On Wed, Jan 26, 2011 at 9:26 PM, Stefan Sperling <s...@elego.de> wrote:
> On Wed, Jan 26, 2011 at 07:08:55PM -0700, Donner, Sean P wrote:
>> > It's because of how CramMD5 works.
>> >
>> > "The server needs access to the users' plain text passwords."
>> > http://en.wikipedia.org/wiki/CRAM-MD5
>> >
>> > Stefan
>>
>> Perhaps I'm wrong, but I was under the impression that the 1.6.x version of
>> 'svnserve' natively supports CRAM-MD5; meaning you *don't* need to set
>> 'use-sasl = true' to get this functionality.
>
> That's correct. But you can still configure SASL to do CRAM-MD5.
> So there might be a bug in svn.
> Maybe it still assumes that plaintext passwords will always be present.
>
>> So my original question stands as
>> to what SASL is buying us when it still requires plain-text passwords to be
>> stored on the server?
>
> Unfortunately the sasl stuff is not being maintained very actively.
> The developers who wrote it aren't active anymore.
> There are a couple of outstanding issues (some with half-done patches
> floating around) that haven't been addressed due to lack of interest
> and resources.
>
> So if you want to help out with investigating this problem more closely
> and possibly also help with fixing this, the Subversion project would
> be grateful.

Or switch to svn+ssh for SSH key based access, which has other advantages.
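
The CRAM-MD5 property this thread turns on, as an added Python sketch (not part of the thread and not Subversion or Cyrus SASL code): the response is HMAC-MD5 keyed with the password itself, so a server that holds only a salted hash cannot recompute it. The function names, the `svn.example.invalid` host and the sample accounts are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import time


def make_challenge(hostname="svn.example.invalid"):
    # Server side: a fresh, unpredictable challenge per login attempt.
    return "<%s.%d@%s>" % (os.urandom(8).hex(), int(time.time()), hostname)


def client_response(username, password, challenge):
    # Client side: HMAC-MD5 over the challenge, keyed with the password.
    digest = hmac.new(password.encode(), challenge.encode(), hashlib.md5)
    return "%s %s" % (username, digest.hexdigest())


def _check(key, challenge, digest):
    # Recompute the HMAC with whatever key material the server holds.
    expected = hmac.new(key, challenge.encode(), hashlib.md5).hexdigest()
    return hmac.compare_digest(expected.encode(), digest.encode())


def server_verify_plaintext(password_db, challenge, response):
    # Works: the server keys the HMAC with the same secret as the client.
    username, _, digest = response.rpartition(" ")
    password = password_db.get(username)
    return password is not None and _check(password.encode(), challenge, digest)


def server_verify_hashed(hash_db, challenge, response):
    # Fails for every user: a one-way hash of the password is a different
    # HMAC key, and the password cannot be recovered from it.
    username, _, digest = response.rpartition(" ")
    stored = hash_db.get(username)
    return stored is not None and _check(stored, challenge, digest)


if __name__ == "__main__":
    # Constructed sample account, not taken from the thread.
    plain_db = {"alice": "correct horse"}
    salt = os.urandom(16)
    hashed_db = {"alice": hashlib.pbkdf2_hmac("sha256", b"correct horse", salt, 1000)}
    challenge = make_challenge()
    response = client_response("alice", "correct horse", challenge)
    print("plaintext store verifies:", server_verify_plaintext(plain_db, challenge, response))
    print("hashed store verifies:   ", server_verify_hashed(hashed_db, challenge, response))
```
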