Bug#797216: libapache2-mod-svn: path based authentication fails with kerberos
* James McCoy wrote:
> Thanks. One last thing. Would you be able to perform the same test
> against a server running unstable's libapache2-mod-svn, apache2, etc.?

I had to install a new machine, hence the delay.

Another thing I noticed: If I replace "* =" by "* = r" (which in my case
means "any valid user") as the last line in the SVN authz file, "svn ls"
works. I can't commit, though.

Andreas

|Running pre_send hooks
|compress: Initialization.
|compress: Initialization.
|Sending request headers:
|OPTIONS /svn-krb/${REPO} HTTP/1.1
|User-Agent: SVN/1.7.19 neon/0.29.6
|Keep-Alive:
|Connection: TE, Keep-Alive
|TE: trailers
|Host: ${FQDN}
|Content-Type: text/xml
|Accept-Encoding: gzip
|DAV: http://subversion.tigris.org/xmlns/dav/svn/depth
|DAV: http://subversion.tigris.org/xmlns/dav/svn/mergeinfo
|DAV: http://subversion.tigris.org/xmlns/dav/svn/log-revprops
|Content-Length: 104
|Accept-Encoding: gzip
|
|Sending request-line and headers:
|Doing DNS lookup on ${FQDN}...
|req: Connecting to ${IPv4}:443
|Sending request body:
|Body block (104 bytes):
|[]
|Request sent; retry is 0.
|[status-line] < HTTP/1.1 401 Unauthorized
|[hdr] Date: Thu, 03 Sep 2015 17:13:36 GMT
|Header Name: [date], Value: [Thu, 03 Sep 2015 17:13:36 GMT]
|[hdr] Server: Apache/2.4.16 (Debian)
|Header Name: [server], Value: [Apache/2.4.16 (Debian)]
|[hdr] Content-Length: 468
|Header Name: [content-length], Value: [468]
|[hdr] Keep-Alive: timeout=5, max=100
|Header Name: [keep-alive], Value: [timeout=5, max=100]
|[hdr] Connection: Keep-Alive
|Header Name: [connection], Value: [Keep-Alive]
|[hdr] Content-Type: text/html; charset=iso-8859-1
|Header Name: [content-type], Value: [text/html; charset=iso-8859-1]
|[hdr]
|End of headers.
|Running post_headers hooks
|Reading 468 bytes of response body.
|Got 468 bytes.
|Read block (468 bytes):
|[
|
|401 Unauthorized
|
|Unauthorized
|This server could not verify that you
|are authorized to access the document
|requested.  Either you supplied the wrong
|credentials (e.g., bad password), or your
|browser doesn't understand how to supply
|the credentials required.
|
|Apache/2.4.16 (Debian) Server at ${FQDN} Port 443
|
|]
|Running post_send hooks
|Request ends, status 401 class 4xx, error line:
|401 Unauthorized
|Running destroy hooks.
|Request ends.
|svn: E175002: Unable to connect to a repository at URL 'https://${FQDN}/svn-krb/${REPO}'
|svn: E175002: Server sent unexpected return value (401 Unauthorized) in response to OPTIONS request for 'https://${FQDN}/svn-krb/${REPO}'
|sess: Destroying session.
|sess: Destroying session.
Bug#797216: libapache2-mod-svn: path based authentication fails with kerberos
On Thu, Sep 03, 2015 at 07:35:54PM +0200, Andreas Korsten wrote:
> * James McCoy wrote:
> > Thanks. One last thing. Would you be able to perform the same test
> > against a server running unstable's libapache2-mod-svn, apache2, etc.?
>
> I had to install a new machine, hence the delay.

Understandable. Thanks for taking the time to do that. It's good to see
that the behavior is consistent with the official releases.

> Another thing I noticed: If I replace "* =" by "* = r" (which in my case
> means "any valid user") as the last line in the SVN authz file, "svn ls"
> works. I can't commit, though.

Interesting. Thanks for all the debugging. Hopefully this will be a good
basis for the svn devs to start with.

