Subversion 1.6 + SASL : Only works with plaintext 'userPassword'?
I'm attempting to setup svnserve
with SASL support on my Slackware 13.1 server and after some trial and error I'm able to get it to work with the configuration listed below:
svnserve.conf
[general]
anon-access = read
auth-access = write
realm = myrepo
[sasl]
use-sasl = true
min-encryption = 128
max-encryption = 256
/etc/sasl2/svn.conf
pwcheck_method: auxprop
auxprop_plugin: sasldb
sasldb_path: /etc/sasl2/my_sasldb
mech_list: DIGEST-MD5
sasldb users
$ sasldblistusers2 -f /etc/sasl2/my_sasldb
test@myrepo: cmusaslsecretOTP
test@myrepo: userPassword
You'll notice that the output of sasldblistusers2
shows my test user as having both an encrypted cmusaslsecretOTP password as well as a plain text userPassword passwd. i.e., if I were to run strings /etc/sasl2/my_sasldb
I would see the test users' password in plaintext. These two password entries were created with the following subversion book recommended command:
saslpasswd2 -c -f /etc/sasl2/my_sasldb -u myrepo test
After reading man saslpasswd2
I see the following option:
-n Don't set the plaintext userPassword property for the user. Only mechanism-specific secrets will be set (e.g. OTP, SRP)
This is exactly what I want to do, suppress the plain text password and only use the mechanism-specific secret (OTP in my case). So I clear out /etc/sasl2/my_sasldb
and rerun saslpasswd2
as:
saslpasswd2 -n -c -f /etc/sasl2/my_sasldb -u myrepo test
I then follow it up with a sasldblistusers2
and I see:
$ sasldblistusers2 -f /etc/sasl2/my_sasldb
test@myrepo: cmusaslsecretOTP
Perfect! I think, now I have only encrypted passwords.... only neither the Linux svn
client nor the Windows TortoiseSVN
client can connect to my repo anymore. They both present me with the user/pass challenge but that's as far as I get.
TLDR
So, what is the point of SVN supporting SASL if my sasldb must store its passwords in plaintext to work?
Solution 1:
This is hardly an answer but I'd like to point out that there are some sources that say explicitely that DIGEST-MD5 does not (and will never) support hashed passwords because it needs the plaintext password to do the challenge/response, like:
- http://cyrusimap.org/docs/cyrus-sasl/2.1.25/sysadmin.php
- http://www.openldap.org/doc/admin24/sasl.html#DIGEST-MD5
Other sources say otherwise:
- OpenLDAP, SASL and non-cleartext password storage
- SASL + postfixadmin - SMTP authentication with hashed password