Daniel Shahaf wrote:
> >
> > I have the following line in /usr/local/lib/sasl2/svn.conf:
> > mech_list: gssapi digest-md5 anonymous
> >
> > How can I guarantee that the subversion client/server will always use
> > GSSAPI before DIGEST-MD5? Or a more generic question, how can I change
> > the order of mechanisms if I have to?
> >
>
> Looking at subversion/libsvn_ra_svn/{client.c,cyrus_auth.c}, it seems that the
> following order is used:
>
> * EXTERNAL (i.e., ssh tunnel)
> * ANONYMOUS
> * ${server-reported mechanisms, in the order suggested by the server}
> * CRAM-MD5 (used via internal_auth.c even if SASL doesn't support it)
>
> I don't see a knob that lets you manipulate the order.
Then how can I manipulate "the order suggested by the server"? The
server is svnserve.
>
> > I have experimented with the order of mechanisms in the mech_list
> > definition, but the result is always the same ( ANONYMOUS GSSAPI
> > DIGEST-MD5 ). It's fine so far, but how can I change the order if
> > needed?
> >
>
> Is your problem that GSSAPI is before/after DIGEST-MD5, or that it is
> before/after ANONYMOUS? These are quite different situations...
Right now GSSAPI comes before DIGEST-MD5 and this is fine with me. I
just don't want this order to change suddenly with a new version of
subversion or cyrus-sasl or something, because it will break SSO.
--
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
sip:suda...@sibptus.tomsk.ru
