Svnserve authentication with SASL and normal user accounts

svn sasl

Is it possible to set up svnserve so that it authenticates using the system's users and passwords (e.g. using the /etc/shadow file)? I assume this would be with SASL, but I couldn't find an SASL configuration that worked this way.

I have a Subversion server running under Apache, but it's very slow. Using svnserve is quite a bit faster in some cases, so I'd like to switch to that. The svn+ssh method seems like it will be complicated for users, who would need to set up private/public keys.


Solution 1:

I haven't followed this guide, so I don't know if it's up to date and accurate, but here goes:

Authenticating with SASL

Also, you don't need to use private/public keys (unless you have a corporate policy or something) to do authentication with SVN. You can just use the built-in password prompt of the svn client and use the option to cache the password if you don't want to enter it every time.

Additionally, you may want to investigate why Apache seems slow. I've found over the years that SVN+Apache gives you the most flexibility and robustness. I can't imagine moving from svn+apache to svnserve.

Solution 2:

I investigated this option a little bit:

From the side of SASL, you can use the PLAIN mechanism to authenticate against system accounts. The best option is probably PAM and saslauthd. But "shared secret" mechanisms are not possible (unless your system account password are stored in clear).

From the side of Subversion, the SASL notes of 1.6.4 list under the "Known Issues" that they outright disable the PLAIN mechanism in both ra_svn and svnserve because it sends password in clear text. In the notes of 1.6.5 they lifted this restriction and explain that you should take care to protect your network communication. They probably made this change because they are aware that it is needed to use saslauthd:

In particular, this problem affects users using the saslauthd daemon to authenticate users, because that method (=PLAIN) only works with plain text passwords.

So in conclusion, I think you can get it working, but only for a very limited number of configuration: client and server must have Subversion 1.6.5 or higher with SASL compiled in.

Related

How would you build a cheap Virtual Server farm for home development? [closed]
How do I create a virtual IP address?
How to select the best Stripe Size when configuring a RAID Array
How can I activate ssh-agent confirmation in MacOSX Leopard?
Jetty - Virtualhosting - SSL Certificates
Two network adapters on Ubuntu Server 9.10 - Can't have both working at once?
How much memory will a Windows file-server be able to use effectively
Moving C:\Users to another partition on Windows Server 2008 Standard
Can a password change in Active Directory be reverted?
What is the cheapest non-colocation way to serve about 10 static files at a rate of 100 megabits per second to the web? [closed]
Google Apps, SPF, softfail problem (validates with validation tools, but still softfails otherwise)
How to configure traffic from a specific IP hardcoded to an IP to forward to another IP:PORT using iptables?