Package: libapache2-mod-svn
Version: 1.8.10-6+deb8u1
Severity: important

Dear Maintainer,

After the recent security upgrade, Kerberos authentication no longer
works with libapache2-mod-auth-kerb (it never worked with
libapache2-mod-auth-gssapi).


Apache configuration:

<Location /svn-krb>
        DAV svn
        SVNParentPath /srv/svn/repos
        AuthzSVNReposRelativeAccessFile authz

        AuthName "Fnord Login"
        AuthType Kerberos
        KrbServiceName HTTP/${FQDN}@${REALM}
        KrbMethodNegotiate on
        KrbMethodK5Passwd on
        Krb5Keytab /etc/apache2/krb5.keytab
        KrbAuthRealms ${REALM}
        KrbLocalUserMapping on

        ###Satisfy Any never worked with mod_auth_kerb
        Require valid-user
</Location>


Output of the svn client:

% svn ls https://${FQDN}/svn-krb/${REPO}
svn: E175002: Unable to connect to a repository at URL 
'https://${FQDN}/svn-krb/${REPO}'
svn: E175002: Server sent unexpected return value (401 Unauthorized) in 
response to OPTIONS request for 'https://${FQDN}/svn-krb/${REPO}'

Apache access log (error log is empty):

${CLIENT_IP} - - [28/Aug/2015:16:41:42 +0200] "OPTIONS /svn-krb/${REPO} 
HTTP/1.1" 401 5906 "-" "SVN/1.7.19 neon/0.29.6"


With the former (working) version, the logs look like the following:

Apache access:
${CLIENT_IP} - - [28/Aug/2015:16:30:39 +0200] "OPTIONS /svn-krb/${REPO} 
HTTP/1.1" 401 5970 "-" "SVN/1.7.19 neon/0.29.6"
${CLIENT_IP} - ${USER} [28/Aug/2015:16:30:39 +0200] "OPTIONS /svn-krb/${REPO} 
HTTP/1.1" 200 2191 "-" "SVN/1.7.19 neon/0.29.6"
${CLIENT_IP} - - [28/Aug/2015:16:30:39 +0200] "OPTIONS /svn-krb/${REPO} 
HTTP/1.1" 401 778 "-" "SVN/1.7.19 neon/0.29.6"
${CLIENT_IP} - ${USER} [28/Aug/2015:16:30:39 +0200] "OPTIONS /svn-krb/${REPO} 
HTTP/1.1" 200 2127 "-" "SVN/1.7.19 neon/0.29.6"
[...]

Apache error:
[Fri Aug 28 16:30:39.564926 2015] [authz_svn:info] [pid 2400:tid 
140422601058048] [client ${CLIENT_IP}:62991] Access granted: '${USER}' OPTIONS 
${REPO}:/
[Fri Aug 28 16:30:39.576384 2015] [authz_svn:info] [pid 2400:tid 
140422420596480] [client ${CLIENT_IP}:62991] Access granted: '${USER}' OPTIONS 
${REPO}:/
[Fri Aug 28 16:30:39.586857 2015] [authz_svn:info] [pid 2400:tid 
140422454167296] [client ${CLIENT_IP}:62991] Access granted: '${USER}' PROPFIND 
${REPO}:/
[Fri Aug 28 16:30:39.593162 2015] [authz_svn:info] [pid 2400:tid 
140422454167296] [client ${CLIENT_IP}:62991] Access granted: '${USER}' GET 
${REPO}:/
[Fri Aug 28 16:30:39.599267 2015] [authz_svn:info] [pid 2400:tid 
140422454167296] [client ${CLIENT_IP}:62991] Access granted: '${USER}' GET 
${REPO}:/
[...]


-- System Information:
Debian Release: 8.1
  APT prefers stable
  APT policy: (990, 'stable'), (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages libapache2-mod-svn depends on:
ii  apache2-bin [apache2-api-20120211]  2.4.10-10+deb8u1
ii  libc6                               2.19-18
ii  libsvn1                             1.8.10-6+deb8u1

libapache2-mod-svn recommends no packages.

Versions of packages libapache2-mod-svn suggests:
pn  db5.3-util  <none>

-- no debconf information
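
The two access-log excerpts in the report differ in one observable way: in the working case each anonymous 401 is followed by a 2xx response that carries a user name, while in the failing case the 401 stands alone. The following is an added example, not part of the original report, that flags this pattern in an Apache access log; the addresses, user name and repository names in the sample lines are constructed placeholders.

```python
import re
from collections import defaultdict

# Apache combined log format: host ident user [time] "request" status bytes ...
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample lines modelled on the report (one record per line, unwrapped).
SAMPLE = [
    '192.0.2.10 - - [28/Aug/2015:16:30:39 +0200] "OPTIONS /svn-krb/repo-a HTTP/1.1" 401 5970 "-" "SVN/1.7.19 neon/0.29.6"',
    '192.0.2.10 - alice [28/Aug/2015:16:30:39 +0200] "OPTIONS /svn-krb/repo-a HTTP/1.1" 200 2191 "-" "SVN/1.7.19 neon/0.29.6"',
    '192.0.2.10 - - [28/Aug/2015:16:30:39 +0200] "OPTIONS /svn-krb/repo-a HTTP/1.1" 401 778 "-" "SVN/1.7.19 neon/0.29.6"',
    '192.0.2.10 - alice [28/Aug/2015:16:30:39 +0200] "OPTIONS /svn-krb/repo-a HTTP/1.1" 200 2127 "-" "SVN/1.7.19 neon/0.29.6"',
    '192.0.2.20 - - [28/Aug/2015:16:41:42 +0200] "OPTIONS /svn-krb/repo-b HTTP/1.1" 401 5906 "-" "SVN/1.7.19 neon/0.29.6"',
]

def classify(lines):
    """Return {(host, path): verdict} for every client/path pair that saw a 401."""
    seen = defaultdict(lambda: {"challenges": 0, "authenticated": 0})
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not an access-log record (e.g. a wrapped fragment)
        key = (m["host"], m["path"])
        status, user = int(m["status"]), m["user"]
        if status == 401 and user == "-":
            # Anonymous request answered with an authentication challenge.
            seen[key]["challenges"] += 1
        elif 200 <= status < 400 and user != "-":
            # Request that Apache logged with an authenticated user name.
            seen[key]["authenticated"] += 1
    verdicts = {}
    for key, counts in seen.items():
        if counts["challenges"] == 0:
            continue  # never challenged, nothing to say about authentication
        verdicts[key] = ("negotiated" if counts["authenticated"]
                         else "never-authenticated")
    return verdicts

if __name__ == "__main__":
    for (host, path), verdict in sorted(classify(SAMPLE).items()):
        print(f"{host} {path}: {verdict}")
```

A "never-authenticated" verdict only says that no challenge for that client and path was ever followed by a logged user; a client without credentials produces the same pattern, so compare against clients known to hold a valid ticket.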
