使用sasl认证加密密码文件

说明:Linux下使用svnserve的SASL认证能解决这个问题,subversion1.5以上的版本默认装了sasl认证,解决svnserve密码文件passwd是明文的问题,生成一个sasl认证的密码文件sasldb。

步骤:

1、修改Svn库下conf/的svnserve.conf内容

[general]

anon-access = none

auth-access = write

authz-db = authz

realm = svnjiami

[sasl]

use-sasl = true

min-encryption = 128

max-encryption = 256

注释:# password-db = passwd这行保持注释掉的状态,不使用passwd文件。变量 min-encryption 和 max-encryption 控制服务器所需要的加密强度。要完全禁用加密,就将这 2 个变量的值都设为 0。要启用简单的数据校验(例如,为了防止篡改和保证数据的完整,不加密),就将这 2 个值都设为 1。如果你想允许(但不强制)加密,将最小值设为 0,最大值设为任意位数。要强制加密,将这 2 个值设为大于 1 的数字。在前面的例子中,我们要求客户端至少进行 128 位加密,但是不大于 256 位加密。

2、新建一个svn.conf文件,一般放在/usr/Lib/sasl2或者/etc/sasl2,内容如下:

pwcheck_method: auxprop

auxprop_plugin: sasldb

sasldb_path: /home/svn/svnjiami/sasldb

mech_list: DIGEST-MD5

注释:pwcheck_method指明检查的方法,这里是“auxprop ”,这个pwcheck_method还对应了如启动一个代理作为认证服务等方式,而现在的意思就是使用本文件说的方式去检查。然后我们指明auxprop_plugin为sasldb,也就是使用一个文件存放用户名密码,也就是/home/svn/svnjiami/sasldb,其它的认证信息存放plugin还有sql和ldapdb。而mech_list指明了认证信息传递机制。

3、如果 svnserve 已经在运行,你需要重启服务,并确保它读取了更新后的配置参数。

killall svnserve //停止svnserve服务

svnserve –d –r /home/svn //启动svnserve服务


4、现在所有的东西已经设置完成,你要做的事情就是创建用户和密码。你需要 saslpasswd2 程序来做这件事。

saslpasswd2 –c –f /home/svn/jiami/sasldb –u [svnserve.conf里面配置的realm名字] [username] -p <pw //新建用户,可修改用户用户口令,pw是密码文件,里边存储了用户密码

saslpasswd2 -d -f /home/svn/jiami/sasldb -u

 

[svnserve.conf里面配置的realm名字] [username]

//删除用户

sasldblistusers2 –f /home/svn/jiami/sasldb //查询用户


PS:如果访问库的时候出现以下提示 "Could not obtain the list of SASL mechanisms",原因是Linux默认没有安装DIGEST-MD5,此时,可用以下命令安装更新:yum install cyrus-sasl-md5 , cyrus-sasl-md5首页: http://asg.web.cmu.edu/sasl/, 安装包下载地址:ftp://ftp.andrew.cmu.edu/pub/cyrus/

 

-------------------------------------------------------------------------------------------- 

You may receive an error similar to the one below stating that SVN cannot negotiate the authentication mechanism during initial installation of Subversion. I received the below error when I was testing a new SVN repository I had set up on a CentOS Linux server and was attempting to checkout the repo from another CentOS Linux server. Below I describe basic configuration and what was done to move pas this error.

Error:
svn: Cannot negotiate authentication mechanism

I figured it had something to do with the server doing the checkout since I was able to svn checkout from another Linux server already. I wanted to make sure that the traffic was encrypted so the configuration was as follows.

SVN Server: svnserver.conf

[general]
#anon-access = read
auth-access = write
realm = testrealm

[sasl]
use-sasl = true
min-encryption = 128
max-encryption = 256

As you can see the svnserve.conf is very basic. It only allows authorized access and the authentication is done via SASL with a minimum of 128-Bit encryption.

SVN Server: SASL svn.conf

pwcheck_method: auxprop
auxprop_plugin: sasldb
sasldb_path: /etc/sasldb2
mech_list: DIGEST-MD5

The above shows that SASL is using MD5 encryption and authenticates against the sasldb2 database located in the /etc directory.

On the Linux client I was attempting to checkout the testrealm repository too I had just installed subversion so I checked to see if any SASL packages had been installed. They had not so I simply installed the cyrus-sasl-md5 package via yum using the below syntax.

Linux Client: Install cyrus-sasl-md5

yum install cyrus-sasl-md5

This resolved the issue and I was now able to checkout the repository as a foundation for the development storm that was about to begin. So if you get an authentication error make sure that you have verified all of the necessary packages have been installed via yum.

Winodws Client: 修改注册表

 

 

 

 

posted on 2011-08-04 10:34  凌度  阅读(11617)  评论(2编辑  收藏  举报