Enable sasl authentication for subversion
Introduction
This document describes how to enable sasl2 authentication for subversion, thus avoiding having to send plain text passwords over the internet.
Procedure
First make sure that the required packages are installed:
zypper in cyrus-sasl cyrus-sasl-digestmd5
Now create the repository as usual:
svnadmin create /srv/svn/repos/<repo>
And make sure the subversion user has sufficient access:
chown -R svn:svn /srv/svn/repos/<repo>
Then in /srv/svn/repos/<repo>/conf/ edit the file svnserve.conf. Below are the relevant lines of this file:
[general]
anon-access = none
auth-access = write
realm = subversion

[sasl]
use-sasl = true
min-encryption = 128
max-encryption = 256
Create the file /etc/sasl2/svn.conf with the content below:
pwcheck_method: auxprop
auxprop_plugin: sasldb
sasldb_path: /srv/svn/passwddb
mech_list: DIGEST-MD5
Create a user for sasl2 authentication with subversion:
saslpasswd2 -c -f /srv/svn/passwddb -u subversion <username>
Make sure that the realm specified with the "-u" parameter matches the realm specified in svnserve.conf. You can check this by running:
sasldblistusers2 -f /srv/svn/passwddb
The output looks something like this:
<username>@subversion: userPassword
Normally the svn user does not have sufficient rights to read the sasl2 password database, so we set an ACL on it to fix this:
setfacl -m u:svn:r /srv/svn/passwddb
Update after upgrading to openSUSE 15.3
After upgrading to openSUSE 15.3 (from 15.2) authentication stopped working. In order to fix this, I had to recreate the users again. First, remove /srv/svn/passwddb and create the users again. Then set the ACL on the following two files:
setfacl -m u:svn:r /srv/svn/passwddb.dir
setfacl -m u:svn:r /srv/svn/passwddb.pag
Finally restart the subversion server:
systemctl restart svnserve
Now from a client do a checkout of the repository. You should be able to log in with the username / password you created earlier.
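The realm check from the procedure above can be scripted. The following is an added example, not part of the original procedure: it parses svnserve.conf and a saved sasldblistusers2 listing and reports users whose realm does not match. The function names and the sample users alice and bob are assumptions made for illustration.

```sh
#!/bin/sh
# Added example (not from the original page): check that svnserve.conf and the
# sasldb user list agree on the realm. Function names are assumptions.

# Print the value of KEY in [SECTION] of an ini-style file such as svnserve.conf.
conf_get() {  # usage: conf_get FILE SECTION KEY
    awk -v sec="[$2]" -v key="$3" '
        /^[ \t]*#/  { next }                                # comment line
        /^[ \t]*\[/ { gsub(/[ \t]/, ""); cur = $0; next }   # section header
        cur == sec && index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1)
            v = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) { print v; exit }
        }' "$1"
}

# Read `sasldblistusers2` output on stdin; print each user@realm not in REALM.
users_outside_realm() {  # usage: users_outside_realm REALM < LISTING
    awk -v realm="$1" -F': ' '
        $1 != "" { n = split($1, p, "@"); if (n < 2 || p[n] != realm) print $1 }'
}

# Return 0 if the config enables SASL as on this page and every listed user is
# in the configured realm; otherwise print each problem and return 1.
check_svn_sasl() {  # usage: check_svn_sasl SVNSERVE_CONF LISTING_FILE
    rc=0
    realm=$(conf_get "$1" general realm)
    [ "$(conf_get "$1" sasl use-sasl)" = "true" ] || { echo "use-sasl is not true"; rc=1; }
    [ "$(conf_get "$1" general anon-access)" = "none" ] || { echo "anon-access is not none"; rc=1; }
    bad=$(users_outside_realm "$realm" < "$2")
    [ -z "$bad" ] || { echo "users outside realm '$realm': $bad"; rc=1; }
    return "$rc"
}

# Constructed sample input: alice matches the realm, bob was created with a
# different -u value and would fail to authenticate.
demo() {
    d=$(mktemp -d)
    printf '[general]\nanon-access = none\nauth-access = write\nrealm = subversion\n[sasl]\nuse-sasl = true\n' > "$d/svnserve.conf"
    printf 'alice@subversion: userPassword\nbob@svn: userPassword\n' > "$d/users.txt"
    check_svn_sasl "$d/svnserve.conf" "$d/users.txt"; status=$?
    rm -rf "$d"
    return "$status"
}
demo || echo "configuration needs fixing"
```

On the server, save the output of sasldblistusers2 -f /srv/svn/passwddb to a file and pass it to check_svn_sasl together with /srv/svn/repos/<repo>/conf/svnserve.conf.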