svn with encrypted passwords using sasl

no time to write a long post. this is one way to get rid of the plaintext passwords, using sasl, when running an svn server on ubuntu or pretty much any debian-based distro. this assumes that you have svnserve up and running. /svn/root stands for your svn root folder, not necessarily that exact path. the indented parts are meant to be entered into the files being edited (here i use vim, you can change it to <your-editor-of-choice>).

sudo apt-get install libsasl2-2 libsasl2-modules sasl2-bin
sudo vim /etc/default/saslauthd
        # change the row that says START=no to START=yes

cd /svn/root
sudo svnadmin create newrepo
sudo vim newrepo/conf/svnserve.conf
        # insert the following
        [general]
        anon-access = none
        auth-access = write
        # realmname may not contain special chars (this includes spaces, dashes and pretty much anything except a through z)
        realm = realmname
        [sasl]
        use-sasl = true
        min-encryption = 256
        max-encryption = 256
        # EOF

sudo vim /usr/lib/sasl2/svn.conf
        # this is the basic setup.. a lot more settings can be used
        pwcheck_method: auxprop
        auxprop_plugin: sasldb
        # i used /etc/svn_sasldb here
        sasldb_path: /path/db_name
        mech_list: DIGEST-MD5
        # EOF

sudo ln -s /usr/lib/sasl2/svn.conf /usr/lib/sasl2/subversion.conf
# add as many users as you need
sudo saslpasswd2 -f /path/db_name -c -u realmname username
sudo /etc/init.d/svnserve restart

# and ya done!!

 

// sluggo
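A check of the files written in the steps above, as an added example that is not part of the original post. It reads the two config files and flags settings that undo the setup, including a world-readable sasldb file (a commenter below points out that this file holds recoverable passwords). The function names and the demo files are constructed for illustration.

```shell
#!/bin/sh
# conf_get FILE SECTION KEY -> value from an ini-style svnserve.conf
# (assumes one "key = value" per line, no continuation lines)
conf_get() {
  awk -v s="[$2]" -v k="$3" '
    /^[ \t]*#/  { next }
    /^[ \t]*\[/ { gsub(/[ \t]/, ""); sec = $0; next }
    sec == s {
      n = index($0, "="); if (!n) next
      key = substr($0, 1, n - 1); val = substr($0, n + 1)
      gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
      if (key == k) v = val
    }
    END { print v }' "$1"
}

# sasl_get FILE KEY -> value from a Cyrus SASL "key: value" file
sasl_get() {
  sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" "$1" | tail -n 1
}

# audit_svn_sasl SVNSERVE_CONF SASL_CONF -> prints findings, returns their count
audit_svn_sasl() {
  findings=0
  flag() { echo "FINDING: $*"; findings=$((findings + 1)); }
  [ "$(conf_get "$1" general anon-access)" = "none" ] || flag "anon-access is not 'none'"
  [ "$(conf_get "$1" sasl use-sasl)" = "true" ] || flag "use-sasl is not 'true'"
  case " $(sasl_get "$2" mech_list) " in
    "  ") flag "mech_list is not set" ;;
    *" PLAIN "*|*" LOGIN "*) flag "mech_list offers PLAIN/LOGIN" ;;
  esac
  db=$(sasl_get "$2" sasldb_path)
  if [ -z "$db" ] || [ ! -f "$db" ]; then
    flag "sasldb_path unset or file not found: ${db:-<unset>}"
  elif [ "$(ls -ld "$db" | cut -c8-10)" != "---" ]; then
    # "other" permission bits must be empty on the password database
    flag "$db is accessible to users other than owner/group"
  fi
  return "$findings"
}

# Demo on constructed files (not a real server's config):
demo=$(mktemp -d)
printf '[general]\nanon-access = none\n[sasl]\nuse-sasl = true\n' > "$demo/svnserve.conf"
: > "$demo/sasldb"; chmod 644 "$demo/sasldb"   # deliberately world-readable
printf 'sasldb_path: %s\nmech_list: DIGEST-MD5\n' "$demo/sasldb" > "$demo/svn.conf"
audit_svn_sasl "$demo/svnserve.conf" "$demo/svn.conf" || echo "$? finding(s)"
rm -rf "$demo"
```

On a real server, pass the repository's conf/svnserve.conf and the sasl svn.conf as the two arguments and run it as a user that can read both.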

  1. anonim Says:

    /usr/lib/sasl2/svn.conf
    are you sure?

    ----------

  2. sluggo Says:

    that’s what i used.. wasn’t sure about the svn.conf-part, hence the symlink.
    Of course this might be /usr/local/lib… depending on what distro you are using.

    ----------

  3. Braun Says:

    How did you get this working? I tried and I ended up with the message: svn: Could not obtain the list of SASL mechanisms when trying to connect to the server from the client. After some research I found this shouldn’t be possible: http://serverfault.com/questions/226586/subversion-1-6-sasl-only-works-with-plaintext-userpassword

    ----------

  4. sluggo Says:

    Well that means it’s working on your server, but your client needs to support sasl as well.. which doesn’t seem to be too common in pre-v1.7 binary packages. The support was introduced in version 1.5 though (https://svn.apache.org/repos/asf/subversion/trunk/notes/sasl.txt), and it’s really easy to build by yourself – no fancy config options are needed. All you have to do is make sure you have libsasl2 installed then download svn source, unpack, ./configure --with-sasl, make sure it finds the sasl lib and then make ; sudo make install.
    Hope it works out for you!

    update: i read the link you supplied more carefully and what is described in the answer there is that svn does not support sending encrypted passwords (as does section 7 “Known Issues” in the document i linked), meaning that the passwords are sent over the network in plain text. This post does not deal with that, but with the storing of plain text passwords. If you want your passwords to be encrypted over the network simply googling “svn ssl” without the quotes will get you a long way!

    // sluggo

    ----------

  5. Braun Says:

    Thank you very much! This is very useful.

    ----------

  6. NewAnonymous Says:

    The passwords won’t be encrypted even if you follow the steps described in this article. They will simply be stored in a “Berkeley DB” format file (/path/db_name).
    The content of this file (and the plain text password) can still be easily viewed locally using the proper DB tools.

    The steps described here will set up svnserve to use SASL based authentication, but the DIGEST-MD5 mechanism will store the passwords locally in plain text.

    More info:

    http://serverfault.com/questions/226586/subversion-1-6-sasl-only-works-with-plaintext-userpassword

    http://en.wikipedia.org/wiki/Digest_access_authentication

    ----------
