From users-return-27045-archive-asf-public=cust-asf.ponee.io@subversion.apache.org Fri Apr 13 19:55:37 2018 Return-Path: X-Original-To: archive-asf-public@cust-asf.ponee.io Delivered-To: archive-asf-public@cust-asf.ponee.io Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by mx-eu-01.ponee.io (Postfix) with SMTP id 0C2CA180627 for ; Fri, 13 Apr 2018 19:55:35 +0200 (CEST) Received: (qmail 21555 invoked by uid 500); 13 Apr 2018 17:55:34 -0000 Mailing-List: contact users-help@subversion.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Delivered-To: mailing list users@subversion.apache.org Received: (qmail 21538 invoked by uid 99); 13 Apr 2018 17:55:34 -0000 Received: from pnap-us-west-generic-nat.apache.org (HELO spamd4-us-west.apache.org) (209.188.14.142) by apache.org (qpsmtpd/0.29) with ESMTP; Fri, 13 Apr 2018 17:55:34 +0000 Received: from localhost (localhost [127.0.0.1]) by spamd4-us-west.apache.org (ASF Mail Server at spamd4-us-west.apache.org) with ESMTP id AA9E3C00A6 for ; Fri, 13 Apr 2018 17:55:33 +0000 (UTC) X-Virus-Scanned: Debian amavisd-new at spamd4-us-west.apache.org X-Spam-Flag: NO X-Spam-Score: 1.549 X-Spam-Level: * X-Spam-Status: No, score=1.549 tagged_above=-999 required=6.31 tests=[HTML_MESSAGE=2, KAM_LOTSOFHASH=0.25, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=disabled Received: from mx1-lw-eu.apache.org ([10.40.0.8]) by localhost (spamd4-us-west.apache.org [10.40.0.11]) (amavisd-new, port 10024) with ESMTP id 3C0mJB152nag for ; Fri, 13 Apr 2018 17:55:30 +0000 (UTC) Received: from mx0a-00191d01.pphosted.com (mx0b-00191d01.pphosted.com [67.231.157.136]) by mx1-lw-eu.apache.org (ASF Mail Server at mx1-lw-eu.apache.org) with ESMTPS id D9D0D5F254 for ; Fri, 13 Apr 2018 17:55:29 +0000 (UTC) Received: from pps.filterd (m0049463.ppops.net [127.0.0.1]) by m0049463.ppops.net-00191d01. (8.16.0.21/8.16.0.21) with SMTP id w3DHjUrh038707 for ; Fri, 13 Apr 2018 13:55:22 -0400 Received: from alpi155.enaf.aldc.att.com (sbcsmtp7.sbc.com [144.160.229.24]) by m0049463.ppops.net-00191d01. with ESMTP id 2hayuta1kk-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT) for ; Fri, 13 Apr 2018 13:55:22 -0400 Received: from enaf.aldc.att.com (localhost [127.0.0.1]) by alpi155.enaf.aldc.att.com (8.14.5/8.14.5) with ESMTP id w3DHtLps007634 for ; Fri, 13 Apr 2018 13:55:22 -0400 Received: from zlp27129.vci.att.com (zlp27129.vci.att.com [135.66.87.42]) by alpi155.enaf.aldc.att.com (8.14.5/8.14.5) with ESMTP id w3DHtHZ5007530 for ; Fri, 13 Apr 2018 13:55:18 -0400 Received: from zlp27129.vci.att.com (zlp27129.vci.att.com [127.0.0.1]) by zlp27129.vci.att.com (Service) with ESMTP id E28254000413 for ; Fri, 13 Apr 2018 17:55:17 +0000 (GMT) Received: from MISOUT7MSGHUBAB.ITServices.sbc.com (unknown [130.9.129.146]) by zlp27129.vci.att.com (Service) with ESMTPS id C4F4F4000412 for ; Fri, 13 Apr 2018 17:55:17 +0000 (GMT) Received: from MISOUT7MSGUSRCC.ITServices.sbc.com ([169.254.3.216]) by MISOUT7MSGHUBAB.ITServices.sbc.com ([130.9.129.146]) with mapi id 14.03.0361.001; Fri, 13 Apr 2018 13:55:17 -0400 From: "NOCERA, ANDY" To: "users@subversion.apache.org" Subject: SVN E170001: Authentication error with specific user/realm/pw combinations while many other work! Thread-Topic: SVN E170001: Authentication error with specific user/realm/pw combinations while many other work! Thread-Index: AdPTT6U+CsZbIzIhRUmjJYZfEn56IQ== Date: Fri, 13 Apr 2018 17:55:16 +0000 Message-ID: <99BCC400E8B6334C91FACA6B284C927D41C66B14@MISOUT7MSGUSRCC.ITServices.sbc.com> Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-originating-ip: [135.16.251.243] Content-Type: multipart/alternative; boundary="_000_99BCC400E8B6334C91FACA6B284C927D41C66B14MISOUT7MSGUSRCC_" MIME-Version: 1.0 X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:,, definitions=2018-04-13_09:,, signatures=0 X-Proofpoint-Spam-Details: rule=outbound_policy_notspam policy=outbound_policy score=0 priorityscore=1501 malwarescore=0 suspectscore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=1011 lowpriorityscore=0 mlxscore=0 impostorscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1711220000 definitions=main-1804130163 --_000_99BCC400E8B6334C91FACA6B284C927D41C66B14MISOUT7MSGUSRCC_ Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable Summary: SVN E170001: Authentication error with specific user/realm/pw comb= inations while many other work! Observations/Workarounds While there is a work around, by simply changing the password, we have an u= nusual reoccurring issue with some user/realm/password combinations. It's = a problem setting the same password to many repos. The issue shows up under both CRAM-MD5 and DIGEST-MD5, but not for the same= user/realm/password. From and SVN perspective: How do I get svn/svnserve to log the hashed response so I can compare it ou= tside of SASL and MYSQL. I suspect our method to generate the hashed CRAM-MD5 and DIGEST-MD5 that we= store in mysql has a bug, what is a good place to locate source for this p= rogram. Use Case is a simple svn task: $svn list svn://SVN.HOST.DOMAIN:12000 Server Config svnserver configured via sasl mechanism CRAM-MD5 and/or Dige= st-MD5 - Hashed passwd stored in mysqlDB separate realm for each repo Assumptions: Since it works most of the time, configurations are correct. Issue: Some password combinations return svn: E170001: Authentication error= from server: SASL(-13): authentication failure: incorrect digest response User/process quick check: when we suspect an issue we compare the generate= d hash with DB stored hash to rule out, process, user and DB issue. gen_hash - user realm passwd using sasl_passwd binary query_hash - query user realm from MYSQL DB inspect HEX gen_hash ~ HEX query_hash if hash matches, we expect $svn list user passwd svn://SVN.HOST.DOMAIN:1200= 0 to be successful. Summary Sample tests updating mysqlDB and running svn list using a differen= t password Works- Capmpwds2018 Works- apmpwds2018 Fails- capmpwds2018 Works- cApmpwds2018 Test SCRIPT ksh ./add_user.sh:prod m80154 Capmpwds2018 capmbat2 update The DB agrees with user/pw/realm DB cmusaslsecretCRAM-MD5 6FE5A5552D= 2F13F7BDBF6FB2AE9B1A125313C2BA79479D153877B95CFA9DFC29 Commandline CRAM USER:HEX/UN 6FE5A5552D2F1= 3F7BDBF6FB2AE9B1A125313C2BA79479D153877B95CFA9DFC29 Success m80154 - /opt/app/scm/svn/binaries/sv= n_1.9.7/bin/svn --no-auth-cache --username m80154 --password Capmpwds2018 l= ist svn://SVN.HOST.DOMAIN:12000 $ksh ./add_user.sh:prod m80154 apmpwds2018 capmbat2 update The DB agrees with user/pw/realm DB cmusaslsecretCRAM-MD5 6A2912411C= 7616DECF97A2B7582ADEF4855C3B4E4373046832D242AEC4AC08E2 Commandline CRAM USER:HEX/UN 6A2912411C761= 6DECF97A2B7582ADEF4855C3B4E4373046832D242AEC4AC08E2 Success m80154 - /opt/app/scm/svn/binaries/svn_1.9.7/bin/svn= --no-auth-cache --username m80154 --password apmpwds2018 list svn://SVN.HO= ST.DOMAIN:12000 ksh ./add_user.sh:prod m80154 capmpwds2018 capmbat2 update The DB agrees with user/pw/realm DB cmusaslsecretCRAM-MD5 59B803D644= BC84CF91230A8FFEA371A3421AE83003009232483A3FEF5B90BE6A Commandline CRAM USER:HEX/UN 59B803D644BC8= 4CF91230A8FFEA371A3421AE83003009232483A3FEF5B90BE6A Failed m80154 /opt/app/scm/svn/binaries/svn_1.9.7/bin/svn --= no-auth-cache --username m80154 --password capmpwds2018 list svn://SVN.HOST= .DOMAIN:12000 svn: E170013: Unable to connect to a reposito= ry at URL 'svn://SVN.HOST.DOMAIN:12000' svn: E170001: Authentication error from serve= r: SASL(-13): authentication failure: incorrect digest response $ksh ./add_user.sh:prod m80154 cApmpwds2018 capmbat2 update The DB agrees with user/pw/realm DB cmusaslsecretCRAM-MD5 9328603F62A27B23C3= A01149D8CA97BB5885F9163C9498918FDD2223439EED26 Commandline CRAM USER:HEX/UN 9328603F62A27B23C3A01149D8CA= 97BB5885F9163C9498918FDD2223439EED26 Success m80154 - /opt/app/scm/svn/binaries/svn_1.9.7/bin/svn --no-auth-cach= e --username m80154 --password cApmpwds2018 list svn://SVN.HOST.DOMAIN:1200= 0 - --_000_99BCC400E8B6334C91FACA6B284C927D41C66B14MISOUT7MSGUSRCC_ Content-Type: text/html; charset="us-ascii" Content-Transfer-Encoding: quoted-printable

