On 2026/07/07 20:16:00 "Dr. Thomas Orgis via dev" wrote:
> Please excuse me
> 
> if I'm wrong here with this possibly stupid end-user question … but I
> am trying to keep a setup with svnserve+sasl going, for
> low-infrastructure encrypted communication, where the  world decided
> that DIGEST-MD5 is no good. I tried to enable SCRAM-* mechanisms in my
> sasl config for svn, but clients get an empty list of supported
> mechanisms unless I include DIGEST-MD5.
> 
> Tracing the communication with socat, I get either this:
> 
> < 2026/07/07 21:59:19.000146895  length=42 from=207 to=248 
> ( success ( ( DIGEST-MD5 ) 8:myrealm ) )
> 
> or, with a crazy setting of
> 
> mech_list: SCRAM-SHA-512-PLUS SCRAM-SHA-256-PLUS SCRAM-SHA-512 SCRAM-SHA-256 
> SCRAM-SHA-1-PLUS SCRAM-SHA-1
> 
> < 2026/07/07 22:01:06.000763594  length=80 from=207 to=286
> ( failure ( ( 170001 44:Could not obtain the list of SASL mechanisms 0: 0 ) ) 
> )
> 
> I do have libscram and see that svnserve loads it via strace:
> 
> # grep libscram svn.log 
> open("/usr/lib/sasl2/libscram.la", O_RDONLY) = 4
> open("/usr/lib/sasl2/libscram.la", O_RDONLY) = 4
> read(4, "# libscram.la - a libtool librar"..., 4096) = 971
> open("/usr/lib/sasl2/libscram.so.3", O_RDONLY|O_CLOEXEC) = 4
> 
> But I have so grasp on actually making use of it. All documentation I
> find on svn+sasl mentions countless auth mechanisms, but only really
> covers the one and only example DIGEST-MD5.
> 
> I am hitting a wall trying to debug this. There is a setting log_level
> in the sasl.conf for svn, but I do not see any messages triggered by
> that. Seems like svnserve would need to enable logging for sasl itself
> and misses a functionality for this? Generally, I miss any verbosity of
> svnserve regarding client connections. Grabbing the network traffic via
> socat is the resort to see a bit of what is going on. Isn't there some
> option for verbosity for svnserve and svn client that would give more
> information than
> 
> E170001: Could not obtain the list of SASL mechanisms
> 
> (arguably, only the server side could tell more here) or
> 
> E210007: Cannot negotiate authentication mechanism
> 
> (where the list of offered mechanisms vs. the list of supported
> mechanisms would be _very_ interesting to a user)? So far it _seems_
> the server doesn't know that it can do SCRAM. I find the documentation
> of cyrus-sasl very lacking here. How is one supposed to debug this?
> Should I bug that project instead? I am confused by the behaviour of
> saslpasswd2 + sasldblistusers2, which only ever show userPassword
> entries or nothing (when trying _not_ to store plaintext passwords),
> FWIW.
> 
> I'm posting this here — as it seems rather obscure to want to do more
> than DIGEST-MD5, or svnserve at all, nowadays — in the hope that the
> subversion developers at least have had one test setup where this
> actually worked. Has the svnserve sasl code been tested with non-MD5
> mechanisms?
> 
> If this works smoothly for anyone and only my setup and skills are
> broken, that's fine. I can learn. But right now it looks darn
> impossible to me. Please prove me wrong;-)

Thomas,

I bet your university operates a KDC, if so you can simply use Kerberos via 
SASL or via Apache with mod_auth_gssapi. The latter works perfectly, the former 
should work, but I have abandoned svnserve long time ago.

Michael

Reply via email to