Clarification on SASL encryption

2011-03-13 Thread Michael-O

Hi folks,

After configuring another server with svnserve over xinetd, I still do 
not completely understand the chapter on SASL encryption in the 
Subversion manual.


It says that SASL can do encryption for me. There are two options to 
configure SASL. One is saslauthd, which handles authentication in plain 
text. This means that only Kerberos can be used securely. This option is 
not available for me anyway.

The other one is the auxprop with sasldb. This is what I did. I chose 
DIGEST-MD5 for a shared-secret mechanism. In this case the connection 
can be plain text because no password is exchanged and the 
authentication procedure is secure.

Does this mean that the svnserve.conf's min|max-encryption do a full 
/transport/ encryption?


This point is not made clear enough in the manual. At no point is it 
stated what is actually configured: authentication or transport encryption.


In terms of HTTP, the authentication happens inside the tunnel, so both 
are done. With Kerberos I can have authentication, and transport 
encryption is optional.


Thanks,

Mike
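
The two files the question above refers to, as an added example that is not part of the thread: a svnserve.conf [sasl] section that requires a SASL security layer (so the data stream after authentication is integrity-protected and encrypted, which is what min-encryption/max-encryption govern) next to the weak setting that would allow a cleartext stream, and the matching SASL configuration that selects DIGEST-MD5 against a sasldb. The realm name and the sasldb path are assumptions chosen for illustration; the key names are the ones svnserve and libsasl actually read.

```ini
# conf/svnserve.conf inside the repository (added example, not from the thread)
[general]
# Realm is assumed for illustration; it must match the realm used when
# creating sasldb entries with saslpasswd2 -u <realm>.
realm = example-realm

[sasl]
# Hand authentication (and the optional security layer) to Cyrus SASL.
use-sasl = true
# Minimum strength of the SASL security layer the server will accept:
#   0 = none (cleartext after authentication, the weak setting)
#   1 = integrity protection only (checksums, no confidentiality)
#  >1 = minimum cipher key length in bits
# Requiring 128 here refuses clients that cannot negotiate an encrypted layer.
min-encryption = 128
# Upper bound on the key length the server will negotiate.
max-encryption = 256

# Weak alternative for comparison (do not combine with the block above):
# [sasl]
# use-sasl = true
# min-encryption = 0      # authentication only; repository data crosses the wire in the clear
# max-encryption = 0

# /etc/sasl2/svn.conf (libsasl looks this up by the application name "svn")
# pwcheck_method: auxprop
# auxprop_plugin: sasldb
# sasldb_path: /etc/my_sasldb      # assumed path; create users with saslpasswd2 -c -f /etc/my_sasldb -u example-realm <user>
# mech_list: DIGEST-MD5
```

With min-encryption set to 0 the DIGEST-MD5 exchange still keeps the password off the wire, but everything after it (the protocol and the working copy contents) is sent unprotected; raising min-encryption is what turns on the transport protection the thread asks about.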


Re: Proxy authentication with Negotiate uses wrong host

2011-08-23 Thread Michael-O

Stefan Sperling wrote:
> On Mon, Aug 22, 2011 at 01:41:59PM +0200, 1983-01...@gmx.net wrote:
>> No, I did not set that value either on Windows or on FreeBSD. 
>> Using Negotiate does require setting a username. That's what the 
>> credentials cache is for.

>
> You expect svn to get the proxy username from the ~/.subversion/auth
> cache?  That expectation is not unreasonable, but it is not what the
> implementation does, as far as I understand (see
> subversion/libsvn_ra_neon/session.c).

Stefan,

any news on this?

I did some digging in the Subversion and neon code and noticed some 
interesting and odd things.


If you take a look at the aforementioned session.c at line 865 [1] 
you'll see that the code is correct: Negotiate auth is added if no 
proxy_username is set. So my assumption was correct. It should work 
out of the box.


Digging deeper into that file shows that Negotiate auth for servers (not 
proxy servers) is done only when the server is served over HTTPS [2]. 
I took a look back at ne_auth.h (define NE_AUTH_NEGOTIATE) [3] and it 
consistently says that Digest and Negotiate are insecure and require a 
secure connection, which is complete nonsense. Kerberos was designed to 
provide security in insecure networks. This is definitely wrong 
documentation.


What do you say?

Mike

[1] http://svn.apache.org/viewvc/subversion/tags/1.6.17/subversion/libsvn_ra_neon/session.c?view=markup#l865
[2] http://svn.apache.org/viewvc/subversion/tags/1.6.17/subversion/libsvn_ra_neon/session.c?view=markup#l852
[3] http://svn.webdav.org/repos/projects/neon/tags/0.29.6/src/ne_auth.h