ReasonI thought that I will not have to write this post, but i took much time. I just hope it will help other people to save some time. I stuck for few hours by preparing of this and at the end I discovered that's not possible what I exactly want - encrypt password when they are sent over network. About this at bottom of this article. Now how to get SASL working:
Configuration:Assuming that you have already SVN installed on your system.
This configuration could be applied also for Debian derivates like Ubuntu.
# apt-get install libsasl2-2 libsasl2-modules sasl2-bin
# vim /etc/default/saslauthd START=yes
Create new repository:
# cd /var/svn # svnadmin create myrepo # vim myrepo/conf/svnserve.conf # insert configuration of repository [general] anon-access = none #we don't want to allow public access auth-access = write #only authorized users realm = realmname [sasl] use-sasl = true min-encryption = 256 max-encryption = 256
Configure SASL with basic settings:
# vim /usr/lib/sasl2/svn.conf pwcheck_method: auxprop auxprop_plugin: sasldb sasldb_path: /etc/svn/sasldb mech_list: DIGEST-MD5
Create users using saslpasswd2 tool (issue command as many times as much users you need):
# saslpasswd2 -f
-c -u realmname username
Start SASL daemon and restart svnserve:
# /etc/init.d/svnserve restart
# /etc/init.d/saslauthd start
Common problems:When connecting to SVN server client respond this error message
svn: Could not obtain the list of SASL mechanisms
Most common reason of this is missing libsasl2. To resolve this problem you must have this library installed on both system - client and server too. If you are installing SVN from sources then do not forget to:
# ./configure –with-sasl
Another issue which I mentioned at the beginning - keep encrypted password when they are sent over network. This simply not possible in this configuration. This is known issue because svn:// protocol doesn't support TLS yet. More on this: https://svn.apache.org/repos/asf/subversion/trunk/notes/sasl.txt - section 7. To keep password secure you will have to add another layer between svnserve and its clients like VPN or tunnel - for example stunnel (http://www.stunnel.org/index.html). SASL covers only password storage encryption. Another option is deploy ssh tunnel which is most easiest way. Impressive choice is apache + dav + svn + ssl modules which is more complex. But in both cases (ssh or apache) users will be not controlled by svnserve. For ssh you will have to create system users, custom file permissions and for apache are many options.
Here are sources which used:http://serverfault.com/questions/226586/subversion-1-6-sasl-only-works-with-plaintext-userpassword
Post a Comment