Svnserve authentication with SASL and normal user accounts
Is it possible to set up svnserve so that it authenticates using the system's users and passwords (e.g. using the /etc/shadow file)? I assume this would be with SASL, but I couldn't find an SASL configuration that worked this way.
I have a Subversion server running under Apache, but it's very slow. Using svnserve is quite a bit faster in some cases, so I'd like to switch to that. The svn+ssh method seems like it will be complicated for users, who would need to set up private/public keys.
Solution 1:
I haven't followed this guide, so I don't know if it's up to date and accurate, but here goes:
Authenticating with SASL
Also, you don't need to use private/public keys (unless you have a corporate policy or something) to do authentication with SVN. You can just use the built-in password prompt of the svn client and use the option to cache the password if you don't want to enter it every time.
Additionally, you may want to investigate why Apache seems slow. I've found over the years that SVN+Apache gives you the most flexibility and robustness. I can't imagine moving from svn+apache to svnserve.
Solution 2:
I investigated this option a little bit:
From the side of SASL, you can use the PLAIN mechanism to authenticate against system accounts. The best option is probably PAM and saslauthd
. But "shared secret" mechanisms are not possible (unless your system account password are stored in clear).
From the side of Subversion, the SASL notes of 1.6.4 list under the "Known Issues" that they outright disable the PLAIN mechanism in both ra_svn and svnserve because it sends password in clear text. In the notes of 1.6.5 they lifted this restriction and explain that you should take care to protect your network communication. They probably made this change because they are aware that it is needed to use saslauthd
:
In particular, this problem affects users using the saslauthd daemon to authenticate users, because that method (=PLAIN) only works with plain text passwords.
So in conclusion, I think you can get it working, but only for a very limited number of configuration: client and server must have Subversion 1.6.5 or higher with SASL compiled in.