Posted to users@subversion.apache.org by Yves Martin <yv...@elca.ch> on 2006/11/28 15:09:52 UTC

Client authentication with Kerberos ticket

   Hello,

 I'm currently deploying Subversion (1.2.3 on a Debian Linux server)
 with Apache2/mod_dav/svn/mod_auth_krb
 and an svn client in version 1.4.2 (Linux).

 If I allow the Kerberos password (KrbMethodK5Passwd on),
 it works, but the client asks me for the password each time.

 If I disable the Kerberos password (KrbMethodK5Passwd on)
 with KrbMethodNegotiate on,
 the client fails directly without trying my ticket, which was just
 successfully created with kinit (checked with klist).

 I have found no tutorial or FAQ concerning svn+kerberos+ticket.
 I enabled neon debug messages, but they do not help me (see below).
 I have compiled the neon lib (client) with gssapi. But is it enough?

 Thank you for any hint to get svn and Kerberos working together
 (either with a ticket or my password cached - but I prefer the ticket)

User-Agent: SVN/1.4.2 (r22196) neon/0.25.5
Keep-Alive: 
Connection: TE, Keep-Alive
TE: trailers
Content-Length: 300
Content-Type: text/xml
Depth: 0
Accept-Encoding: gzip
Accept-Encoding: gzip

Sending request-line and headers:
Connecting to IP
Sending request body:
Body block (300 bytes):
[<?xml version="1.0" encoding="utf-8"?><propfind
xmlns="DAV:"><prop><version-controlled-configuration
xmlns="DAV:"/><resourcetype xmlns=
"DAV:"/><baseline-relative-path
xmlns="http://subversion.tigris.org/xmlns/dav/"/><repository-uuid
xmlns="http://subversion.tigris.org/xmlns/dav/"/></prop></propfind>]
Request sent; retry is 0.
[status-line] < HTTP/1.1 401 Authorization Required
[hdr] Date: Tue, 28 Nov 2006 11:34:26 GMT
Header Name: [date], Value: [Tue, 28 Nov 2006 11:34:26 GMT]
[hdr] Server: Apache/2.0.54 (Debian GNU/Linux) mod_auth_kerb/5.0-rc6
DAV/2 SVN/1.2.3 PHP/4.3.10-18
Header Name: [server], Value: [Apache/2.0.54 (Debian GNU/Linux)
mod_auth_kerb/5.0-rc6 DAV/2 SVN/1.2.3 PHP/4.3.10-18]
[hdr] WWW-Authenticate: Negotiate
Header Name: [www-authenticate], Value: [Negotiate]
[hdr] Content-Length: 401
Header Name: [content-length], Value: [401]
[hdr] Keep-Alive: timeout=15, max=100
Header Name: [keep-alive], Value: [timeout=15, max=100]
[hdr] Connection: Keep-Alive
Header Name: [connection], Value: [Keep-Alive]
[hdr] Content-Type: text/html; charset=iso-8859-1
Header Name: [content-type], Value: [text/html; charset=iso-8859-1]
[hdr] 
End of headers.
Reading 401 bytes of response body.
Got 401 bytes.
Read block (401 bytes):
[<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>401 Authorization Required</title>
</head><body>
<h1>Authorization Required</h1>
<p>This server could not verify that you
are authorized to access the document
requested.  Either you supplied the wrong
credentials (e.g., bad password), or your
browser doesn't understand how to supply
the credentials required.</p>
</body></html>
]
Running post_send hooks
Request ends, status 401 class 4xx, error line:
401 Authorization Required
Running destroy hooks.
Request ends.
svn: PROPFIND request failed on '/svn/test/Trunk'
svn: PROPFIND of '/svn/test/Trunk': authorization failed (http://HOST)
ne_session_destroy called.
ne_session_destroy called.

-- 
Yves Martin

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org

Re: Client authentication with Kerberos ticket

Posted by Samay <ge...@hotmail.com>.
>  Why ? Is GSSAPI over http less secure than Basic over http ?
>

GSSAPI (SPNEGO) is a lot more secure than the Basic method when used over HTTP, 
as the username/password never travels on the wire. The payload is in clear 
irrespective of the method. I fail to see the logic in restricting SPNEGO/GSSAPI to 
HTTPS only!

..L8rz! 


Re: Client authentication with Kerberos ticket

Posted by Yves Martin <yv...@elca.ch>.
On Fri, 2006-12-22 at 06:16 +1100, Samay wrote:
> >
> > BUT
> > . TurtoiseSVN 1.4.1 simply crashes !
> > . svn Win32 1.4.2 command line also crashes ?

> it’s a known problem. Try using Tortoise 1.4.0 r7501 ... SVN windows command 
> line does not work with SPNego since version 1.4 if compiled with Neon 
> 0.26.x ... works fine if compiled with Neon 0.25.5 ... probably due to some 
> API changes or something. Search the mailing list archives for past 
> discussion on this one. 

 Thank you for this information. I have spent so much time configuring
 the Apache2 server to do SPNEGO with Kerberos that I was really upset
 by such a crash.
 It will not be easy to explain to users that they must use a previous version because 
 the official release does not support the protocol I have chosen...

 Is it possible to find a compiled version of the command-line client 1.4.2 and 
 TortoiseSVN 1.4.1 with neon 0.25 that supports SPNEGO?
 [I know how to compile on Linux, but not on Win32]

 Regards,
-- 
Yves Martin



Re: Client authentication with Kerberos ticket

Posted by Steinar Bang <sb...@dod.no>.
>>>>> Yves Martin <yv...@elca.ch>:

>   In fact, Tortoise 1.4.0 works properly only if the URL uses the
>   server canonical name and not my virtual hostname which a DNS alias 
>   (CNAME).
>   I think it is a bug already corrected in the next neon version.

One kerb problem I've had with kerb in Win2k domains is with DNS
"ghosts".

I.e. where the reverse DNS for the client comes up with more than
one FQDN, and the one listed first isn't the FQDN the machine believes
it has (and has requested tickets for).  It's the FQDN of some
previous DHCP lease holder for that particular IP address.

It doesn't seem to be a problem when communicating with the domain
controller, but it has been a problem when accessing HTTP servers
(both IIS and apache/kerb).


Re: Client authentication with Kerberos ticket

Posted by Yves Martin <yv...@elca.ch>.
On Fri, 2006-12-22 at 13:37 +0100, Yves Martin wrote:
> On Fri, 2006-12-22 at 06:16 +1100, Samay wrote:
> > >
> > > BUT
> > > . TurtoiseSVN 1.4.1 simply crashes !
> > > . svn Win32 1.4.2 command line also crashes ?
> > 
> > it’s a known problem. Try using Tortoise 1.4.0 r7501 ... SVN windows command 
> > line does not work with SPNego since version 1.4 if compiled with Neon 
> > 0.26.x ... works fine if compiled with Neon 0.25.5 ... probably due to some 
> > API changes or something. Search the mailing list archives for past 
> > discussion on this one. 
> 
>   I tried Tortoise 1.4.0 but it sends a SPNEGO / NTLM ticket
>   (without crashing, that is better) whereas 1.4.1 sends properly a   
>   SPNEGO / GSSAPI ticket but crashs.

  In fact, Tortoise 1.4.0 works properly only if the URL uses the
  server's canonical name and not my virtual hostname, which is a DNS alias 
  (CNAME).
  I think it is a bug already corrected in the next neon version.

 Merry Christmas
-- 
Yves Martin



Re: Client authentication with Kerberos ticket

Posted by Yves Martin <yv...@elca.ch>.
On Fri, 2006-12-22 at 06:16 +1100, Samay wrote:
> >
> > BUT
> > . TurtoiseSVN 1.4.1 simply crashes !
> > . svn Win32 1.4.2 command line also crashes ?
> 
> it’s a known problem. Try using Tortoise 1.4.0 r7501 ... SVN windows command 
> line does not work with SPNego since version 1.4 if compiled with Neon 
> 0.26.x ... works fine if compiled with Neon 0.25.5 ... probably due to some 
> API changes or something. Search the mailing list archives for past 
> discussion on this one. 

  I tried Tortoise 1.4.0, but it sends an SPNEGO / NTLM ticket
  (without crashing, which is better) whereas 1.4.1 properly sends an
  SPNEGO / GSSAPI ticket but crashes.

[Fri Dec 22 11:59:00 2006] [debug] src/mod_auth_kerb.c(1194): [client
10.10.80.225] Warning: received token seems to be NTLM, which isn't
supported by the Kerberos module. Check your IE configuration.
[Fri Dec 22 11:59:00 2006] [error] [client 10.10.80.225]
gss_accept_sec_context() failed: A token was invalid (Token header is
malformed or corrupt)

  Have you got another option ? Does JavaSVN support SPNEGO/GSSAPI ?

-- 
Yves Martin



Re: Client authentication with Kerberos ticket

Posted by Samay <ge...@hotmail.com>.
> 
> BUT
> . TurtoiseSVN 1.4.1 simply crashes !
> . svn Win32 1.4.2 command line also crashes ?
>

It's a known problem. Try using Tortoise 1.4.0 r7501 ... The SVN Windows command 
line does not work with SPNEGO since version 1.4 if compiled with Neon 
0.26.x ... it works fine if compiled with Neon 0.25.5 ... probably due to some 
API changes or something. Search the mailing list archives for past 
discussion on this one. 


Re: Client authentication with Kerberos ticket

Posted by Yves Martin <yv...@elca.ch>.
>  For the moment, I configure https to get ticket authentication,
>  but I'm afraid of performance.

 Server configuration is complete.
 . IE is authenticated properly with SPNEGO
 . the svn Linux client too (after klist and kvno)

 If I use the svn Win32 client 1.3.2, it works with tickets! 
 My Linux server uses svn 1.3.2 too.

 BUT
 . TortoiseSVN 1.4.1 simply crashes!
 . svn Win32 1.4.2 command line also crashes?

 And the Apache2 access log is OK: IP, user, action, path, svn 1.4.2

10.10.80.225 - yma@ELCA.CH [21/Dec/2006:14:03:20 +0100]
"PROPFIND /subversion/PROJ/trunk HTTP/1.1" 207 720 "-" "SVN/1.4.2 (r22196) neon/0.26.1"

 So it is not a server or Kerberos issue...

[Thu Dec 21 14:03:20 2006] [debug] src/mod_auth_kerb.c(1023): [client
10.10.80.225] Acquiring creds for HTTP/srv11590.elca.ch@ELCA.CH
[Thu Dec 21 14:03:20 2006] [debug] src/mod_auth_kerb.c(1152): [client
10.10.80.225] Verifying client data using SPNEGO GSS-API
[Thu Dec 21 14:03:20 2006] [debug] src/mod_auth_kerb.c(1168): [client
10.10.80.225] Verification returned code 0
[Thu Dec 21 14:03:20 2006] [debug] src/mod_auth_kerb.c(1186): [client
10.10.80.225] GSS-API token of length 0 bytes will be sent back

[Thu Dec 21 14:03:27 2006] [debug] /home/skx/apache2-2.0.54/build-tree/apache2/modules/ssl/ssl_engine_io.c(1522): OpenSSL: I/O error, 5 bytes expected to read on BIO#894d988 [mem: 89a2af0]
[Thu Dec 21 14:03:27 2006] [info] (104)Connection reset by peer: SSL input filter read failed.

 What may be wrong now with TortoiseSVN 1.4.1 on Windows 2000 SP4?
 I have submitted the crash report...

 Thank you in advance for your help
-- 
Yves Martin


Re: Client authentication with Kerberos ticket

Posted by Yves Martin <yv...@elca.ch>.
On Thu, 2006-12-21 at 20:44 +1100, Samay wrote:
> GSSAPI (SPNego) is lot more secure thn Basic method when used over
> HTTP. As 
> username/password never travels on the wire. Payload is in clear 
> irrespective of the method. I fail to see logic to restrict
> SPNego/GSSAPI to 
> HTTPS only!

 I'm glad to hear that.

On Thu, 2006-12-21 at 10:04 +0100, Steinar Bang wrote:
> >>>>> "D.J. Heap" <dj...@gmail.com>:
> Perhaps the reasoning is that when people wish to use a secure
> authentication method, they wish the entire traffic to be secure and
> should not be fooled to use an open transfer? (not a reasoning I would
> have made, but there you go)  Or perhaps it is an artifact of the
> implementation?  Ie. it was easier this way?

 I think you're right. GSS code seems to re-use the SSL "context"...

 For the moment, I configure https to get ticket authentication,
 but I'm afraid of performance.

 Regards
-- 
Yves Martin


Re: Client authentication with Kerberos ticket

Posted by Steinar Bang <sb...@dod.no>.
>>>>> "D.J. Heap" <dj...@gmail.com>:

> On 12/20/06, Yves Martin <yv...@elca.ch> wrote:
>> BUT the GSSAPI/Negotiate is only tried with SSL ?
>> Why ? Is GSSAPI over http less secure than Basic over http ?

> I'm not an auth expert, but my understanding is that they are not
> really secure over http.

Kerb authentication using HTTP Negotiate over plain HTTP is as secure
as kerb itself is, which is pretty secure.  Authentication will be
secure.  The traffic itself won't be secure, i.e. the payload will go
in the clear.

Perhaps the reasoning is that when people wish to use a secure
authentication method, they wish the entire traffic to be secure and
should not be fooled into using an open transfer? (not a reasoning I would
have made, but there you go)  Or perhaps it is an artifact of the
implementation?  I.e. it was easier this way?


Re: Client authentication with Kerberos ticket

Posted by "D.J. Heap" <dj...@gmail.com>.
On 12/20/06, Yves Martin <yv...@elca.ch> wrote:
[snip]
>  The answer is yes (if SSL) but no (if not SSL) !
>
>  Reading the code neon/src/ne_auth.c (around line 1050),
>  the SSPI/Negotiate or SSPI/NTLM or Digest
>  or Basic methods are tried whatever the http/https mode.
>
>  BUT the GSSAPI/Negotiate is only tried with SSL ?
>  Why ? Is GSSAPI over http less secure than Basic over http ?
>


I'm not an auth expert, but my understanding is that they are not
really secure over http.  Why BASIC is allowed and the others are not
is because (I think) everyone knows that BASIC isn't secure, but the
others imply safety where there really isn't any.

In any case, the next major release of Subversion will include a
config option to turn them on over http if you really want to.

DJ


Re: Client authentication with Kerberos ticket

Posted by Yves Martin <yv...@elca.ch>.
On Wed, 2006-12-20 at 15:20 +0100, Yves Martin wrote:

>  Now the SPNEGO seems to work between a IE navigator and 
>  my Apache2 server.
> 
>  But I still have troubles with svn clients:
>  .  TurtoiseSVN 1.4.1 / SVN 1.4.2 on Windows
>     asks me for a user/password to do basic authentication
>    
>  .  svn 1.4.2 command line on Linux also asks me for a password
>     even after creating my principal ticket with kinit
>     and the service ticket with kvno !
> 
>  Neon in debug mode 138 shows:
> Got new auth challenge: Negotiate, Basic realm="Domain Login"
> New 'Negotiate' challenge.
> New 'Basic' challenge.
> Got pair: [realm] = [Domain Login]
> Finished parsing parameters.
> Looking for Digest challenges.
> No good Digest challenges, looking for Basic.
> Got Basic challenge with realm [Domain Login]

>  Is Neon supposed to work with Negotiate and Kerberos ?

  The answer is yes (if SSL) but no (if not SSL)!

  Reading the code in neon/src/ne_auth.c (around line 1050),
  the SSPI/Negotiate, SSPI/NTLM, Digest
  or Basic methods are tried whatever the http/https mode.

  BUT GSSAPI/Negotiate is only tried with SSL?
  Why? Is GSSAPI over http less secure than Basic over http?

  Thank you for your help
-- 
Yves Martin


Re: Client authentication with Kerberos ticket

Posted by Yves Martin <yv...@elca.ch>.
On Tue, 2006-11-28 at 16:09 +0100, Yves Martin wrote:
>    Hello,
> 
>  I'm currently deploying Subversion (1.2.3 on Debian Linux server)
>  with Apache2/mod_dav/svn/mod_auth_krb
>  and a svn client in version 1.4.2 (Linux)
> 
>  If I allow kerberos password (KrbMethodK5Passwd on)
>  it works but the client asks me for the password each time.
> 
>  If I disable kerberos password (KrbMethodK5Passwd on)
>  with KrbMethodNegotiate on,
>  the client fails directly without trying my ticket, just
>  successfully created with kinit (checked with klist).
> 
>  I have found no tutorial or FAQ concerning svn+kerberos+ticket
>  With neon debug messages enabled, but it does not help me (see below).
>  I have compiled neon lib (client) with gssapi. But is it enough ?

    Hello,

 The following Kerberos tutorial enabled me to improve
 my configuration:
   http://www.grolmsnet.de/kerbtut/

 Now SPNEGO seems to work between an IE browser and 
 my Apache2 server.

 But I still have troubles with svn clients:
 .  TortoiseSVN 1.4.1 / SVN 1.4.2 on Windows
    asks me for a user/password to do basic authentication
   
 .  svn 1.4.2 command line on Linux also asks me for a password
    even after creating my principal ticket with kinit
    and the service ticket with kvno!

 Neon in debug mode 138 shows:
Got new auth challenge: Negotiate, Basic realm="Domain Login"
New 'Negotiate' challenge.
New 'Basic' challenge.
Got pair: [realm] = [Domain Login]
Finished parsing parameters.
Looking for Digest challenges.
No good Digest challenges, looking for Basic.
Got Basic challenge with realm [Domain Login]


 Why do I want to avoid basic authentication? Because I want to
 avoid https for performance reasons. And SPNEGO/Negotiate seems
 to be the right path thanks to Kerberos tickets.

 Is Neon supposed to work with Negotiate and Kerberos?

 My svn Linux client is properly compiled with GSS:
$ grep GSS subversion-1.4.2/neon/config.h
/* Define if GSS_C_NT_HOSTBASED_SERVICE is not defined otherwise */
/* #undef GSS_C_NT_HOSTBASED_SERVICE */
/* Define if GSSAPI support is enabled */
#define HAVE_GSSAPI 1
#define HAVE_GSSAPI_GSSAPI_GENERIC_H 1
#define HAVE_GSSAPI_GSSAPI_H 1
/* #undef HAVE_GSSAPI_H */
#define HAVE_GSS_INIT_SEC_CONTEXT 1


 Have you already experienced such a configuration?
 Thank you in advance for any hint
-- 
Yves Martin - RP/Iliade - ADS / BL2

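As an added illustration (not code from neon, mod_auth_kerb or any post in this thread), the Python below parses the `Negotiate, Basic realm="Domain Login"` challenge neon logged above, applies the scheme selection the thread attributes to ne_auth.c (GSSAPI Negotiate only over https, then Digest, then Basic), and separates a raw NTLM blob from a GSS-API token the way the mod_auth_kerb "token seems to be NTLM" warning requires. The base64 prefix check, the SPNEGO sample token and the `choose_scheme` policy model are constructed for this example.

```python
import base64
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: the challenge neon logged in this thread.
WWW_AUTHENTICATE = 'Negotiate, Basic realm="Domain Login"'
# base64 of "NTLMSSP\0\x01\0\0\0" (raw NTLM Type 1); a client sending this inside
# "Negotiate" is what the mod_auth_kerb "token seems to be NTLM" warning reports.
NTLM_TYPE1_PREFIX_B64 = "TlRMTVNTUAAB"
# Constructed GSS-API token: [APPLICATION 0] wrapping the SPNEGO OID 1.3.6.1.5.5.2.
SAMPLE_SPNEGO_TOKEN_B64 = base64.b64encode(
    b"\x60\x08\x06\x06\x2b\x06\x01\x05\x05\x02").decode()

_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
_SCHEME = re.compile(r"\s*,?\s*(" + _TOKEN + r")\s*")
_TOKEN68 = re.compile(r"([A-Za-z0-9\-._~+/]+=*)\s*(?=,|$)")
_PARAM = re.compile(r"\s*(" + _TOKEN + r')\s*=\s*(?:"((?:[^"\\]|\\.)*)"|('
                    + _TOKEN + r"))\s*,?")

def parse_challenges(header: str) -> List[Tuple[str, Dict[str, str]]]:
    """Split a WWW-Authenticate value into (scheme, params) pairs. A bare
    token before a comma ("Negotiate") is a scheme, "name=value" belongs to
    the preceding scheme, and a token68 blob is stored under "token68"."""
    out: List[Tuple[str, Dict[str, str]]] = []
    pos = 0
    while (m := _SCHEME.match(header, pos)):
        scheme, pos, params = m.group(1).lower(), m.end(), {}
        if (t := _TOKEN68.match(header, pos)):
            params["token68"], pos = t.group(1), t.end()
        while (p := _PARAM.match(header, pos)):
            params[p.group(1).lower()] = p.group(2) if p.group(2) is not None else p.group(3)
            pos = p.end()
        out.append((scheme, params))
    return out

def choose_scheme(challenges, over_tls: bool, have_gssapi: bool) -> Optional[str]:
    """Model of the neon policy the thread reports from ne_auth.c: GSSAPI
    Negotiate only on an https session, otherwise Digest, then Basic (the order
    of neon's "Looking for Digest ... looking for Basic"). SSPI is not modelled."""
    schemes = {s for s, _ in challenges}
    if "negotiate" in schemes and have_gssapi and over_tls:
        return "negotiate"
    return next((s for s in ("digest", "basic") if s in schemes), None)

def classify_negotiate_token(b64_token: str) -> str:
    """Tell a raw NTLMSSP blob from a GSS-API one before gss_accept_sec_context()
    sees it. The base64-prefix test is this example's own, not mod_auth_kerb's code."""
    if b64_token.startswith(NTLM_TYPE1_PREFIX_B64):
        return "ntlm"
    try:
        raw = base64.b64decode(b64_token, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return "malformed"
    # RFC 2743 InitialContextToken starts with DER tag 0x60 ([APPLICATION 0]).
    return "gssapi" if raw[:1] == b"\x60" else "unknown"

if __name__ == "__main__":
    ch = parse_challenges(WWW_AUTHENTICATE)
    print("http:", choose_scheme(ch, False, True), "https:", choose_scheme(ch, True, True))
```

Over plain http the model falls through to Basic exactly as the debug output above shows, which is why the client prompted for a password despite a valid ticket.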