Summary: SVN E170001: Authentication error with s= pecific user/realm/pw combinations while many other work!

 

 

Observations/Workarounds

 

While there is a work = around, by simply changing the password, we have an unusual reoccurring iss= ue with some user/realm/password combinations.  It’s a problem

setting the same passw= ord to many repos.

 

The issue shows up und= er both CRAM-MD5 and DIGEST-MD5, but not for the same user/realm/password.&= nbsp;

 

 

From and SVN perspective:

How do I get svn/svnse= rve to log the hashed response so I can compare it outside of SASL and MYSQ= L.  

I suspect our method t= o generate the hashed CRAM-MD5 and DIGEST-MD5 that we store in mysql has a = bug, what is a good place to locate source for this program.

 

 

Use Case is a simple svn task:  $svn list sv= n://SVN.HOST.DOMAIN:12000

 

Server Config

        &= nbsp;      svnserver configured via sasl mechanism= CRAM-MD5 and/or Digest-MD5 –

        &= nbsp;      Hashed passwd stored in mysqlDB

        &= nbsp;      separate realm for each repo=

 

Assumptions:

        &= nbsp;      Since it works most of the time, config= urations are correct.

 

Issue: Some password combinations return svn: E17= 0001: Authentication error from server: SASL(-13): authentication failure: = incorrect digest response

 

User/process quick check:  when we suspect a= n issue we compare the generated hash with DB stored hash to rule out, proc= ess, user and DB issue.

 

        &= nbsp;      gen_hash - user realm passwd using sasl= _passwd binary

        &= nbsp;      query_hash - query user realm from MYSQ= L DB

 

        &= nbsp;      inspect HEX gen_hash ~ HEX query_hash <= o:p>

 

if hash matches, we expect $svn list user passwd = svn://SVN.HOST.DOMAIN:12000 to be successful. 

