Hello,
I have seen a lot of threads in the archives but none seem to have solved the
issues or apply to my current requirement. I did extensive search before
writing here.
We currently use the auth_ldap with apache for authentication and due to
security compliance we have to change the auth for SVN. The requirement is
pretty simple: Users cannot save password unencrypted locally on clients. Of
course, the password can be set to encrypt by individual users by editing the
''servers'' file but due to size of the firm, we cannot monitor this and be
sure that they are doing it.
The repo must be accessible via HTTPS for different servers and support Windows
and Unix clients. I am hosting repo on a RHEL6.2 host via Apache and use
SASL-GSSAPI to authenticate via Kerberos.(Server 2008 R2).
Subversion -version=1.6.11
I have been struggling to get SASL + GSSAPI to work and wanted to get some help
with same.
==== /etc/httpd/conf.d/svn..conf =====
LoadModule dav_svn_module modules/mod_dav_svn.so
LoadModule authz_svn_module modules/mod_authz_svn.so
LoadModule auth_kerb_module modules/mod_auth_kerb.so
<VirtualHost 10.10.1.166:80>
Redirect / https://svn-dr.laurion.corp
</VirtualHost>
<VirtualHost 10.10.1.166:443>
ServerName svn-dr.domain.corp
ErrorLog /var/log/httpd/error.log
LogLevel debug
CustomLog /var/log/httpd/access.log combined
ServerSignature On
SSLEngine on
SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
CustomLog /var/log/httpd/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
<Location />
DAV svn
SVNPath /proj/svn/svn.domain.corp
AuthName "Active Directory Login"
AuthType Kerberos
Krb5Keytab /etc/krb5.keytab
KrbAuthRealm DOMAIN.CORP
KrbMethodNegotiate On
KrbMethodK5Passwd On
KrbSaveCredentials off
KrbVerifyKDC Off
Require valid-user
SSLRequireSSL
#Kerberos Authentication
#AuthType Kerberos
#AuthName "Kerberos v5 Login"
#Krb5AuthToLocal on
#Krb5Keytab /etc/krb5.keytab
# Disallow anonymous access
require valid-user
</Location>
</VirtualHost>
===== /etc/sasl2/svn.conf =====
mech_list: gssapi
keytab: /etc/krb5.keytab
==== /etc/krb5.keytab ====
KVNO Timestamp Principal
---- ----------------- --------------------------------------------------------
3 08/07/12 12:29:07 HTTP/[email protected] (des-cbc-crc)
3 08/07/12 12:29:07 HTTP/[email protected] (des-cbc-md5)
3 08/07/12 12:29:07 HTTP/[email protected] (arcfour-hmac)
3 08/07/12 12:29:07 HTTP/[email protected]
(aes256-cts-hmac-sha1-96)
3 08/07/12 12:29:07 HTTP/[email protected]
(aes128-cts-hmac-sha1-96)
5 08/07/12 12:29:07 HTTP/[email protected] (des-cbc-crc)
5 08/07/12 12:29:07 HTTP/[email protected] (des-cbc-md5)
5 08/07/12 12:29:08 HTTP/[email protected] (arcfour-hmac)
5 08/07/12 12:29:08 HTTP/[email protected]
(aes256-cts-hmac-sha1-96)
5 08/07/12 12:29:08 HTTP/[email protected]
(aes128-cts-hmac-sha1-96)
7 08/07/12 12:29:08 svn/[email protected] (des-cbc-crc)
7 08/07/12 12:29:08 svn/[email protected] (des-cbc-md5)
7 08/07/12 12:29:08 svn/[email protected] (arcfour-hmac)
7 08/07/12 12:29:08 svn/[email protected]
(aes256-cts-hmac-sha1-96)
7 08/07/12 12:29:08 svn/[email protected]
(aes128-cts-hmac-sha1-96)
8 08/07/12 12:29:08 svn/[email protected] (des-cbc-crc)
8 08/07/12 12:29:08 svn/[email protected] (des-cbc-md5)
8 08/07/12 12:29:09 svn/[email protected] (arcfour-hmac)
8 08/07/12 12:29:09 svn/[email protected]
(aes256-cts-hmac-sha1-96)
8 08/07/12 12:29:09 svn/[email protected]
(aes128-cts-hmac-sha1-96)
===== /proj/svn/svn.domain.corp/conf/svnserv.conf =====
[general]
anon-access = none
auth-access = write
authz-db = authz
realm = LAURION.CORP
[sasl]
use-sasl = true
min-encryption = 0
max-encryption = 56
Thanks,
Prashanth
________________________________
Confidentiality Notice from Laurion Capital Management LP:
The information in this message, including any attachment, is confidential and
intended for use only by the designated recipient(s) named above. It is the
property of Laurion Capital Management LP or its affiliates. If you are not the
intended recipient, please return the message to the sender and delete all
copies of it, including attachments, from your computer. Unauthorized use,
disclosure, dissemination or copying of this message or any part hereof is
strictly prohibited. This message is for information purposes only. The
information expressed herein may be changed at any time without notice or
obligation to update.
No warranty is made as to the completeness or accuracy of the information
contained in this communication. Any views or opinions presented are those of
only the author and do not necessarily represent those of Laurion Capital
Management LP or its related entities. This communication is for information
purposes only and should not be regarded as an offer, solicitation or
recommendation to sell or purchase any security or other financial product.
Email transmission cannot be guaranteed to be secure, virus-free or error-free.
Therefore, we do not represent that this message is virus-free, complete or
accurate and it should not be relied upon as such. Laurion Capital Management
LP and its affiliates accept no liability for any damage sustained in
connection with the content or transmission of this message.
Laurion Capital Management LP and its related entities reserve the right to
monitor all e-mail communications through their networks.
