subversion-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Prashanth Sundaram <prashanth.sunda...@laurioncap.com>
Subject SVN Authentication SASL GSSAPI on EL6
Date Tue, 07 Aug 2012 17:52:09 GMT
Hello,

I have seen a lot of threads in the archives but none seem to have solved the issues or apply
to my current requirement. I did extensive search before writing here.

We currently use the auth_ldap with apache for authentication and due to security compliance
we have to change the auth for SVN. The requirement is pretty simple:  Users cannot save password
unencrypted locally on clients. Of course, the password can be set to encrypt by individual
users by editing the ''servers'' file but due to size of the firm, we cannot monitor this
and be sure that they are doing it.


The repo must be accessible via HTTPS for different servers and support Windows and Unix clients.
I am hosting repo on a RHEL6.2 host via Apache and use SASL-GSSAPI to authenticate via Kerberos.(Server
2008 R2).
Subversion -version=1.6.11

I have been struggling to get SASL + GSSAPI to work and wanted to get some help with same.


==== /etc/httpd/conf.d/svn..conf =====
LoadModule dav_svn_module     modules/mod_dav_svn.so
LoadModule authz_svn_module   modules/mod_authz_svn.so
LoadModule auth_kerb_module   modules/mod_auth_kerb.so

<VirtualHost 10.10.1.166:80>
    Redirect / https://svn-dr.laurion.corp
</VirtualHost>

<VirtualHost 10.10.1.166:443>
    ServerName svn-dr.domain.corp

    ErrorLog /var/log/httpd/error.log
    LogLevel debug
    CustomLog /var/log/httpd/access.log combined
    ServerSignature On

    SSLEngine on
    SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt
    SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
    SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
    CustomLog /var/log/httpd/ssl_request_log \
        "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

    <Location />
        DAV svn
        SVNPath /proj/svn/svn.domain.corp
        AuthName "Active Directory Login"
        AuthType Kerberos
        Krb5Keytab /etc/krb5.keytab
        KrbAuthRealm DOMAIN.CORP
        KrbMethodNegotiate On
        KrbMethodK5Passwd On
        KrbSaveCredentials off
        KrbVerifyKDC Off
        Require valid-user
        SSLRequireSSL

        #Kerberos Authentication
        #AuthType Kerberos
        #AuthName "Kerberos v5 Login"
        #Krb5AuthToLocal on
        #Krb5Keytab /etc/krb5.keytab

        # Disallow anonymous access
        require valid-user
     </Location>
</VirtualHost>

===== /etc/sasl2/svn.conf =====
mech_list: gssapi
keytab: /etc/krb5.keytab

==== /etc/krb5.keytab ====
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   3 08/07/12 12:29:07 HTTP/sys-dr1.site.domain.corp@DOMAIN.CORP (des-cbc-crc)
   3 08/07/12 12:29:07 HTTP/sys-dr1.site.domain.corp@DOMAIN.CORP (des-cbc-md5)
   3 08/07/12 12:29:07 HTTP/sys-dr1.site.domain.corp@DOMAIN.CORP (arcfour-hmac)
   3 08/07/12 12:29:07 HTTP/sys-dr1.site.domain.corp@DOMAIN.CORP (aes256-cts-hmac-sha1-96)
   3 08/07/12 12:29:07 HTTP/sys-dr1.site.domain.corp@DOMAIN.CORP (aes128-cts-hmac-sha1-96)
   5 08/07/12 12:29:07 HTTP/svn-dr.laurion.corp@DOMAIN.CORP (des-cbc-crc)
   5 08/07/12 12:29:07 HTTP/svn-dr.laurion.corp@DOMAIN.CORP (des-cbc-md5)
   5 08/07/12 12:29:08 HTTP/svn-dr.laurion.corp@DOMAIN.CORP (arcfour-hmac)
   5 08/07/12 12:29:08 HTTP/svn-dr.laurion.corp@DOMAIN.CORP (aes256-cts-hmac-sha1-96)
   5 08/07/12 12:29:08 HTTP/svn-dr.laurion.corp@DOMAIN.CORP (aes128-cts-hmac-sha1-96)
   7 08/07/12 12:29:08 svn/svn-dr.laurion.corp@DOMAIN.CORP (des-cbc-crc)
   7 08/07/12 12:29:08 svn/svn-dr.laurion.corp@DOMAIN.CORP (des-cbc-md5)
   7 08/07/12 12:29:08 svn/svn-dr.laurion.corp@DOMAIN.CORP (arcfour-hmac)
   7 08/07/12 12:29:08 svn/svn-dr.laurion.corp@DOMAIN.CORP (aes256-cts-hmac-sha1-96)
   7 08/07/12 12:29:08 svn/svn-dr.laurion.corp@DOMAIN.CORP (aes128-cts-hmac-sha1-96)
   8 08/07/12 12:29:08 svn/sys-dr1.site.domain.corp@DOMAIN.CORP (des-cbc-crc)
   8 08/07/12 12:29:08 svn/sys-dr1.site.domain.corp@DOMAIN.CORP (des-cbc-md5)
   8 08/07/12 12:29:09 svn/sys-dr1.site.domain.corp@DOMAIN.CORP (arcfour-hmac)
   8 08/07/12 12:29:09 svn/sys-dr1.site.domain.corp@DOMAIN.CORP (aes256-cts-hmac-sha1-96)
   8 08/07/12 12:29:09 svn/sys-dr1.site.domain.corp@DOMAIN.CORP (aes128-cts-hmac-sha1-96)

===== /proj/svn/svn.domain.corp/conf/svnserv.conf =====
[general]
anon-access = none
auth-access = write
authz-db = authz
realm = LAURION.CORP

[sasl]
use-sasl = true
min-encryption = 0
max-encryption = 56


Thanks,
Prashanth


________________________________
Confidentiality Notice from Laurion Capital Management LP:

The information in this message, including any attachment, is confidential and intended for
use only by the designated recipient(s) named above. It is the property of Laurion Capital
Management LP or its affiliates. If you are not the intended recipient, please return the
message to the sender and delete all copies of it, including attachments, from your computer.
Unauthorized use, disclosure, dissemination or copying of this message or any part hereof
is strictly prohibited. This message is for information purposes only. The information expressed
herein may be changed at any time without notice or obligation to update.

No warranty is made as to the completeness or accuracy of the information contained in this
communication. Any views or opinions presented are those of only the author and do not necessarily
represent those of Laurion Capital Management LP or its related entities. This communication
is for information purposes only and should not be regarded as an offer, solicitation or recommendation
to sell or purchase any security or other financial product.

Email transmission cannot be guaranteed to be secure, virus-free or error-free. Therefore,
we do not represent that this message is virus-free, complete or accurate and it should not
be relied upon as such. Laurion Capital Management LP and its affiliates accept no liability
for any damage sustained in connection with the content or transmission of this message.

Laurion Capital Management LP and its related entities reserve the right to monitor all e-mail
communications through their networks.

Mime
View raw message