 

 

Summary Sample tests updating mysqlDB and running= svn list using a different password

        &= nbsp;           &nbs= p;         Works- Capmpwds2018=

        &= nbsp;           &nbs= p;         Works- apmpwds2018<= /o:p>

        &= nbsp;           &nbs= p;         Fails- capmpwds2018=

        &= nbsp;           &nbs= p;         Works- cApmpwds2018=

 

 

Test SCRIPT

ksh  ./add_user.sh:prod m80154 Capmpwds2018 = capmbat2 update

 

        &= nbsp;      The DB agrees with user/pw/realm

        &= nbsp;           &nbs= p;         DB cmusaslsecretCRAM-MD5=            6FE5A5552D2F13= F7BDBF6FB2AE9B1A125313C2BA79479D153877B95CFA9DFC29

        &= nbsp;           &nbs= p;         Commandline CRAM USER:HE= X/UN    6FE5A5552D2F13F7BDBF6FB2AE9B1A125313C2BA79479D153877= B95CFA9DFC29

 

        &= nbsp;           &nbs= p;         Success m80154 - /opt/ap= p/scm/svn/binaries/svn_1.9.7/bin/svn --no-auth-cache --username m80154 --pa= ssword Capmpwds2018 list svn://SVN.HOST.DOMAIN:12000

 

$ksh  ./add_user.sh:prod m80154 apmpwds2018 = capmbat2 update

        &= nbsp;      The DB agrees with user/pw/realm

        &= nbsp;           &nbs= p;         DB cmusaslsecretCRAM-MD5=            6A2912411C7616= DECF97A2B7582ADEF4855C3B4E4373046832D242AEC4AC08E2

        &= nbsp;           &nbs= p;         Commandline CRAM USER:HE= X/UN    6A2912411C7616DECF97A2B7582ADEF4855C3B4E4373046832D2= 42AEC4AC08E2

 

        &= nbsp;      Success m80154 - /opt/app/scm/svn/binar= ies/svn_1.9.7/bin/svn --no-auth-cache --username m80154 --password apmpwds2= 018 list svn://SVN.HOST.DOMAIN:12000

 

 

ksh  ./add_user.sh:prod m80154 capmpwds2018 = capmbat2 update

 

        &= nbsp;      The DB agrees with user/pw/realm

        &= nbsp;           &nbs= p;         DB cmusaslsecretCRAM-MD5=            59B803D644BC84= CF91230A8FFEA371A3421AE83003009232483A3FEF5B90BE6A

        &= nbsp;           &nbs= p;         Commandline CRAM USER:HE= X/UN    59B803D644BC84CF91230A8FFEA371A3421AE83003009232483A= 3FEF5B90BE6A

 

        &= nbsp;      Failed m80154 /opt/app/scm/svn/binaries= /svn_1.9.7/bin/svn --no-auth-cache --username m80154 --password capmpwds201= 8 list svn://SVN.HOST.DOMAIN:12000

        &= nbsp;           &nbs= p;         svn: E170013: Unable to = connect to a repository at URL 'svn://SVN.HOST.DOMAIN:12000'

        &= nbsp;           &nbs= p;         svn: E170001: Authentica= tion error from server: SASL(-13): authentication failure: incorrect digest= response

 

$ksh  ./add_user.sh:prod m80154 cApmpwds2018= capmbat2 update

 

The DB agrees with user/pw/realm

        &= nbsp;      DB cmusaslsecretCRAM-MD5   &n= bsp;            = ;  9328603F62A27B23C3A01149D8CA97BB5885F9163C9498918FDD2223439EED26

        &= nbsp;      Commandline CRAM USER:HEX/UN  = ;  9328603F62A27B23C3A01149D8CA97BB5885F9163C9498918FDD2223439EED26

 

Success m80154 - /opt/app/scm/svn/binaries/svn_1.= 9.7/bin/svn --no-auth-cache --username m80154 --password cApmpwds2018 list = svn://SVN.HOST.DOMAIN:12000

 

 

-

 

 

--_000_99BCC400E8B6334C91FACA6B284C927D41C66B14MISOUT7MSGUSRCC_--