SVN使用SASL加密

使用sasl認證加密密碼檔案

說明：Linux下使用svnserve的SASL認證能解決這個問題，subversion1.5以上的版本預設裝了sasl認證，解決svnserve密碼檔案passwd是明文的問題，產生一個sasl認證的密碼檔案sasldb。

步驟：

1、修改Svn庫下conf/的svnserve.conf內容

[general]

anon-access = none

auth-access = write

authz-db = authz

realm = svnjiami

[sasl]

use-sasl = true

min-encryption = 128

max-encryption = 256

注釋：# password-db = passwd這行保持注釋掉的狀態，不使用passwd檔案。變數 min-encryption 和 max-encryption 控制伺服器所需要的加密強度。要完全禁用加密，就將這 2 個變數的值都設為 0。要啟用簡單的資料校正(例如，為了防止篡改和保證資料的完整，不加密)，就將這 2 個值都設為 1。如果你想允許(但不強制)加密，將最小值設為 0，最大值設為任意位元。要強制加密，將這 2 個值設為大於 1 的數字。在前面的例子中，我們要求用戶端至少進行 128 位加密，但是不大於 256 位加密。

2、建立一個svn.conf檔案，一般放在/usr/Lib/sasl2或者/etc/sasl2，內容如下：

pwcheck_method: auxprop

auxprop_plugin: sasldb

sasldb_path: /home/svn/svnjiami/sasldb

mech_list: DIGEST-MD5

注釋：pwcheck_method指明檢查的方法，這裡是“auxprop ”，這個pwcheck_method還對應了如啟動一個代理作為認證服務等方式，而現在的意思就是使用本檔案說的方式去檢查。然後我們指明auxprop_plugin為sasldb，也就是使用一個檔案存放使用者名稱密碼，也就是/home/svn/svnjiami/sasldb,其它的認證資訊存放plugin還有sql和ldapdb。而mech_list指明了認證資訊傳遞機制。

3、如果 svnserve 已經在運行，你需要重啟服務，並確保它讀取了更新後的配置參數。

killall svnserve //停止svnserve服務

svnserve –d –r /home/svn //啟動svnserve服務

4、現在所有的東西已經設定完成，你要做的事情就是建立使用者和密碼。你需要 saslpasswd2 程式來做這件事。

saslpasswd2 –c –f /home/svn/jiami/sasldb –u [svnserve.conf裡面配置的realm名字] [username] -p <pw //建立使用者，可修改使用者使用者口令，pw是密碼檔案，裡邊儲存了使用者密碼

saslpasswd2 -d -f /home/svn/jiami/sasldb -u

 

[svnserve.conf裡面配置的realm名字] [username]

//刪除使用者

sasldblistusers2 –f /home/svn/jiami/sasldb //查詢使用者

PS：如果訪問庫的時候出現以下提示 "Could not obtain the list of SASL mechanisms"，原因是Linux預設沒有安裝DIGEST-MD5，此時，可用以下命令安裝更新：yum install cyrus-sasl-md5 , cyrus-sasl-md5首頁: http://asg.web.cmu.edu/sasl/, 安裝包:ftp://ftp.andrew.cmu.edu/pub/cyrus/

 

-------------------------------------------------------------------------------------------- 

SVN Checkout: svn: Cannot negotiate authentication mechanism

You may receive an error similar to the one below stating that SVN cannot negotiate the authentication mechanism during initial installation of Subversion. I received the below error when I was testing a new SVN repository I had set up on a CentOS Linux server and was attempting to checkout the repo from another CentOS Linux server. Below I describe basic configuration and what was done to move pas this error.

Error:
svn: Cannot negotiate authentication mechanism

I figured it had something to do with the server doing the checkout since I was able to svn checkout from another Linux server already. I wanted to make sure that the traffic was encrypted so the configuration was as follows.

SVN Server: svnserver.conf

[general]#anon-access = readauth-access = writerealm = testrealm[sasl]use-sasl = truemin-encryption = 128max-encryption = 256

As you can see the svnserve.conf is very basic. It only allows authorized access and the authentication is done via SASL with a minimum of 128-Bit encryption.

SVN Server: SASL svn.conf

pwcheck_method: auxpropauxprop_plugin: sasldbsasldb_path: /etc/sasldb2mech_list: DIGEST-MD5

The above shows that SASL is using MD5 encryption and authenticates against the sasldb2 database located in the /etc directory.

On the Linux client I was attempting to checkout the testrealm repository too I had just installed subversion so I checked to see if any SASL packages had been installed. They had not so I simply installed the cyrus-sasl-md5 package via yum using the below syntax.

Linux Client: Install cyrus-sasl-md5

yum install cyrus-sasl-md5

This resolved the issue and I was now able to checkout the repository as a foundation for the development storm that was about to begin. So if you get an authentication error make sure that you have verified all of the necessary packages have been installed via yum.

Winodws Client: 修改註冊表