On 2010-07-26 14:30, Victor Sudakov wrote:
> Daniel Shahaf wrote:
> > > > >
> > > > > I have the following line in /usr/local/lib/sasl2/svn.conf:
> > > > > mech_list: gssapi digest-md5 anonymous
> > > > >
> > > > > How can I guarantee that the subversion client/server will always use
> > > > > GSSAPI before DIGEST-MD5? Or a more generic question, how can I change
> > > > > the order of mechanisms if I have to?
> > > > >
> > > >
> > > > Looking at subversion/libsvn_ra_svn/{client.c,cyrus_auth.c}, it seems that the
> > > > following order is used:
> > > >
> > > > * EXTERNAL (i.e., ssh tunnel)
> > > > * ANONYMOUS
> > > > * ${server-reported mechanisms, in the order suggested by the server}
> > > > * CRAM-MD5 (used via internal_auth.c even if SASL doesn't support it)
> > > >
> > > > I don't see a knob that lets you manipulate the order.
> > >
> > > Then how can I manipulate "the order suggested by the server"? The
> > > server is svnserve.
> > >
> >
> > Looking in subversion/svnserve/cyrus_auth.c, the list of mechanisms is obtained
> > directly from SASL:
>
> [dd]
>
> >
> > so you'd have to look up in the SASL docs how to configure the ordering of
> > mechanisms. (I don't know offhand how to configure that.)
>
> I was unable to find this in the SASL docs. It only says that
> mech_list is a "Whitespace separated list of mechanisms to allow (e.g.
> 'plain otp'). Used to restrict the mechanisms to a subset of the
> installed plugins."
>
> While googling I found even such statements as
> http://www.techienuggets.com/CommentDetail?tx=188636
>
> --
> Victor Sudakov, VAS4-RIPE, VAS47-RIPN
> sip:[email protected]

As far as I can tell (and as amazing as this sounds), the order of the offered mechanisms from Cyrus SASL is, by default, the reverse of the order that the library finds them. This would be, in effect, the reverse physical directory order of the modules in /usr/[local]/lib/sasl2/, which you can find with ls -U. I've confirmed this by making copies and deletes of the .so files in that directory to rearrange the ordering.

The list is reversed from the order they're found in because the mechanism list is a linked list and new entries are prepended (around server.c:392).

As the link you provided mentions, Cyrus SASL believes it's the client that should select the preferred mechanism from the list offered by the server, not just the first one.

-- 
[email protected]
The views expressed are my own and do not necessarily reflect the views of Oracle.
PGP key at http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xEBD1FF14
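As an added illustration of the behaviour discussed in this thread (this is not code from the thread, from Cyrus SASL, or from Subversion), the model below reproduces the two points above: a server that prepends each loaded plugin to a linked list advertises them in the reverse of load order, and `mech_list` only restricts the set, it does not order it. The `CLIENT_PREFERENCE` ranking and the plugin load order used as input are constructed assumptions for the example; the lesson is that a client should pick by its own preference rather than take the first mechanism the server happens to list.

```python
# Added example, not Cyrus SASL or Subversion code: a small model of how a
# server that prepends plugins to a linked list ends up advertising them in
# reverse load order, and why the client should apply its own preference.
from typing import Iterable, List, Optional, Tuple

Cell = Optional[Tuple[str, "Cell"]]  # singly linked list as (mech, next) cons cells


def apply_mech_list(installed_in_load_order: Iterable[str], mech_list_value: str) -> List[str]:
    """Model of the SASL 'mech_list' option as the docs describe it: an allow
    list that restricts the installed plugins to a subset. The order written in
    mech_list is deliberately ignored; only membership matters."""
    allowed = {m.upper() for m in mech_list_value.split()}
    return [m for m in installed_in_load_order if m.upper() in allowed]


def advertised_mechs(plugins_in_load_order: Iterable[str]) -> List[str]:
    """Model of a server that keeps its mechanism list as a singly linked list
    and prepends each plugin as it is found. Walking the list from the head
    therefore yields the reverse of the load (directory) order."""
    head: Cell = None
    for mech in plugins_in_load_order:
        head = (mech.upper(), head)  # prepend: newest entry becomes the head
    out: List[str] = []
    while head is not None:
        out.append(head[0])
        head = head[1]
    return out


# Client-side ranking, strongest first. This ordering is an assumption made for
# the example; a real client should rank by the security properties it needs.
CLIENT_PREFERENCE = ["EXTERNAL", "GSSAPI", "DIGEST-MD5", "CRAM-MD5", "ANONYMOUS"]


def choose_first_offered(offered: Iterable[str]) -> Optional[str]:
    """The fragile strategy: trust whatever the server lists first. With the
    prepend behaviour above this is decided by directory order on the server."""
    offered = list(offered)
    return offered[0].upper() if offered else None


def choose_mech(offered: Iterable[str], preference: List[str] = CLIENT_PREFERENCE) -> Optional[str]:
    """The robust strategy: intersect the server's offer with the client's own
    ranked preference and take the best match, regardless of server order."""
    offered_set = {m.upper() for m in offered}
    for mech in preference:
        if mech in offered_set:
            return mech
    return None


if __name__ == "__main__":
    # Constructed plugin load order (as 'ls -U' on the plugin directory might show it).
    load_order = ["gssapi", "digest-md5", "anonymous", "plain"]
    offered = advertised_mechs(apply_mech_list(load_order, "gssapi digest-md5 anonymous"))
    print("server advertises:", offered)              # ['ANONYMOUS', 'DIGEST-MD5', 'GSSAPI']
    print("first-offered picks:", choose_first_offered(offered))  # ANONYMOUS
    print("preference picks:   ", choose_mech(offered))           # GSSAPI
```

Running it shows the failure mode the thread describes: with GSSAPI loaded first, the server advertises ANONYMOUS first, so a client that blindly takes the first entry downgrades itself, while a client with its own ranking still ends up on GSSAPI.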
