SVN uses SASL Encryption

Use SASL authentication to encrypt the password file

Note: SASL authentication for svnserve in Linux can solve this problem. SASL authentication is installed in Versions later than subversion1.5 by default to solve the problem that passwd for svnserve password files is plaintext, generate a sasl-authenticated Password File sasldb.

Steps:

1. modify the content of svnserve. conf in the conf/SVN library.

[General]

Anon-access = none

Auth-access = write

Authz-DB = authz

Realm = svnjiami

[SASL]

Use-sasl = true

Min-encryption = 128

Max-encryption = 256

Note: # The password-DB = passwd line is commented out without using the passwd file. The Min-encryption and max-encryption variables control the encryption strength required by the server. To completely disable encryption, set the values of these two variables to 0. To enable simple data verification (for example, to prevent tampering and ensure data integrity without encryption), set these two values to 1. If you want to allow (but not force) encryption, set the minimum value to 0 and the maximum value to any number of digits. To force encryption, set these two values to numbers greater than 1. In the previous example, we asked the client to encrypt at least 128 bits, but not more than 256 bits.

2. Create a SVN. conf file, which is usually stored in/usr/lib/sasl2 or/etc/sasl2. The content is as follows:

Pwcheck_method: auxprop

Auxprop_plugin: sasldb

Sasldb_path:/home/SVN/svnjiami/sasldb

Mech_list: DIGEST-MD5

Note: pwcheck_method indicates the check method, which is "auxprop". This pwcheck_method also corresponds to the method such as starting a proxy as the authentication service, now it means to use the method described in this document to check. Then we specify auxprop_plugin as sasldb, that is, to use a file to store the user name and password, that is,/home/SVN/svnjiami/sasldb. Other authentication information is stored in plugin, as well as SQL and ldapdb. Mech_list specifies the authentication information transmission mechanism.

3. If svnserve is already running, restart the service and make sure it reads the updated configuration parameters.

Killall svnserve // stop the svnserve Service

Svnserve-d-r/home/SVN // start the svnserve Service

4. Now everything has been set up. All you need to do is create a user and a password. You need saslpasswd2ProgramTo do this.

Saslpasswd2-C-f/home/SVN/jiami/sasldb-U [svnserve. the realm name configured in conf] [username]-P <PW // creates a user. You can modify the user password. Pw is the password file, which stores the user password.

Saslpasswd2-D-f/home/SVN/jiami/sasldb-u

 

[Realm name configured in svnserve. conf] [username]

// Delete a user

Sasldblistusers2-f/home/SVN/jiami/sasldb // query users

PS: if the following prompt "cocould not obtain the list of SASL mechanisms" appears when accessing the library, the reason is that the DIGEST-MD5 is not installed by default in Linux, at this time, you can install updates with the following command: yum install cyrus-sasl-md5, cyrus-sasl-md5 home: http://asg.web.cmu.edu/sasl/, installation package: ftp://ftp.andrew.cmu.edu/pub/cyrus/

 

Bytes --------------------------------------------------------------------------------------------

SVN checkout: SVN: cannot negotiate authentication mechanic

you may receive an error similar to the one below stating that SVN cannot negotiate the authentication mechanic during initial installation of subversion. I Have ed the below error when I was testing a new SVN repository I had set up on a centos Linux server and was attempting to checkout the repo from another centos Linux server. below I describe basic configuration and what was done to move pas this error.

Error:
SVN: cannot negotiate authentication mechanic

I figured it had something to do with the server doing the checkout since I was able to SVN checkout from another Linux server already. I wanted to make sure that the traffic was encrypted so the configuration was as follows.

SVN Server:Svnserver. conf

[General] # anon-access = readauth-access = writerealm = testrealm [SASL] use-sasl = truemin-encryption = 128max-encryption = 256
 

As you can see the svnserve. conf is very basic. It only allows authorized access and the authentication is done via SASL with a minimum of 128-bit encryption.

SVN Server:Sasl svn. conf

 
Pwcheck_method: auxpropauxprop_plugin: sasldbsasldb_path:/etc/sasldb2mech_list: DIGEST-MD5
 

The above shows that SASL is using MD5 encryption and authenticates against the sasldb2 database located in the/etc directory.

On the Linux client I was attempting to checkout the testrealm repository too I had just installed subversion so I checked to see if any SASL packages had been installed. they had not so I simply installed the cyrus-sasl-md5 package via Yum using the below syntax.

Linux client:Install cyrus-sasl-md5

Yum install cyrus-sasl-md5
 

This resolved the issue and I was now able to checkout the repository as a foundation for the development storm that was about to begin. so if you get an authentication error make sure that you have verified all of the necessary packages have been installed via yum.

Winodws client:Modify registry