Bug#797216: libapache2-mod-svn: path based authentication fails with kerberos

2015-09-03 Thread Andreas Korsten
* James McCoy wrote:
> Thanks.  One last thing.  Would you be able to perform the same test
> against a server running unstable's libapache2-mod-svn, apache2, etc.?

I had to install a new machine, hence the delay.

Another thing I noticed: If I replace "* =" by "* = r" (which in my case
means "any valid user") as the last line in the SVN authz file, "svn ls"
works.  I can't commit, though.

Andreas


|Running pre_send hooks
|compress: Initialization.
|compress: Initialization.
|Sending request headers:
|OPTIONS /svn-krb/${REPO} HTTP/1.1
|User-Agent: SVN/1.7.19 neon/0.29.6
|Keep-Alive:
|Connection: TE, Keep-Alive
|TE: trailers
|Host: ${FQDN}
|Content-Type: text/xml
|Accept-Encoding: gzip
|DAV: http://subversion.tigris.org/xmlns/dav/svn/depth
|DAV: http://subversion.tigris.org/xmlns/dav/svn/mergeinfo
|DAV: http://subversion.tigris.org/xmlns/dav/svn/log-revprops
|Content-Length: 104
|Accept-Encoding: gzip
|
|Sending request-line and headers:
|Doing DNS lookup on ${FQDN}...
|req: Connecting to ${IPv4}:443
|Sending request body:
|Body block (104 bytes):
|[]
|Request sent; retry is 0.
|[status-line] < HTTP/1.1 401 Unauthorized
|[hdr] Date: Thu, 03 Sep 2015 17:13:36 GMT
|Header Name: [date], Value: [Thu, 03 Sep 2015 17:13:36 GMT]
|[hdr] Server: Apache/2.4.16 (Debian)
|Header Name: [server], Value: [Apache/2.4.16 (Debian)]
|[hdr] Content-Length: 468
|Header Name: [content-length], Value: [468]
|[hdr] Keep-Alive: timeout=5, max=100
|Header Name: [keep-alive], Value: [timeout=5, max=100]
|[hdr] Connection: Keep-Alive
|Header Name: [connection], Value: [Keep-Alive]
|[hdr] Content-Type: text/html; charset=iso-8859-1
|Header Name: [content-type], Value: [text/html; charset=iso-8859-1]
|[hdr]
|End of headers.
|Running post_headers hooks
|Reading 468 bytes of response body.
|Got 468 bytes.
|Read block (468 bytes):
|[
|
|401 Unauthorized
|
|Unauthorized
|This server could not verify that you
|are authorized to access the document
|requested.  Either you supplied the wrong
|credentials (e.g., bad password), or your
|browser doesn't understand how to supply
|the credentials required.
|
|Apache/2.4.16 (Debian) Server at ${FQDN} Port 443
|
|]
|Running post_send hooks
|Request ends, status 401 class 4xx, error line:
|401 Unauthorized
|Running destroy hooks.
|Request ends.
|svn: E175002: Unable to connect to a repository at URL 
'https://${FQDN}/svn-krb/${REPO}'
|svn: E175002: Server sent unexpected return value (401 Unauthorized) in 
response to OPTIONS request for 'https://${FQDN}/svn-krb/${REPO}'
|sess: Destroying session.
|sess: Destroying session.



Bug#797216: libapache2-mod-svn: path based authentication fails with kerberos

2015-09-03 Thread James McCoy
On Thu, Sep 03, 2015 at 07:35:54PM +0200, Andreas Korsten wrote:
> * James McCoy wrote:
> > Thanks.  One last thing.  Would you be able to perform the same test
> > against a server running unstable's libapache2-mod-svn, apache2, etc.?
> 
> I had to install a new machine, hence the delay.

Understandable.  Thanks for taking the time to do that.  It's good to
see that the behavior is consistent with the official releases.

> Another thing I noticed: If I replace "* =" by "* = r" (which in my case
> means "any valid user") as the last line in the SVN authz file, "svn ls"
> works.  I can't commit, though.

Interesting.  Thanks for all the debugging.  Hopefully this will be a
good basis for the svn devs to start with.

Cheers,
-- 
James
GPG Key: 4096R/331BA3DB 2011-12-05 James McCoy 



Bug#797216: libapache2-mod-svn: path based authentication fails with kerberos

2015-09-01 Thread James McCoy
On Tue, Sep 01, 2015 at 04:47:33PM +0200, Andreas Korsten wrote:
> * James McCoy wrote:
> > With the 1.7 client, would you be able to provide the (sanitized) output
> > of “svn --config-option servers:global:neon-debug-mask=130 ls
> > https://${FQDN}/svn-krb/${REPO}” with both the pre-upgrade server and
> > the post-upgrade server?
> 
> Here we go.  Not very sanitized, I'm afraid.

Thanks.  One last thing.  Would you be able to perform the same test
against a server running unstable's libapache2-mod-svn, apache2, etc.?

That would help determine whether or not this is an issue with the
backports of the security fixes.

Cheers,
-- 
James
GPG Key: 4096R/331BA3DB 2011-12-05 James McCoy 




Bug#797216: libapache2-mod-svn: path based authentication fails with kerberos

2015-09-01 Thread Andreas Korsten
* James McCoy wrote:
> With the 1.7 client, would you be able to provide the (sanitized) output
> of “svn --config-option servers:global:neon-debug-mask=130 ls
> https://${FQDN}/svn-krb/${REPO}” with both the pre-upgrade server and
> the post-upgrade server?

Here we go.  Not very sanitized, I'm afraid.


Cheers,
Andreas


Post-upgrade:
|Running pre_send hooks
|compress: Initialization.
|compress: Initialization.
|Sending request headers:
|OPTIONS /svn-krb/${REPO} HTTP/1.1
|User-Agent: SVN/1.7.19 neon/0.29.6
|Keep-Alive:
|Connection: TE, Keep-Alive
|TE: trailers
|Host: ${FQDN}
|Content-Type: text/xml
|Accept-Encoding: gzip
|DAV: http://subversion.tigris.org/xmlns/dav/svn/depth
|DAV: http://subversion.tigris.org/xmlns/dav/svn/mergeinfo
|DAV: http://subversion.tigris.org/xmlns/dav/svn/log-revprops
|Content-Length: 104
|Accept-Encoding: gzip
|
|Sending request-line and headers:
|Doing DNS lookup on ${FQDN}...
|req: Connecting to ${IPv6}
|Sending request body:
|Body block (104 bytes):
|[]
|Request sent; retry is 0.
|[status-line] < HTTP/1.1 401 Unauthorized
|[hdr] Date: Tue, 01 Sep 2015 13:53:51 GMT
|Header Name: [date], Value: [Tue, 01 Sep 2015 13:53:51 GMT]
|[hdr] Server: Apache/2.4.10 (Debian)
|Header Name: [server], Value: [Apache/2.4.10 (Debian)]
|[hdr] Content-Length: 465
|Header Name: [content-length], Value: [465]
|[hdr] Keep-Alive: timeout=5, max=100
|Header Name: [keep-alive], Value: [timeout=5, max=100]
|[hdr] Connection: Keep-Alive
|Header Name: [connection], Value: [Keep-Alive]
|[hdr] Content-Type: text/html; charset=iso-8859-1
|Header Name: [content-type], Value: [text/html; charset=iso-8859-1]
|[hdr]
|End of headers.
|Running post_headers hooks
|Reading 465 bytes of response body.
|Got 465 bytes.
|Read block (465 bytes):
|[
|
|401 Unauthorized
|
|Unauthorized
|This server could not verify that you
|are authorized to access the document
|requested.  Either you supplied the wrong
|credentials (e.g., bad password), or your
|browser doesn't understand how to supply
|the credentials required.
|
|Apache/2.4.10 (Debian) Server at ${FQDN} Port 443
|
|]
|Running post_send hooks
|Request ends, status 401 class 4xx, error line:
|401 Unauthorized
|Running destroy hooks.
|Request ends.
|svn: E175002: Unable to connect to a repository at URL 
'https://${FQDN}/svn-krb/${REPO}'
|svn: E175002: Server sent unexpected return value (401 Unauthorized) in 
response to OPTIONS request for 'https://${FQDN}/svn-krb/${REPO}'
|sess: Destroying session.
|sess: Destroying session.

Pre-upgrade:
|Running pre_send hooks
|compress: Initialization.
|compress: Initialization.
|Sending request headers:
|OPTIONS /svn-krb/${REPO} HTTP/1.1
|User-Agent: SVN/1.7.19 neon/0.29.6
|Keep-Alive: 
|Connection: TE, Keep-Alive
|TE: trailers
|Host: ${FQDN}
|Content-Type: text/xml
|Accept-Encoding: gzip
|DAV: http://subversion.tigris.org/xmlns/dav/svn/depth
|DAV: http://subversion.tigris.org/xmlns/dav/svn/mergeinfo
|DAV: http://subversion.tigris.org/xmlns/dav/svn/log-revprops
|Content-Length: 104
|Accept-Encoding: gzip
|
|Sending request-line and headers:
|Doing DNS lookup on ${FQDN}...
|req: Connecting to ${IPv4}
|Sending request body:
|Body block (104 bytes):
|[]
|Request sent; retry is 0.
|[status-line] < HTTP/1.1 401 Unauthorized
|[hdr] Date: Tue, 01 Sep 2015 13:55:17 GMT
|Header Name: [date], Value: [Tue, 01 Sep 2015 13:55:17 GMT]
|[hdr] Server: Apache/2.4.10 (Debian)
|Header Name: [server], Value: [Apache/2.4.10 (Debian)]
|[hdr] WWW-Authenticate: Negotiate
|Header Name: [www-authenticate], Value: [Negotiate]
|[hdr] WWW-Authenticate: Basic realm="Fnord Login"
|Header Name: [www-authenticate], Value: [Basic realm="Fnord Login"]
|[hdr] Content-Length: 465
|Header Name: [content-length], Value: [465]
|[hdr] Keep-Alive: timeout=5, max=100
|Header Name: [keep-alive], Value: [timeout=5, max=100]
|[hdr] Connection: Keep-Alive
|Header Name: [connection], Value: [Keep-Alive]
|[hdr] Content-Type: text/html; charset=iso-8859-1
|Header Name: [content-type], Value: [text/html; charset=iso-8859-1]
|[hdr] 
|End of headers.
|Running post_headers hooks
|Reading 465 bytes of response body.
|Got 465 bytes.
|Read block (465 bytes):
|[
|
|401 Unauthorized
|
|Unauthorized
|This server could not verify that you
|are authorized to access the document
|requested.  Either you supplied the wrong
|credentials (e.g., bad password), or your
|browser doesn't understand how to supply
|the credentials required.
|
|Apache/2.4.10 (Debian) Server at ${FQDN} Port 443
|
|]
|Running post_send hooks
|Running pre_send hooks
|compress: Initialization.
|compress: Initialization.
|Sending request headers:
|OPTIONS /svn-krb/${REPO} HTTP/1.1
|User-Agent: SVN/1.7.19 neon/0.29.6
|Keep-Alive: 
|Connection: TE, Keep-Alive
|TE: trailers
|Host: ${FQDN}
|Content-Type: text/xml
|Accept-Encoding: gzip
|DAV: http://subversion.tigris.org/xmlns/dav/svn/depth
|DAV: http://subversion.tigris.org/xmlns/dav/svn/mergeinfo
|DAV: http://subversion.tigris.org/xmlns/dav/svn/log-revprops
|Content-Length: 
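
The two traces above differ in one place: the pre-upgrade 401 carries WWW-Authenticate challenges (Negotiate and Basic), while the post-upgrade 401 carries none, so the client has no scheme it could retry with. The following check, an added example that is not part of the bug report, parses neon debug output (the `|[status-line]` and `|[hdr]` lines) and flags 401 responses that offer no challenge; the trace excerpts inside it are constructed from the ones posted above.

```python
"""Flag 401 responses without a WWW-Authenticate challenge in a neon debug trace
(svn --config-option servers:global:neon-debug-mask=130).

A client can only retry with credentials when the 401 names at least one
scheme; a bare 401 ends the exchange with E175002 as seen in this thread.
"""
import re

# Lines of interest, with or without the leading '|' the reporter used.
STATUS_RE = re.compile(r"^\|?\[status-line\] < HTTP/\d\.\d (\d{3})")
HDR_RE = re.compile(r"^\|?\[hdr\] ([^:]+): (.*)$")


def parse_responses(trace):
    """Split a trace into responses: list of (status, {header: [values]})."""
    responses, current = [], None
    for line in trace.splitlines():
        m = STATUS_RE.match(line)
        if m:
            current = (int(m.group(1)), {})
            responses.append(current)
            continue
        m = HDR_RE.match(line)
        if m and current is not None:
            current[1].setdefault(m.group(1).lower(), []).append(m.group(2))
    return responses


def challenge_schemes(headers):
    """Auth schemes offered via WWW-Authenticate, e.g. ['Negotiate', 'Basic']."""
    return [v.split(None, 1)[0] for v in headers.get("www-authenticate", [])]


def unanswerable_401s(trace):
    """Indexes of 401 responses that offer no authentication scheme at all."""
    return [i for i, (status, hdrs) in enumerate(parse_responses(trace))
            if status == 401 and not challenge_schemes(hdrs)]


# Constructed excerpts modelled on the pre-/post-upgrade traces in this thread.
PRE_UPGRADE = """\
|[status-line] < HTTP/1.1 401 Unauthorized
|[hdr] Server: Apache/2.4.10 (Debian)
|[hdr] WWW-Authenticate: Negotiate
|[hdr] WWW-Authenticate: Basic realm="Fnord Login"
|[hdr] Content-Length: 465
|End of headers.
"""
POST_UPGRADE = """\
|[status-line] < HTTP/1.1 401 Unauthorized
|[hdr] Server: Apache/2.4.10 (Debian)
|[hdr] Content-Length: 465
|End of headers.
"""

if __name__ == "__main__":
    for name, trace in (("pre-upgrade", PRE_UPGRADE), ("post-upgrade", POST_UPGRADE)):
        for status, hdrs in parse_responses(trace):
            print(name, status, challenge_schemes(hdrs) or "NO CHALLENGE")
```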

Bug#797216: libapache2-mod-svn: path based authentication fails with kerberos

2015-08-31 Thread James McCoy
On Mon, Aug 31, 2015 at 04:09:25PM +0200, Andreas Korsten wrote:
> * James McCoy wrote:
> > As shown in the working example, an initial 401 is expected.  The client
> > should retry with the auth.  The question is why that isn't happening.
> > 
> > What does “svn --version” show?
> 
> All clients I tried showed the same behaviour.  The first one was:

Ok, so it's not a neon-specific issue.

> Apache access log:
> 
> |${CLIENT_IP} - - [31/Aug/2015:15:37:41 +0200] "OPTIONS /svn-krb/${REPO} 
> HTTP/1.1" 401 5444 "-" "SVN/1.8.10 (x86_64-pc-linux-gnu) serf/1.3.8"
> 
> Client output:
> 
> |svn: E120190: Unable to connect to a repository at URL 
> 'https://${FQDN}/svn-krb/${REPO}'
> |svn: E120190: Error running context: An error occurred during authentication

With the 1.7 client, would you be able to provide the (sanitized) output
of “svn --config-option servers:global:neon-debug-mask=130 ls
https://${FQDN}/svn-krb/${REPO}” with both the pre-upgrade server and
the post-upgrade server?

Hopefully that will shed some light on why the client isn't retrying
with authentication.

Cheers,
-- 
James
GPG Key: 4096R/331BA3DB 2011-12-05 James McCoy 




Bug#797216: libapache2-mod-svn: path based authentication fails with kerberos

2015-08-31 Thread Andreas Korsten
* James McCoy wrote:
> As shown in the working example, an initial 401 is expected.  The client
> should retry with the auth.  The question is why that isn't happening.
> 
> What does “svn --version” show?

All clients I tried showed the same behaviour.  The first one was:

|svn, version 1.7.19 (r1643991)
|   compiled Jun 17 2015, 13:48:11
|
|Copyright (C) 2014 The Apache Software Foundation.
|This software consists of contributions made by many people; see the NOTICE
|file for more information.
|Subversion is open source software, see http://subversion.apache.org/
|
|The following repository access (RA) modules are available:
|
|* ra_neon : Module for accessing a repository via WebDAV protocol using Neon.
|  - handles 'http' scheme
|  - handles 'https' scheme
|* ra_svn : Module for accessing a repository using the svn network protocol.
|  - handles 'svn' scheme
|* ra_local : Module for accessing a repository on local disk.
|  - handles 'file' scheme
|* ra_serf : Module for accessing a repository via WebDAV protocol using serf.
|  - handles 'http' scheme
|  - handles 'https' scheme

Then the one that comes with jessie, but before the security upgrade:

|svn, version 1.8.10 (r1615264)
|   compiled Apr  1 2015, 02:54:56 on x86_64-pc-linux-gnu
|
|Copyright (C) 2014 The Apache Software Foundation.
|This software consists of contributions made by many people;
|see the NOTICE file for more information.
|Subversion is open source software, see http://subversion.apache.org/
|
|The following repository access (RA) modules are available:
|
|* ra_svn : Module for accessing a repository using the svn network protocol.
|  - with Cyrus SASL authentication
|  - handles 'svn' scheme
|* ra_local : Module for accessing a repository on local disk.
|  - handles 'file' scheme
|* ra_serf : Module for accessing a repository via WebDAV protocol using serf.
|  - using serf 1.3.8
|  - handles 'http' scheme
|  - handles 'https' scheme

And finally the one after the security upgrade:

|svn, version 1.8.10 (r1615264)
|   compiled Aug  9 2015, 13:48:39 on x86_64-pc-linux-gnu
|
|Copyright (C) 2014 The Apache Software Foundation.
|This software consists of contributions made by many people;
|see the NOTICE file for more information.
|Subversion is open source software, see http://subversion.apache.org/
|
|The following repository access (RA) modules are available:
|
|* ra_svn : Module for accessing a repository using the svn network protocol.
|  - with Cyrus SASL authentication
|  - handles 'svn' scheme
|* ra_local : Module for accessing a repository on local disk.
|  - handles 'file' scheme
|* ra_serf : Module for accessing a repository via WebDAV protocol using serf.
|  - using serf 1.3.8
|  - handles 'http' scheme
|  - handles 'https' scheme

Apache access log:

|${CLIENT_IP} - - [31/Aug/2015:15:37:41 +0200] "OPTIONS /svn-krb/${REPO} 
HTTP/1.1" 401 5444 "-" "SVN/1.8.10 (x86_64-pc-linux-gnu) serf/1.3.8"

Client output:

|svn: E120190: Unable to connect to a repository at URL 
'https://${FQDN}/svn-krb/${REPO}'
|svn: E120190: Error running context: An error occurred during authentication

BTW: With libapache2-mod-auth-gssapi I get the same error message.
However, with the older SVN packages, the apache access log looks good
(after failed anonymous access it authenticates, successfully), but the
client just outputs nothing and exits zero.  The apache error log says
"Sessions not available, no cookies!".  I have sessions enabled, but
maybe I'm missing something.  I'm just mentioning this because it might
be related to the original problem.


Best,
Andreas



Bug#797216: libapache2-mod-svn: path based authentication fails with kerberos

2015-08-28 Thread Andreas Korsten
Package: libapache2-mod-svn
Version: 1.8.10-6+deb8u1
Severity: important

Dear Maintainer,

after the recent security upgrade, kerberos authentication no longer
works with libapache2-mod-auth-kerb (it never worked with
libapache2-mod-auth-gssapi).


Apache configuration:

<Location /svn-krb>
DAV svn
SVNParentPath /srv/svn/repos
AuthzSVNReposRelativeAccessFile authz

AuthName Fnord Login
AuthType Kerberos
KrbServiceName HTTP/${FQDN}@${REALM}
KrbMethodNegotiate on
KrbMethodK5Passwd on
Krb5Keytab /etc/apache2/krb5.keytab
KrbAuthRealms ${REALM}
KrbLocalUserMapping on

###Satisfy Any never worked with mod_auth_kerb
Require valid-user
</Location>


Output of the svn client:

% svn ls https://${FQDN}/svn-krb/${REPO}
svn: E175002: Unable to connect to a repository at URL 
'https://${FQDN}/svn-krb/${REPO}'
svn: E175002: Server sent unexpected return value (401 Unauthorized) in 
response to OPTIONS request for 'https://${FQDN}/svn-krb/${REPO}'

Apache access log (error log is empty):

${CLIENT_IP} - - [28/Aug/2015:16:41:42 +0200] "OPTIONS /svn-krb/${REPO} 
HTTP/1.1" 401 5906 "-" "SVN/1.7.19 neon/0.29.6"


With the former (working) version, the logs look like the following:

Apache access:
${CLIENT_IP} - - [28/Aug/2015:16:30:39 +0200] "OPTIONS /svn-krb/${REPO} 
HTTP/1.1" 401 5970 "-" "SVN/1.7.19 neon/0.29.6"
${CLIENT_IP} - ${USER} [28/Aug/2015:16:30:39 +0200] "OPTIONS /svn-krb/${REPO} 
HTTP/1.1" 200 2191 "-" "SVN/1.7.19 neon/0.29.6"
${CLIENT_IP} - - [28/Aug/2015:16:30:39 +0200] "OPTIONS /svn-krb/${REPO} 
HTTP/1.1" 401 778 "-" "SVN/1.7.19 neon/0.29.6"
${CLIENT_IP} - ${USER} [28/Aug/2015:16:30:39 +0200] "OPTIONS /svn-krb/${REPO} 
HTTP/1.1" 200 2127 "-" "SVN/1.7.19 neon/0.29.6"
[...]

Apache error:
[Fri Aug 28 16:30:39.564926 2015] [authz_svn:info] [pid 2400:tid 
140422601058048] [client ${CLIENT_IP}:62991] Access granted: '${USER}' OPTIONS 
${REPO}:/
[Fri Aug 28 16:30:39.576384 2015] [authz_svn:info] [pid 2400:tid 
140422420596480] [client ${CLIENT_IP}:62991] Access granted: '${USER}' OPTIONS 
${REPO}:/
[Fri Aug 28 16:30:39.586857 2015] [authz_svn:info] [pid 2400:tid 
140422454167296] [client ${CLIENT_IP}:62991] Access granted: '${USER}' PROPFIND 
${REPO}:/
[Fri Aug 28 16:30:39.593162 2015] [authz_svn:info] [pid 2400:tid 
140422454167296] [client ${CLIENT_IP}:62991] Access granted: '${USER}' GET 
${REPO}:/
[Fri Aug 28 16:30:39.599267 2015] [authz_svn:info] [pid 2400:tid 
140422454167296] [client ${CLIENT_IP}:62991] Access granted: '${USER}' GET 
${REPO}:/
[...]


-- System Information:
Debian Release: 8.1
  APT prefers stable
  APT policy: (990, 'stable'), (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages libapache2-mod-svn depends on:
ii  apache2-bin [apache2-api-20120211]  2.4.10-10+deb8u1
ii  libc6   2.19-18
ii  libsvn1 1.8.10-6+deb8u1

libapache2-mod-svn recommends no packages.

Versions of packages libapache2-mod-svn suggests:
pn  db5.3-util  none

-- no debconf information



Bug#797216: libapache2-mod-svn: path based authentication fails with kerberos

2015-08-28 Thread James McCoy
On Fri, Aug 28, 2015 at 05:48:29PM +0200, Andreas Korsten wrote:
> after the recent security upgrade, kerberos authentication no longer
> works with libapache2-mod-auth-kerb (it never worked with
> libapache2-mod-auth-gssapi).
> 
> Output of the svn client:
> 
> % svn ls https://${FQDN}/svn-krb/${REPO}
> svn: E175002: Unable to connect to a repository at URL 
> 'https://${FQDN}/svn-krb/${REPO}'
> svn: E175002: Server sent unexpected return value (401 Unauthorized) in 
> response to OPTIONS request for 'https://${FQDN}/svn-krb/${REPO}'
> 
> Apache access log (error log is empty):
> 
> ${CLIENT_IP} - - [28/Aug/2015:16:41:42 +0200] "OPTIONS /svn-krb/${REPO} 
> HTTP/1.1" 401 5906 "-" "SVN/1.7.19 neon/0.29.6"

As shown in the working example, an initial 401 is expected.  The client
should retry with the auth.  The question is why that isn't happening.

What does “svn --version” show?

Would you be able to perform tests on both the upgraded
libapache2-mod-svn and the pre-upgrade version?

Cheers,
-- 
James
GPG Key: 4096R/331BA3DB 2011-12-05 James McCoy james...@debian.org

