, and in the end I discovered that what I exactly wanted, encrypting the password when it is sent over the network, is not possible. More about that at the bottom of this article. Now, how to get SASL working:

Configuration:

This assumes that you already have SVN installed on your system.
The same configuration can also be applied to Debian derivatives like Ubuntu.

 # apt-get install libsasl2-2 libsasl2-modules sasl2-bin 

Enable SASL:
 # vim /etc/default/saslauthd
 START=yes

Create new repository:
 # cd /var/svn
 # svnadmin create myrepo
 # vim myrepo/conf/svnserve.conf
        # insert configuration of repository
        # (keep comments on their own lines: svnserve does not treat a '#' after a value as a comment)
        [general]
        # we don't want to allow public access
        anon-access = none
        # only authorized users
        auth-access = write
        realm = realmname
        [sasl]
        use-sasl = true
        min-encryption = 256
        max-encryption = 256

Configure SASL with basic settings:
 # vim /usr/lib/sasl2/svn.conf
        pwcheck_method: auxprop
        auxprop_plugin: sasldb
        sasldb_path: /etc/svn/sasldb
        mech_list: DIGEST-MD5

Create users with the saslpasswd2 tool (run the command once per user you need):
 # saslpasswd2 -f /etc/svn/sasldb -c -u realmname username


Start the SASL daemon and restart svnserve:
 # /etc/init.d/saslauthd start
 # /etc/init.d/svnserve restart
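Before opening the port it is worth checking that the two files written above actually say what you think they say. The script below is an added example, not part of the original post: it parses an svnserve.conf and a Cyrus SASL svn.conf with awk and reports settings that would weaken the setup (anonymous access, SASL disabled, min-encryption of 0 or 1, PLAIN/LOGIN in mech_list). It also keeps a trailing "#..." as part of a value rather than stripping it, which is the safe assumption for svnserve's parser. It assumes POSIX sh and awk; the file names and the sample configs it writes are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post): audit svnserve.conf and the SASL
# svn.conf before exposing svnserve. Assumes POSIX sh + awk; paths are passed in.

# ini_get FILE SECTION KEY -> prints the value, exits 1 when the key is absent.
# A '#' after a value is NOT stripped: the caller sees "none #text" and flags it.
ini_get() {
  awk -v want="[$2]" -v key="$3" '
    /^[ \t]*[#;]/ { next }                               # full-line comment
    /^[ \t]*\[/   { s = $0; gsub(/[ \t]/, "", s); next }  # [section] header
    s == want && index($0, "=") {
      k = $0; sub(/=.*/, "", k); gsub(/[ \t]/, "", k)
      if (k != key) next
      v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]+$/, "", v)
      print v; found = 1; exit
    }
    END { exit found ? 0 : 1 }' "$1"
}

# sasl_get FILE KEY -> value of a Cyrus SASL "key: value" line, exit 1 if absent.
sasl_get() {
  awk -v key="$2" -F: '
    /^[ \t]*#/ { next }
    { k = $1; gsub(/[ \t]/, "", k) }
    k == key { v = substr($0, index($0, ":") + 1)
               gsub(/^[ \t]+|[ \t]+$/, "", v); print v; found = 1; exit }
    END { exit found ? 0 : 1 }' "$1"
}

# check_svnserve_conf FILE -> exit 0 when all checks pass; each finding is printed.
check_svnserve_conf() {
  f=$1; rc=0
  v=$(ini_get "$f" general anon-access 2>/dev/null) || v="(missing)"
  [ "$v" = none ] || { echo "$f: anon-access = '$v' (expected: none)"; rc=1; }
  v=$(ini_get "$f" sasl use-sasl 2>/dev/null) || v="(missing)"
  [ "$v" = true ] || { echo "$f: use-sasl = '$v' (expected: true)"; rc=1; }
  v=$(ini_get "$f" sasl min-encryption 2>/dev/null) || v=0
  case $v in
    ""|*[!0-9]*) echo "$f: min-encryption = '$v' is not a number"; rc=1 ;;
    *) [ "$v" -ge 2 ] || { echo "$f: min-encryption = $v (0 = no encryption, 1 = integrity only; the post uses 256)"; rc=1; } ;;
  esac
  return $rc
}

# check_sasl_conf FILE -> exit 0 when the SASL side offers no cleartext mechanism.
check_sasl_conf() {
  f=$1; rc=0
  v=$(sasl_get "$f" mech_list 2>/dev/null) || { echo "$f: mech_list missing"; v=""; rc=1; }
  for m in $v; do
    case $m in
      PLAIN|LOGIN) echo "$f: mech_list offers $m, which sends the password itself"; rc=1 ;;
    esac
  done
  sasl_get "$f" sasldb_path >/dev/null 2>&1 || { echo "$f: sasldb_path missing"; rc=1; }
  return $rc
}

# write_samples DIR: constructed sample files (good config, the inline-comment
# mistake with min-encryption = 0, and the SASL file from the post).
write_samples() {
  cat >"$1/good-svnserve.conf" <<'EOF'
[general]
anon-access = none
auth-access = write
realm = realmname
[sasl]
use-sasl = true
min-encryption = 256
max-encryption = 256
EOF
  cat >"$1/bad-svnserve.conf" <<'EOF'
[general]
anon-access = none #we don't want to allow public access
auth-access = write
realm = realmname
[sasl]
use-sasl = true
min-encryption = 0
EOF
  cat >"$1/svn.conf" <<'EOF'
pwcheck_method: auxprop
auxprop_plugin: sasldb
sasldb_path: /etc/svn/sasldb
mech_list: DIGEST-MD5
EOF
}

# Usage: sh audit-svn-sasl.sh /var/svn/myrepo/conf/svnserve.conf /usr/lib/sasl2/svn.conf
if [ $# -eq 2 ]; then
  status=0
  check_svnserve_conf "$1" || status=1
  check_sasl_conf "$2" || status=1
  [ $status -eq 0 ] && echo "OK: both files pass"
  exit $status
fi
```

Run it with the two real paths as arguments; with no arguments it only defines the functions, so it can be sourced from another script. The bad sample shows why the comments were moved to their own lines: anon-access comes back as the literal string "none #we don't want to allow public access", which is not "none".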


Common problems:

When connecting to the SVN server, the client responds with this error message:

  svn: Could not obtain the list of SASL mechanisms  

The most common reason for this is a missing libsasl2. To resolve the problem you must have this library installed on both systems, client and server. If you are installing SVN from sources, do not forget to:

 # ./configure --with-sasl

Another issue, which I mentioned at the beginning, is keeping the password encrypted when it is sent over the network. This is simply not possible in this configuration. It is a known issue because the svn:// protocol does not support TLS yet. More on this in section 7 of https://svn.apache.org/repos/asf/subversion/trunk/notes/sasl.txt. To keep the password secure you will have to add another layer between svnserve and its clients, such as a VPN or a tunnel, for example stunnel (http://www.stunnel.org/index.html). SASL covers only password storage encryption. Another option is to deploy an ssh tunnel, which is the easiest way. An impressive choice is apache + dav + svn + ssl modules, which is more complex. But in both cases (ssh or apache) users will not be controlled by svnserve: for ssh you will have to create system users and custom file permissions, and for apache there are many options.

Here are the sources I used:

http://serverfault.com/questions/226586/subversion-1-6-sasl-only-works-with-plaintext-userpassword
http://www.dm9.se/?p=518
https://svn.apache.org/repos/asf/subversion/trunk/notes/sasl.txt