Enable sasl authentication for subversion

From Levy

Revision as of 13:48, 27 July 2021 by Louis

Introduction

This document describes how to enable sasl2 authentication for subversion, so that plaintext passwords are no longer sent over the internet.

Procedure

First make sure that the required packages are installed:

zypper in cyrus-sasl cyrus-sasl-digestmd5

Now create the repository as usual:

svnadmin create /srv/svn/repos/<repo>

And make sure the svn user has sufficient access to it:

chown -R svn:svn /srv/svn/repos/<repo>

Then edit the file svnserve.conf in /srv/svn/repos/<repo>/conf/. The relevant lines of this file are shown below:

[general]
anon-access = none
auth-access = write
realm = subversion

[sasl]
use-sasl = true
min-encryption = 128
max-encryption = 256

Create the file /etc/sasl2/svn.conf with the content below:

pwcheck_method: auxprop
auxprop_plugin: sasldb
sasldb_path: /srv/svn/passwddb
mech_list: DIGEST-MD5

Create a user for sasl2 authentication with subversion:

saslpasswd2 -c -f /srv/svn/passwddb -u subversion <username>

Make sure that the realm given with the "-u" parameter matches the realm set in svnserve.conf, otherwise logins will fail. You can check the realm stored in the database by running:

sasldblistusers2 /srv/svn/passwddb

The output looks something like this:

<username>@subversion: userPassword

Normally the svn user does not have sufficient rights to read the sasl2 password database, so we set an ACL on it to grant read access:

setfacl -m u:svn:r /srv/svn/passwddb

Finally restart the subversion server:

systemctl restart svnserve

Now do a checkout of the repository from a client. You should be able to log in with the username and password you created earlier.
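As an added example (not part of the original page), a small POSIX shell script that checks two things from the procedure above: that svnserve.conf really enforces SASL with a min-encryption of at least 128, and that every entry in a sasldblistusers2 listing carries the realm configured in svnserve.conf. The sample svnserve.conf and user list are constructed inline; the keys, values and paths are the ones used on this page.

```shell
# Added consistency checks for the setup described on this page (not part of
# the original page). The sample svnserve.conf and the sasldblistusers2 output
# below are constructed; the keys and paths are the ones used in the page.

# Print the value of KEY from an ini-style FILE ("key = value"), trimmed.
ini_get() {  # ini_get FILE KEY
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\(.*\)$/\1/p" "$1" |
        head -n 1 | sed 's/[[:space:]]*$//'
}

# Succeed only when svnserve.conf enforces SASL with at least 128-bit encryption.
check_svnserve_conf() {  # check_svnserve_conf SVNSERVE_CONF
    [ "$(ini_get "$1" use-sasl)" = "true" ] || { echo "use-sasl is not true"; return 1; }
    min=$(ini_get "$1" min-encryption)
    [ "${min:-0}" -ge 128 ] || { echo "min-encryption is below 128"; return 1; }
}

# Succeed only when every "user@realm:" entry in a sasldblistusers2 listing
# carries the realm configured in svnserve.conf; print each mismatch.
check_realm() {  # check_realm SVNSERVE_CONF USERLIST_FILE
    realm=$(ini_get "$1" realm)
    bad=0
    while read -r entry rest; do
        case "$entry" in
            *@"$realm":) ;;
            *) echo "realm mismatch: $entry (expected @$realm)"; bad=1 ;;
        esac
    done < "$2"
    return $bad
}

# Constructed sample input in a scratch directory.
TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT
cat > "$TMP/svnserve.conf" <<'EOF'
[general]
anon-access = none
realm = subversion

[sasl]
use-sasl = true
min-encryption = 128
EOF
# alice was created with "-u subversion"; bob with the wrong realm "svn".
printf 'alice@subversion: userPassword\nbob@svn: userPassword\n' > "$TMP/users.txt"
check_svnserve_conf "$TMP/svnserve.conf" && echo "svnserve.conf: ok"
check_realm "$TMP/svnserve.conf" "$TMP/users.txt" || echo "fix the realm of the listed users"
```

On a real server, feed it the live svnserve.conf and the output of sasldblistusers2 /srv/svn/passwddb saved to a file.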