Posted to users@subversion.apache.org by David Everly <de...@gmail.com> on 2006/08/14 19:23:45 UTC

password collection issues

Hello,

I've compiled subversion 1.3.2 with openldap 2.3.24 and apache httpd 2.2.3
on HP-UX B.11.23 ia64 with the HP compilers (32 bit compiles-- 64 bit
seems to crash during ldap authentication).

I have ldap authentication set up, and somewhat working, but here is
where it becomes curious.

If I run 'svn commit -m "some message" --username deverly', a prompt
appears where I can enter my password.  At this stage, authentication
fails.

However, if I add --password to the above (specifying my password),
authentication works!  My password begins and ends with a letter and
contains only letters and numbers while I'm running this test, and
before testing, I have removed my ~/.subversion directory.

Any ideas where I could look for clues to the trouble so I can try to
fix the issue?

Thanks,
Dave.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org

Re: password collection issues

Posted by Nico Kadel-Garcia <nk...@comcast.net>.
----- Original Message ----- 
From: "David Everly" <de...@gmail.com>
To: <kf...@google.com>; <us...@subversion.tigris.org>
Sent: Monday, August 14, 2006 6:41 PM
Subject: Re: password collection issues


> Hi Karl, thanks for responding.
>
> It is looking to us like the issue is in HP-UX getpass(), whose man
> page indicates that it truncates what is entered to the first 8
> characters.  This is from within apr, whose configure tests could not
> find getpassphrase, but only getpass.
>
> For our purposes, I'm editing the configure script for apr to not
> check for getpass, so that apr is forced to use its internally
> provided mechanism.

Why not use ssh+svnserve? Given that many Subversion clients (not all!)
store your Subversion password, unencrypted, in your local directory when
you do checkouts, any use of a typical LDAP or NIS single-sign-on system
will store your passwords in your local configurations. It's an easy way to
forget about the security risk and have your password stolen.

The burden of using an SSH+SVNserve setup is pretty modest, and in my 
opinion more reliable. 


Re: password collection issues

Posted by David Everly <de...@gmail.com>.
On 8/15/06, Garrett Rooney <ro...@electricjellyfish.net> wrote:
> On 8/14/06, David Everly <de...@gmail.com> wrote:
> > Hi Karl, thanks for responding.
> >
> > It is looking to us like the issue is in HP-UX getpass(), whose man
> > page indicates that it truncates what is entered to the first 8
> > characters.  This is from within apr, whose configure tests could not
> > find getpassphrase, but only getpass.
> >
> > For our purposes, I'm editing the configure script for apr to not
> > check for getpass, so that apr is forced to use its internally
> > provided mechanism.
> >
> > I'm sure there is a better fix for this than what we did, but I'm not
> > sure exactly what that would be.
>
> Out of curiosity, what version of APR are you using?

httpd-2.2.3 (apr 1.2.7)

> I recall similar
> problems showing up in the past, and I thought the APR configure
> script had been modified to avoid getpass in that case, but I could be
> wrong.  Regardless, the right thing to do is to fix APR to not try and
> use a known-broken getpass implementation.

Makes sense to me.


Re: password collection issues

Posted by Garrett Rooney <ro...@electricjellyfish.net>.
On 8/14/06, David Everly <de...@gmail.com> wrote:
> Hi Karl, thanks for responding.
>
> It is looking to us like the issue is in HP-UX getpass(), whose man
> page indicates that it truncates what is entered to the first 8
> characters.  This is from within apr, whose configure tests could not
> find getpassphrase, but only getpass.
>
> For our purposes, I'm editing the configure script for apr to not
> check for getpass, so that apr is forced to use its internally
> provided mechanism.
>
> I'm sure there is a better fix for this than what we did, but I'm not
> sure exactly what that would be.

Out of curiosity, what version of APR are you using?  I recall similar
problems showing up in the past, and I thought the APR configure
script had been modified to avoid getpass in that case, but I could be
wrong.  Regardless, the right thing to do is to fix APR to not try and
use a known-broken getpass implementation.

-garrett


Re: password collection issues

Posted by David Everly <de...@gmail.com>.
Hi Karl, thanks for responding.

It is looking to us like the issue is in HP-UX getpass(), whose man
page indicates that it truncates what is entered to the first 8
characters.  This is from within apr, whose configure tests could not
find getpassphrase, but only getpass.

For our purposes, I'm editing the configure script for apr to not
check for getpass, so that apr is forced to use its internally
provided mechanism.

I'm sure there is a better fix for this than what we did, but I'm not
sure exactly what that would be.

Thanks,
Dave.

On 8/14/06, Karl Fogel <kf...@google.com> wrote:
> "David Everly" <de...@gmail.com> writes:
> > I've compiled subversion 1.3.2 with openldap 2.3.24 and apache httpd 2.2.3
> > on HP-UX B.11.23 ia64 with the HP compilers (32 bit compiles-- 64 bit
> > seems to crash during ldap authentication).
> >
> > I have ldap authentication set up, and somewhat working, but here is
> > where it becomes curious.
> >
> > If I run 'svn commit -m "some message" --username deverly', a prompt
> > appears where I can enter my password.  At this stage, authentication
> > fails.
> >
> > However, if I add --password to the above (specifying my password),
> > authentication works!  My password begins and ends with a letter and
> > contains only letters and numbers while I'm running this test, and
> > before testing, I have removed my ~/.subversion directory.
> >
> > Any ideas where I could look for clues to the trouble so I can try to
> > fix the issue?
>
> Can you find the place in the code where Subversion is about to send
> the password over the network and have it print to the terminal there,
> so you can see whether it's got the same data in both cases?
>
> (I don't know where that is off the top of my head, but it probably
> wouldn't be too hard to track down...)
>


-- 
ASCII ribbon campaign:
()  against HTML email
/\  against Microsoft attachments
    Information:  http://www.expita.com/nomime.html


Re: password collection issues

Posted by Karl Fogel <kf...@google.com>.
"David Everly" <de...@gmail.com> writes:
> I've compiled subversion 1.3.2 with openldap 2.3.24 and apache httpd 2.2.3
> on HP-UX B.11.23 ia64 with the HP compilers (32 bit compiles-- 64 bit
> seems to crash during ldap authentication).
>
> I have ldap authentication set up, and somewhat working, but here is
> where it becomes curious.
>
> If I run 'svn commit -m "some message" --username deverly', a prompt
> appears where I can enter my password.  At this stage, authentication
> fails.
>
> However, if I add --password to the above (specifying my password),
> authentication works!  My password begins and ends with a letter and
> contains only letters and numbers while I'm running this test, and
> before testing, I have removed my ~/.subversion directory.
>
> Any ideas where I could look for clues to the trouble so I can try to
> fix the issue?

Can you find the place in the code where Subversion is about to send
the password over the network and have it print to the terminal there,
so you can see whether it's got the same data in both cases?

(I don't know where that is off the top of my head, but it probably
wouldn't be too hard to track down...)
