Hello,
I have seen a lot of threads in the archives, but none seem to have solved the issues or to apply
to my current requirement. I did an extensive search before writing here.
We currently use auth_ldap with Apache for authentication, and due to security compliance
we have to change the auth for SVN. The requirement is pretty simple: users cannot save passwords
unencrypted locally on clients. Of course, the password can be set to be encrypted by individual
users by editing the 'servers' file, but due to the size of the firm we cannot monitor this
and be sure that they are doing it.
The repo must be accessible via HTTPS for different servers and support Windows and Unix clients.
I am hosting the repo on a RHEL 6.2 host via Apache and use SASL-GSSAPI to authenticate via Kerberos (Server 2008 R2).
Subversion version: 1.6.11
I have been struggling to get SASL + GSSAPI to work and wanted to get some help with the same.
===== /etc/httpd/conf.d/svn.conf =====
LoadModule dav_svn_module modules/mod_dav_svn.so
LoadModule authz_svn_module modules/mod_authz_svn.so
LoadModule auth_kerb_module modules/mod_auth_kerb.so

<VirtualHost 10.10.1.166:80>
    Redirect / https://svn-dr.laurion.corp
</VirtualHost>

<VirtualHost 10.10.1.166:443>
    ServerName svn-dr.domain.corp
    ErrorLog /var/log/httpd/error.log
    LogLevel debug
    CustomLog /var/log/httpd/access.log combined
    ServerSignature On

    SSLEngine on
    SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt
    SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
    SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
    CustomLog /var/log/httpd/ssl_request_log \
        "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

    <Location />
        DAV svn
        SVNPath /proj/svn/svn.domain.corp

        AuthName "Active Directory Login"
        AuthType Kerberos
        Krb5Keytab /etc/krb5.keytab
        KrbAuthRealm DOMAIN.CORP
        # Negotiate (SPNEGO/GSSAPI) serves clients that already hold a ticket;
        # the K5Passwd fallback takes the AD password over HTTP Basic and gets
        # a TGT with it, so it must only ever run over TLS (SSLRequireSSL below).
        KrbMethodNegotiate On
        KrbMethodK5Passwd On
        KrbSaveCredentials off
        # Off skips checking the obtained ticket against the local keytab,
        # which leaves the password fallback open to KDC spoofing.
        KrbVerifyKDC Off
        Require valid-user
        SSLRequireSSL

        #Kerberos Authentication
        #AuthType Kerberos
        #AuthName "Kerberos v5 Login"
        #Krb5AuthToLocal on
        #Krb5Keytab /etc/krb5.keytab
        # Disallow anonymous access
        require valid-user
    </Location>
</VirtualHost>
===== /etc/sasl2/svn.conf =====
# Cyrus SASL is consulted by svnserve (svn:// access) only; Apache/mod_dav_svn
# authenticates through mod_auth_kerb and never reads this file.
mech_list: gssapi
keytab: /etc/krb5.keytab
===== /etc/krb5.keytab =====
KVNO Timestamp Principal
---- ----------------- --------------------------------------------------------
3 08/07/12 12:29:07 HTTP/sys-dr1.site.domain.corp@DOMAIN.CORP (des-cbc-crc)
3 08/07/12 12:29:07 HTTP/sys-dr1.site.domain.corp@DOMAIN.CORP (des-cbc-md5)
3 08/07/12 12:29:07 HTTP/sys-dr1.site.domain.corp@DOMAIN.CORP (arcfour-hmac)
3 08/07/12 12:29:07 HTTP/sys-dr1.site.domain.corp@DOMAIN.CORP (aes256-cts-hmac-sha1-96)
3 08/07/12 12:29:07 HTTP/sys-dr1.site.domain.corp@DOMAIN.CORP (aes128-cts-hmac-sha1-96)
5 08/07/12 12:29:07 HTTP/svn-dr.laurion.corp@DOMAIN.CORP (des-cbc-crc)
5 08/07/12 12:29:07 HTTP/svn-dr.laurion.corp@DOMAIN.CORP (des-cbc-md5)
5 08/07/12 12:29:08 HTTP/svn-dr.laurion.corp@DOMAIN.CORP (arcfour-hmac)
5 08/07/12 12:29:08 HTTP/svn-dr.laurion.corp@DOMAIN.CORP (aes256-cts-hmac-sha1-96)
5 08/07/12 12:29:08 HTTP/svn-dr.laurion.corp@DOMAIN.CORP (aes128-cts-hmac-sha1-96)
7 08/07/12 12:29:08 svn/svn-dr.laurion.corp@DOMAIN.CORP (des-cbc-crc)
7 08/07/12 12:29:08 svn/svn-dr.laurion.corp@DOMAIN.CORP (des-cbc-md5)
7 08/07/12 12:29:08 svn/svn-dr.laurion.corp@DOMAIN.CORP (arcfour-hmac)
7 08/07/12 12:29:08 svn/svn-dr.laurion.corp@DOMAIN.CORP (aes256-cts-hmac-sha1-96)
7 08/07/12 12:29:08 svn/svn-dr.laurion.corp@DOMAIN.CORP (aes128-cts-hmac-sha1-96)
8 08/07/12 12:29:08 svn/sys-dr1.site.domain.corp@DOMAIN.CORP (des-cbc-crc)
8 08/07/12 12:29:08 svn/sys-dr1.site.domain.corp@DOMAIN.CORP (des-cbc-md5)
8 08/07/12 12:29:09 svn/sys-dr1.site.domain.corp@DOMAIN.CORP (arcfour-hmac)
8 08/07/12 12:29:09 svn/sys-dr1.site.domain.corp@DOMAIN.CORP (aes256-cts-hmac-sha1-96)
8 08/07/12 12:29:09 svn/sys-dr1.site.domain.corp@DOMAIN.CORP (aes128-cts-hmac-sha1-96)
===== /proj/svn/svn.domain.corp/conf/svnserve.conf =====
[general]
anon-access = none
auth-access = write
authz-db = authz
realm = LAURION.CORP
[sasl]
use-sasl = true
min-encryption = 0
max-encryption = 56
Thanks,
Prashanth
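The setup described in the post can be sanity-checked offline before touching the KDC. Below is an added example (my own code, not from the post and not part of Subversion or mod_auth_kerb) that reads the vhost directives, a `klist -ke` style keytab listing and a client `servers` file, all embedded here as constructed, abridged copies of what the post shows, and reports the things that most often break or weaken a Kerberos-only SVN front end: no `HTTP/<ServerName>` key in the keytab, DES keys, a password fallback running with `KrbVerifyKDC Off`, a missing `SSLRequireSSL`, and a client that will still cache plaintext passwords. Assumptions: mod_auth_kerb's default `KrbServiceName`, under which it looks for `HTTP/<ServerName>` in the keytab, its defaults of `On` for `KrbMethodK5Passwd` and `KrbVerifyKDC`, and the function names, which are mine. The hostname mismatch it flags on the post's values (`ServerName svn-dr.domain.corp` against `HTTP/svn-dr.laurion.corp`) may only be redaction in the post, but it is exactly the mismatch that makes Negotiate fail in practice.

```python
"""Lint an Apache mod_auth_kerb vhost, a keytab listing and a Subversion
client 'servers' file for things that break or weaken Kerberos-only SVN.
Added example; inputs are constructed from the post's own configuration."""
import re

# Constructed, abridged copy of the vhost from the post.
APACHE_CONF = """
<VirtualHost 10.10.1.166:443>
ServerName svn-dr.domain.corp
AuthType Kerberos
KrbAuthRealm DOMAIN.CORP
KrbMethodNegotiate On
KrbMethodK5Passwd On
KrbVerifyKDC Off
SSLRequireSSL
</VirtualHost>
"""

# Constructed, abridged copy of the post's 'klist -ke' style listing.
KEYTAB_LISTING = """
KVNO Timestamp         Principal
   5 08/07/12 12:29:07 HTTP/svn-dr.laurion.corp@DOMAIN.CORP (des-cbc-crc)
   5 08/07/12 12:29:08 HTTP/svn-dr.laurion.corp@DOMAIN.CORP (arcfour-hmac)
   5 08/07/12 12:29:08 HTTP/svn-dr.laurion.corp@DOMAIN.CORP (aes256-cts-hmac-sha1-96)
   3 08/07/12 12:29:07 HTTP/sys-dr1.site.domain.corp@DOMAIN.CORP (aes256-cts-hmac-sha1-96)
"""

# Hardened client ~/.subversion/servers (constructed; option names are Subversion's).
CLIENT_SERVERS = """
[global]
store-passwords = no
store-plaintext-passwords = no
"""

DIRECTIVE_RE = re.compile(r"^\s*(\w+)(?:\s+(.+?))?\s*$")
KEYTAB_RE = re.compile(r"^\s*\d+\s+\S+\s+\S+\s+(\S+?)\s+\((\S+)\)\s*$")
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md5"}


def parse_directives(conf):
    """Flatten directives to {name_lower: value}; tags and comments skipped, last one wins."""
    out = {}
    for line in conf.splitlines():
        if line.strip() and not line.lstrip().startswith(("#", "<")):
            m = DIRECTIVE_RE.match(line)
            if m:
                out[m.group(1).lower()] = m.group(2) or ""
    return out


def parse_keytab(listing):
    """{principal: set(enctypes)} from 'klist -ke' style output (header lines ignored)."""
    keys = {}
    for line in listing.splitlines():
        m = KEYTAB_RE.match(line)
        if m:
            keys.setdefault(m.group(1), set()).add(m.group(2))
    return keys


def client_forbids_plaintext(servers_text):
    """True when [global] in a servers file sets store-plaintext-passwords = no."""
    in_global, value = False, "ask"          # 'ask' is Subversion's default
    for raw in servers_text.splitlines():
        s = raw.strip()
        if s.startswith("["):
            in_global = s == "[global]"
        elif in_global and s.startswith("store-plaintext-passwords"):
            value = s.split("=", 1)[1].strip().lower()
    return value == "no"


def lint(apache_conf, keytab_listing, client_servers):
    """Return the list of findings (empty when nothing is flagged)."""
    findings = []
    d = parse_directives(apache_conf)
    keys = parse_keytab(keytab_listing)

    # 1. Negotiate: the client asks the KDC for HTTP/<host it connected to> and the
    #    module looks up HTTP/<ServerName> in its keytab, so that key must exist.
    spn = "HTTP/%s@%s" % (d.get("servername", ""), d.get("krbauthrealm", ""))
    if spn not in keys:
        findings.append("keytab lacks %s; has %s" % (spn, ", ".join(sorted(keys))))

    # 2. Single-DES keys are deprecated; drop them from the keytab and disable DES
    #    on the AD account so the KDC can never select them.
    for princ, encs in sorted(keys.items()):
        weak = sorted(encs & WEAK_ENCTYPES)
        if weak:
            findings.append("%s has weak enctypes: %s" % (princ, ", ".join(weak)))

    # 3. The password fallback trusts whatever answers as KDC unless the module
    #    verifies a service ticket against the keytab (KrbVerifyKDC On, the default).
    if (d.get("krbmethodk5passwd", "on").lower() == "on"
            and d.get("krbverifykdc", "on").lower() == "off"):
        findings.append("KrbMethodK5Passwd On with KrbVerifyKDC Off: KDC spoofing on password path")

    # 4. That fallback carries the AD password as HTTP Basic, so TLS must be mandatory.
    if "sslrequiressl" not in d:
        findings.append("SSLRequireSSL missing: Basic-auth fallback could run over plain HTTP")

    # 5. Client side: a Kerberos ticket leaves nothing to cache, but the password
    #    fallback will, unless the servers file forbids plaintext storage.
    if not client_forbids_plaintext(client_servers):
        findings.append("servers file does not set store-plaintext-passwords = no")
    return findings
```

On real hosts feed it the vhost file, the output of `klist -ke /etc/krb5.keytab`, and the client's `~/.subversion/servers` (on Windows `%APPDATA%\Subversion\servers`); against the post's values it reports the missing `HTTP/svn-dr.domain.corp@DOMAIN.CORP` key, the DES enctypes, and the `KrbVerifyKDC Off` fallback, and nothing for the TLS and client-side checks.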