Posted to users@subversion.apache.org by "NOCERA, ANDY" <an...@att.com> on 2018/04/13 17:55:16 UTC
SVN E170001: Authentication error with specific user/realm/pw
combinations while many other work!
Summary: SVN E170001: Authentication error with specific user/realm/pw combinations while many other work!
Observations/Workarounds
While there is a workaround, by simply changing the password, we have an unusual reoccurring issue with some user/realm/password combinations. It's a problem setting the same password to many repos.
The issue shows up under both CRAM-MD5 and DIGEST-MD5, but not for the same user/realm/password.
From an SVN perspective:
How do I get svn/svnserve to log the hashed response so I can compare it outside of SASL and MYSQL?
I suspect our method to generate the hashed CRAM-MD5 and DIGEST-MD5 that we store in mysql has a bug; what is a good place to locate source for this program?
Use Case is a simple svn task: $svn list svn://SVN.HOST.DOMAIN:12000
Server Config
svnserver configured via sasl mechanism CRAM-MD5 and/or Digest-MD5 -
Hashed passwd stored in mysqlDB
separate realm for each repo
Assumptions:
Since it works most of the time, configurations are correct.
Issue: Some password combinations return svn: E170001: Authentication error from server: SASL(-13): authentication failure: incorrect digest response
User/process quick check: when we suspect an issue we compare the generated hash with DB stored hash to rule out, process, user and DB issue.
gen_hash - user realm passwd using sasl_passwd binary
query_hash - query user realm from MYSQL DB
inspect HEX gen_hash ~ HEX query_hash
if hash matches, we expect $svn list user passwd svn://SVN.HOST.DOMAIN:12000 to be successful.
Summary Sample tests updating mysqlDB and running svn list using a different password
Works- Capmpwds2018
Works- apmpwds2018
Fails- capmpwds2018
Works- cApmpwds2018
Test SCRIPT
ksh ./add_user.sh:prod m80154 Capmpwds2018 capmbat2 update
The DB agrees with user/pw/realm
DB cmusaslsecretCRAM-MD5 6FE5A5552D2F13F7BDBF6FB2AE9B1A125313C2BA79479D153877B95CFA9DFC29
Commandline CRAM USER:HEX/UN 6FE5A5552D2F13F7BDBF6FB2AE9B1A125313C2BA79479D153877B95CFA9DFC29
Success m80154 - /opt/app/scm/svn/binaries/svn_1.9.7/bin/svn --no-auth-cache --username m80154 --password Capmpwds2018 list svn://SVN.HOST.DOMAIN:12000
$ksh ./add_user.sh:prod m80154 apmpwds2018 capmbat2 update
The DB agrees with user/pw/realm
DB cmusaslsecretCRAM-MD5 6A2912411C7616DECF97A2B7582ADEF4855C3B4E4373046832D242AEC4AC08E2
Commandline CRAM USER:HEX/UN 6A2912411C7616DECF97A2B7582ADEF4855C3B4E4373046832D242AEC4AC08E2
Success m80154 - /opt/app/scm/svn/binaries/svn_1.9.7/bin/svn --no-auth-cache --username m80154 --password apmpwds2018 list svn://SVN.HOST.DOMAIN:12000
ksh ./add_user.sh:prod m80154 capmpwds2018 capmbat2 update
The DB agrees with user/pw/realm
DB cmusaslsecretCRAM-MD5 59B803D644BC84CF91230A8FFEA371A3421AE83003009232483A3FEF5B90BE6A
Commandline CRAM USER:HEX/UN 59B803D644BC84CF91230A8FFEA371A3421AE83003009232483A3FEF5B90BE6A
Failed m80154 /opt/app/scm/svn/binaries/svn_1.9.7/bin/svn --no-auth-cache --username m80154 --password capmpwds2018 list svn://SVN.HOST.DOMAIN:12000
svn: E170013: Unable to connect to a repository at URL 'svn://SVN.HOST.DOMAIN:12000'
svn: E170001: Authentication error from server: SASL(-13): authentication failure: incorrect digest response
$ksh ./add_user.sh:prod m80154 cApmpwds2018 capmbat2 update
The DB agrees with user/pw/realm
DB cmusaslsecretCRAM-MD5 9328603F62A27B23C3A01149D8CA97BB5885F9163C9498918FDD2223439EED26
Commandline CRAM USER:HEX/UN 9328603F62A27B23C3A01149D8CA97BB5885F9163C9498918FDD2223439EED26
Success m80154 - /opt/app/scm/svn/binaries/svn_1.9.7/bin/svn --no-auth-cache --username m80154 --password cApmpwds2018 list svn://SVN.HOST.DOMAIN:12000
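Added example, not part of the original post and not Subversion or Cyrus SASL code: it scans the four posted cmusaslsecretCRAM-MD5 values for 0x00 bytes, which would cut a binary secret short wherever it is handled as a NUL-terminated string, and includes an RFC 2195 response calculator for checking a digest outside SASL. That this server's SASL/MySQL path handles the secret as a C string is an assumption the thread does not confirm; the function names are illustrative.

```python
import hmac

# cmusaslsecretCRAM-MD5 values copied from the test output in the post:
# password -> (stored secret as hex, svn result reported in the post).
POSTED_SECRETS = {
    "Capmpwds2018": ("6FE5A5552D2F13F7BDBF6FB2AE9B1A125313C2BA79479D153877B95CFA9DFC29", "Success"),
    "apmpwds2018": ("6A2912411C7616DECF97A2B7582ADEF4855C3B4E4373046832D242AEC4AC08E2", "Success"),
    "capmpwds2018": ("59B803D644BC84CF91230A8FFEA371A3421AE83003009232483A3FEF5B90BE6A", "Failed"),
    "cApmpwds2018": ("9328603F62A27B23C3A01149D8CA97BB5885F9163C9498918FDD2223439EED26", "Success"),
}


def cram_md5_response(username, password, challenge):
    """RFC 2195 client response: '<user> <hex HMAC-MD5(key=password, msg=challenge)>'."""
    digest = hmac.new(password.encode(), challenge.encode(), "md5").hexdigest()
    return f"{username} {digest}"


def nul_offsets(hex_secret):
    """Byte offsets of 0x00 inside a hex-encoded binary secret."""
    return [i for i, b in enumerate(bytes.fromhex(hex_secret)) if b == 0]


def audit(secrets):
    """Return (password, svn_result, stored_len, len_seen_by_strlen) per secret."""
    rows = []
    for password, (hex_secret, result) in secrets.items():
        offsets = nul_offsets(hex_secret)
        stored_len = len(hex_secret) // 2
        # Assumption: some layer measures the value with strlen(), so it
        # stops at the first 0x00 byte instead of using all stored bytes.
        seen_len = offsets[0] if offsets else stored_len
        rows.append((password, result, stored_len, seen_len))
    return rows


if __name__ == "__main__":
    for password, result, stored_len, seen_len in audit(POSTED_SECRETS):
        flag = "TRUNCATED" if seen_len < stored_len else "intact"
        print(f"{password:14} svn={result:8} stored={stored_len} strlen={seen_len} {flag}")
    # RFC 2195 sample exchange, usable as a self-check of the calculator.
    print(cram_md5_response("tim", "tanstaaftanstaaf",
                            "<1896.697170952@postoffice.reston.mci.net>"))
```

Of the four posted values, only the one stored for the failing password contains a 0x00 byte (at offset 21); the three that work contain none.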
Re: SVN E170001: Authentication error with specific user/realm/pw
combinations while many other work!
Posted by Nico Kadel-Garcia <nk...@gmail.com>.
Sorry, hit "send" too early on my previous note!
>> On 13.04.2018 19:55, NOCERA, ANDY wrote:
>>>
>>> Summary: SVN E170001: Authentication error with specific user/realm/pw
>>> combinations while many other work!
>>>
>>> Observations/Workarounds
>>>
>>> While there is a workaround, by simply changing the password, we have
>>> an unusual reoccurring issue with some user/realm/password
>>> combinations. It's a problem setting the same password to many repos.
>>>
>>> The issue shows up under both CRAM-MD5 and DIGEST-MD5, but not for the
>>> same user/realm/password.
>>>
>>> From an SVN perspective:
>>>
>>> How do I get svn/svnserve to log the hashed response so I can compare
>>> it outside of SASL and MYSQL?
I think you're going to hurt yourself. My working assumption is that
you've used a customized httpd configuration to manage authentication
through a MySQL back end, and the issue has nothing to do with
Subversion itself. It has to do with maintenance of that MySQL back
end. If possible, set up a test server to allow the same
authentication technology to access a simple testable website, even a
folder with just "index.html" in it, and test your password based
access to *that*, ideally with an entirely distinct user.
Mind you, storing passwords in MySQL is its own potential adventure.
It's useful, but many implementations have been quite poor. Why are
you doing this?
Also, are there other processes which may be uploading or modifying
passwords for your back end, and resetting them? Or is there a MySQL
cluster which has, perhaps, become split brain and keeps passing
around broken password rows in your MySQL database?
Re: SVN E170001: Authentication error with specific user/realm/pw
combinations while many other work!
Posted by Nico Kadel-Garcia <nk...@gmail.com>.
On Sat, Apr 14, 2018 at 6:51 AM, Branko Čibej <br...@apache.org> wrote:
> On 13.04.2018 19:55, NOCERA, ANDY wrote:
>>
>> Summary: SVN E170001: Authentication error with specific user/realm/pw
>> combinations while many other work!
>>
>> Observations/Workarounds
>>
>> While there is a workaround, by simply changing the password, we have
>> an unusual reoccurring issue with some user/realm/password
>> combinations. It's a problem setting the same password to many repos.
>>
>> The issue shows up under both CRAM-MD5 and DIGEST-MD5, but not for the
>> same user/realm/password.
>>
>> From an SVN perspective:
>>
>> How do I get svn/svnserve to log the hashed response so I can compare
>> it outside of SASL and MYSQL?
>>
>> I suspect our method to generate the hashed CRAM-MD5 and DIGEST-MD5
>> that we store in mysql has a bug; what is a good place to locate
>> source for this program?
>>
>
> Svnserve does not use a MySQL database for storing passwords or password
> hashes. So you either have a customized svnserve or a customized SASL
> library. You'll have to find out where those customizations came from.
> There is no such functionality in the Subversion code base.
>
> -- Brane
>
Re: SVN E170001: Authentication error with specific user/realm/pw
combinations while many other work!
Posted by Branko Čibej <br...@apache.org>.
On 13.04.2018 19:55, NOCERA, ANDY wrote:
>
> Summary: SVN E170001: Authentication error with specific user/realm/pw
> combinations while many other work!
>
> Observations/Workarounds
>
> While there is a workaround, by simply changing the password, we have
> an unusual reoccurring issue with some user/realm/password
> combinations. It's a problem setting the same password to many repos.
>
> The issue shows up under both CRAM-MD5 and DIGEST-MD5, but not for the
> same user/realm/password.
>
> From an SVN perspective:
>
> How do I get svn/svnserve to log the hashed response so I can compare
> it outside of SASL and MYSQL?
>
> I suspect our method to generate the hashed CRAM-MD5 and DIGEST-MD5
> that we store in mysql has a bug; what is a good place to locate
> source for this program?
>
Svnserve does not use a MySQL database for storing passwords or password
hashes. So you either have a customized svnserve or a customized SASL
library. You'll have to find out where those customizations came from.
There is no such functionality in the Subversion code base.
-- Brane