Please excuse me

if I'm wrong here with this possibly stupid end-user question … but I
am trying to keep a setup with svnserve+sasl going, for
low-infrastructure encrypted communication, where the  world decided
that DIGEST-MD5 is no good. I tried to enable SCRAM-* mechanisms in my
sasl config for svn, but clients get an empty list of supported
mechanisms unless I include DIGEST-MD5.

Tracing the communication with socat, I get either this:

< 2026/07/07 21:59:19.000146895  length=42 from=207 to=248 
( success ( ( DIGEST-MD5 ) 8:myrealm ) )

or, with a crazy setting of

mech_list: SCRAM-SHA-512-PLUS SCRAM-SHA-256-PLUS SCRAM-SHA-512 SCRAM-SHA-256 
SCRAM-SHA-1-PLUS SCRAM-SHA-1

< 2026/07/07 22:01:06.000763594  length=80 from=207 to=286
( failure ( ( 170001 44:Could not obtain the list of SASL mechanisms 0: 0 ) ) )

I do have libscram and see that svnserve loads it via strace:

# grep libscram svn.log 
open("/usr/lib/sasl2/libscram.la", O_RDONLY) = 4
open("/usr/lib/sasl2/libscram.la", O_RDONLY) = 4
read(4, "# libscram.la - a libtool librar"..., 4096) = 971
open("/usr/lib/sasl2/libscram.so.3", O_RDONLY|O_CLOEXEC) = 4

But I have so grasp on actually making use of it. All documentation I
find on svn+sasl mentions countless auth mechanisms, but only really
covers the one and only example DIGEST-MD5.

I am hitting a wall trying to debug this. There is a setting log_level
in the sasl.conf for svn, but I do not see any messages triggered by
that. Seems like svnserve would need to enable logging for sasl itself
and misses a functionality for this? Generally, I miss any verbosity of
svnserve regarding client connections. Grabbing the network traffic via
socat is the resort to see a bit of what is going on. Isn't there some
option for verbosity for svnserve and svn client that would give more
information than

E170001: Could not obtain the list of SASL mechanisms

(arguably, only the server side could tell more here) or

E210007: Cannot negotiate authentication mechanism

(where the list of offered mechanisms vs. the list of supported
mechanisms would be _very_ interesting to a user)? So far it _seems_
the server doesn't know that it can do SCRAM. I find the documentation
of cyrus-sasl very lacking here. How is one supposed to debug this?
Should I bug that project instead? I am confused by the behaviour of
saslpasswd2 + sasldblistusers2, which only ever show userPassword
entries or nothing (when trying _not_ to store plaintext passwords),
FWIW.

I'm posting this here — as it seems rather obscure to want to do more
than DIGEST-MD5, or svnserve at all, nowadays — in the hope that the
subversion developers at least have had one test setup where this
actually worked. Has the svnserve sasl code been tested with non-MD5
mechanisms?

If this works smoothly for anyone and only my setup and skills are
broken, that's fine. I can learn. But right now it looks darn
impossible to me. Please prove me wrong;-)


Alrighty then,

Thomas

-- 
Dr. Thomas Orgis
HPC @ Universität Hamburg

Reply via email to