Daniel Shahaf wrote: > > > > I have the following line in /usr/local/lib/sasl2/svn.conf: > > mech_list: gssapi digest-md5 anonymous > > > > How can I guarantee that the subversion client/server will always use > > GSSAPI before DIGEST-MD5? Or a more generic question, how can I change > > the order of mechanisms if I have to? > > > > Looking at subversion/libsvn_ra_svn/{client.c,cyrus_auth.c}, it seems that the > following order is used: > > * EXTERNAL (i.e., ssh tunnel) > * ANONYMOUS > * ${server-reported mechanisms, in the order suggested by the server} > * CRAM-MD5 (used via internal_auth.c even if SASL doesn't support it) > > I don't see a knob that lets you manipulate the order.
Then how can I manipulate "the order suggested by the server"? The server is svnserve. > > > I have experimented with the order of mechanisms in the mech_list > > definition, but the result is always the same ( ANONYMOUS GSSAPI > > DIGEST-MD5 ). It's fine so far, but how can I change the order if > > needed? > > > > Is your problem that GSSAPI is before/after DIGEST-MD5, or that it is > before/after ANONYMOUS? These are quite different situations... Right now GSSAPI comes before DIGEST-MD5 and this is fine with me. I just don't want this order to change suddenly with a new version of subversion or cyrus-sasl or something, because it will break SSO. -- Victor Sudakov, VAS4-RIPE, VAS47-RIPN sip:suda...@sibptus.tomsk.ru