On Tue, Jan 25, 2011 at 12:51:12PM -0700, Donner, Sean P wrote:
> I'm attempting to set up svnserve with SASL support on my Slackware 13.1
> server and after some trial and error I'm able to get it to work with the
> configuration listed at the end of this post.
>
> You'll notice that the output of sasldblistusers2 shows my test user as
> having both an encrypted cmusaslsecretOTP password as well as a plain text
> userPassword. i.e., if I were to run the command
> ‘strings /etc/sasl2/my_sasldb’ I would see the test user's password in
> plaintext. These two password entries were created with the following
> subversion-book recommended command:
>
> saslpasswd2 -c -f /etc/sasl2/my_sasldb -u myrepo test
>
> After reading man saslpasswd2 I see the following option:
>
> "-n Don't set the plaintext userPassword property for the user. Only
> mechanism-specific secrets will be set (e.g. OTP, SRP)"
>
> This is exactly what I want to do, suppress the plain text password and only
> use the mechanism-specific secret (OTP in my case). So I clear out
> /etc/sasl2/my_sasldb and rerun saslpasswd2 as:
>
> saslpasswd2 -n -c -f /etc/sasl2/my_sasldb -u myrepo test
>
> I then follow it up with a sasldblistusers2 and I see:
>
> $ sasldblistusers2 -f /etc/sasl2/my_sasldb
> test@myrepo: cmusaslsecretOTP
>
> Perfect! Now I have only encrypted passwords in my sasldb.... only neither
> the Linux svn client nor the Windows TortoiseSVN client can connect to my
> repo anymore. They both present me with an endless loop of user/pass
> challenge. As soon as I rerun saslpasswd2 without the '-n' flag, everything
> works again.
>
> So, what’s the point of svnserve supporting SASL if my sasldb must store its
> passwords in plaintext to work?

It's because of how CramMD5 works.
"The server needs access to the users' plain text passwords."
http://en.wikipedia.org/wiki/CRAM-MD5

Stefan
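
Added example, not part of the original thread: a minimal Python sketch of the CRAM-MD5 check from RFC 2195, showing that the server has to key HMAC-MD5 with the password itself, so a store holding only a one-way hash of the password cannot verify the client. The function names are hypothetical; the user, password and challenge are the sample values from RFC 2195.

```python
import hashlib
import hmac

# Sample exchange values taken from RFC 2195 (not from the poster's server).
CHALLENGE = "<1896.697170952@postoffice.reston.mci.net>"
USER = "tim"
PASSWORD = "tanstaaftanstaaf"


def cram_md5_response(username: str, password: str, challenge: str) -> str:
    """Client side: HMAC-MD5 over the server challenge, keyed by the password."""
    digest = hmac.new(password.encode(), challenge.encode(), hashlib.md5)
    return f"{username} {digest.hexdigest()}"


def server_verify(stored_secret: bytes, challenge: str, response: str) -> bool:
    """Server side: recompute the HMAC from whatever secret the store holds."""
    _username, _, client_digest = response.rpartition(" ")
    expected = hmac.new(stored_secret, challenge.encode(), hashlib.md5)
    return hmac.compare_digest(expected.hexdigest(), client_digest)


def demo():
    response = cram_md5_response(USER, PASSWORD, CHALLENGE)

    # Store holds the plaintext password: the server can reproduce the digest.
    ok_plaintext = server_verify(PASSWORD.encode(), CHALLENGE, response)

    # Store holds only a one-way hash of the password (SHA-256 chosen here
    # purely for illustration): the server keys the HMAC with the wrong
    # value and can never match what the client sent.
    hashed_only = hashlib.sha256(PASSWORD.encode()).digest()
    ok_hashed = server_verify(hashed_only, CHALLENGE, response)

    return response, ok_plaintext, ok_hashed


if __name__ == "__main__":
    response, ok_plaintext, ok_hashed = demo()
    print("client response:         ", response)
    print("verify with plaintext:   ", ok_plaintext)
    print("verify with hashed store:", ok_hashed)
```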