SVN uses SASL Encryption

Source: Internet
Author: User

Use SASL authentication to encrypt the password file

Note: SASL authentication for svnserve on Linux solves this problem. SASL support is installed by default in versions later than Subversion 1.5. It addresses the fact that the svnserve passwd password file is plaintext by generating a SASL-authenticated password file, sasldb.

Steps:

1. Modify the content of svnserve.conf in the repository's conf directory.

[general]

anon-access = none

auth-access = write

authz-db = authz

realm = svnjiami

[sasl]

use-sasl = true

min-encryption = 128

max-encryption = 256

Note: The password-db = passwd line is commented out with # so that the passwd file is not used. The min-encryption and max-encryption variables control the encryption strength required by the server. To completely disable encryption, set both values to 0. To enable simple data verification (for example, to prevent tampering and ensure data integrity without encryption), set both values to 1. If you want to allow (but not force) encryption, set the minimum value to 0 and the maximum value to some bit length. To force encryption, set both values to numbers greater than 1. In the previous example, we require clients to use at least 128-bit, but no more than 256-bit, encryption.

2. Create an svn.conf file, which is usually stored in /usr/lib/sasl2 or /etc/sasl2. The content is as follows:

pwcheck_method: auxprop

auxprop_plugin: sasldb

sasldb_path: /home/SVN/svnjiami/sasldb

mech_list: DIGEST-MD5

Note: pwcheck_method sets how passwords are checked; here it is "auxprop". pwcheck_method can also name other methods, such as starting a proxy as the authentication service; here it means checking in the way described in this document. We then set auxprop_plugin to sasldb, that is, a file is used to store the user names and passwords, namely /home/SVN/svnjiami/sasldb. Other plugins that can store authentication information include sql and ldapdb. mech_list specifies the mechanism used to transmit the authentication information.

3. If svnserve is already running, restart the service and make sure it reads the updated configuration parameters.

killall svnserve   # stop the svnserve service

svnserve -d -r /home/SVN   # start the svnserve service

4. Now everything has been set up. All you need to do is create a user and a password. You need the saslpasswd2 program to do this. The -f path must be the same file as sasldb_path in svn.conf.

saslpasswd2 -c -p -f /home/SVN/svnjiami/sasldb -u [realm name configured in svnserve.conf] [username] < pw   # create a user; the same command changes a user's password. pw is the password file, which stores the user password.

saslpasswd2 -d -f /home/SVN/svnjiami/sasldb -u [realm name configured in svnserve.conf] [username]   # delete a user

sasldblistusers2 -f /home/SVN/svnjiami/sasldb   # list users

PS: If the prompt "Could not obtain the list of SASL mechanisms" appears when accessing the repository, the reason is that DIGEST-MD5 is not installed by default on Linux. In that case, install it with the following command: yum install cyrus-sasl-md5. cyrus-sasl-md5 home page: http://asg.web.cmu.edu/sasl/, installation package: ftp://ftp.andrew.cmu.edu/pub/cyrus/
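The min-encryption/max-encryption rules from the note in step 1 can be checked mechanically before svnserve is restarted. The following is an added example, not code from the original article or from Subversion: the function names audit_svnserve and encryption_policy are hypothetical, the WEAK sample is constructed, and the fallback values assume the svnserve defaults (anon-access = read, use-sasl = false, min-encryption = 0, max-encryption = 256).

```python
import configparser
# Constructed samples: HARDENED mirrors step 1 above; WEAK is a made-up
# counter-example that still relies on the plaintext passwd file.
HARDENED = """[general]
anon-access = none
auth-access = write
authz-db = authz
realm = svnjiami
[sasl]
use-sasl = true
min-encryption = 128
max-encryption = 256
"""
WEAK = """[general]
auth-access = write
password-db = passwd
[sasl]
min-encryption = 0
max-encryption = 256
"""

def encryption_policy(lo, hi):
    """Classify a min/max-encryption pair using the rules in the step 1 note."""
    if lo > hi:
        return "invalid"
    if hi == 0:
        return "disabled"
    # lo == 0: client may skip protection; lo == 1: only integrity is guaranteed
    return {0: "optional", 1: "integrity"}.get(lo, "required")

def audit_svnserve(text):
    """Return findings for an svnserve.conf body; an empty list means it passes."""
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.read_string(text)
    conf = {s.lower(): dict(cp[s]) for s in cp.sections()}
    general, sasl = conf.get("general", {}), conf.get("sasl", {})
    findings = []
    # Assumed svnserve defaults: anon-access = read, use-sasl = false, min 0, max 256.
    if general.get("anon-access", "read") != "none":
        findings.append("anonymous access is allowed")
    if sasl.get("use-sasl", "false").lower() != "true":
        findings.append("SASL is off: svnserve uses the plaintext password-db file")
    elif "password-db" in general:
        findings.append("password-db is still set although SASL is on")
    lo, hi = int(sasl.get("min-encryption", 0)), int(sasl.get("max-encryption", 256))
    policy = encryption_policy(lo, hi)
    if policy != "required":
        findings.append("encryption is " + policy)
    return findings
```

Calling audit_svnserve on the contents of the repository's conf/svnserve.conf returns an empty list only when anonymous access is off, SASL is on and encryption is forced.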

 


SVN checkout: svn: Cannot negotiate authentication mechanism

You may receive an error similar to the one below stating that SVN cannot negotiate the authentication mechanism during initial installation of Subversion. I received the below error when I was testing a new SVN repository I had set up on a CentOS Linux server and was attempting to check out the repo from another CentOS Linux server. Below I describe the basic configuration and what was done to move past this error.

Error:
svn: Cannot negotiate authentication mechanism

I figured it had something to do with the server doing the checkout since I was able to SVN checkout from another Linux server already. I wanted to make sure that the traffic was encrypted so the configuration was as follows.

SVN Server: svnserve.conf

[general]

# anon-access = read

auth-access = write

realm = testrealm

[sasl]

use-sasl = true

min-encryption = 128

max-encryption = 256

As you can see, the svnserve.conf is very basic. It only allows authorized access and the authentication is done via SASL with a minimum of 128-bit encryption.

SVN Server: SASL svn.conf

pwcheck_method: auxprop

auxprop_plugin: sasldb

sasldb_path: /etc/sasldb2

mech_list: DIGEST-MD5

The above shows that SASL is using MD5 encryption and authenticates against the sasldb2 database located in the /etc directory.

On the Linux client I was attempting to check out the testrealm repository to, I had just installed Subversion, so I checked to see if any SASL packages had been installed. They had not, so I simply installed the cyrus-sasl-md5 package via yum using the below syntax.

Linux client: Install cyrus-sasl-md5

yum install cyrus-sasl-md5

This resolved the issue and I was now able to check out the repository as a foundation for the development storm that was about to begin. So if you get an authentication error, make sure that you have verified all of the necessary packages have been installed via yum.

Windows client: Modify registry

 

 

 

 