Cheers,
-- 
James
GPG Key: 4096R/331BA3DB 2011-12-05 James McCoy
Bug#797216: libapache2-mod-svn: path based authentication fails with kerberos
On Tue, Sep 01, 2015 at 04:47:33PM +0200, Andreas Korsten wrote:
> * James McCoy wrote:
> > With the 1.7 client, would you be able to provide the (sanitized) output
> > of “svn --config-option servers:global:neon-debug-mask=130 ls
> > https://${FQDN}/svn-krb/${REPO}” with both the pre-upgrade server and
> > the post-upgrade server?
>
> Here we go. Not very sanitized, I'm afraid.

Thanks. One last thing. Would you be able to perform the same test
against a server running unstable's libapache2-mod-svn, apache2, etc.?
That would help determine whether or not this is an issue with the
backports of the security fixes.

Cheers,
-- 
James
GPG Key: 4096R/331BA3DB 2011-12-05 James McCoy
Bug#797216: libapache2-mod-svn: path based authentication fails with kerberos
* James McCoy wrote:
> With the 1.7 client, would you be able to provide the (sanitized) output
> of “svn --config-option servers:global:neon-debug-mask=130 ls
> https://${FQDN}/svn-krb/${REPO}” with both the pre-upgrade server and
> the post-upgrade server?

Here we go. Not very sanitized, I'm afraid.

Cheers,
Andreas

Post-upgrade:

|Running pre_send hooks
|compress: Initialization.
|compress: Initialization.
|Sending request headers:
|OPTIONS /svn-krb/${REPO} HTTP/1.1
|User-Agent: SVN/1.7.19 neon/0.29.6
|Keep-Alive:
|Connection: TE, Keep-Alive
|TE: trailers
|Host: ${FQDN}
|Content-Type: text/xml
|Accept-Encoding: gzip
|DAV: http://subversion.tigris.org/xmlns/dav/svn/depth
|DAV: http://subversion.tigris.org/xmlns/dav/svn/mergeinfo
|DAV: http://subversion.tigris.org/xmlns/dav/svn/log-revprops
|Content-Length: 104
|Accept-Encoding: gzip
|
|Sending request-line and headers:
|Doing DNS lookup on ${FQDN}...
|req: Connecting to ${IPv6}
|Sending request body:
|Body block (104 bytes):
|[]
|Request sent; retry is 0.
|[status-line] < HTTP/1.1 401 Unauthorized
|[hdr] Date: Tue, 01 Sep 2015 13:53:51 GMT
|Header Name: [date], Value: [Tue, 01 Sep 2015 13:53:51 GMT]
|[hdr] Server: Apache/2.4.10 (Debian)
|Header Name: [server], Value: [Apache/2.4.10 (Debian)]
|[hdr] Content-Length: 465
|Header Name: [content-length], Value: [465]
|[hdr] Keep-Alive: timeout=5, max=100
|Header Name: [keep-alive], Value: [timeout=5, max=100]
|[hdr] Connection: Keep-Alive
|Header Name: [connection], Value: [Keep-Alive]
|[hdr] Content-Type: text/html; charset=iso-8859-1
|Header Name: [content-type], Value: [text/html; charset=iso-8859-1]
|[hdr]
|End of headers.
|Running post_headers hooks
|Reading 465 bytes of response body.
|Got 465 bytes.
|Read block (465 bytes):
|[
|
|401 Unauthorized
|
|Unauthorized
|This server could not verify that you
|are authorized to access the document
|requested.  Either you supplied the wrong
|credentials (e.g., bad password), or your
|browser doesn't understand how to supply
|the credentials required.
|
|Apache/2.4.10 (Debian) Server at ${FQDN} Port 443
|
|]
|Running post_send hooks
|Request ends, status 401 class 4xx, error line:
|401 Unauthorized
|Running destroy hooks.
|Request ends.
|svn: E175002: Unable to connect to a repository at URL 'https://${FQDN}/svn-krb/${REPO}'
|svn: E175002: Server sent unexpected return value (401 Unauthorized) in response to OPTIONS request for 'https://${FQDN}/svn-krb/${REPO}'
|sess: Destroying session.
|sess: Destroying session.

Pre-upgrade:

|Running pre_send hooks
|compress: Initialization.
|compress: Initialization.
|Sending request headers:
|OPTIONS /svn-krb/${REPO} HTTP/1.1
|User-Agent: SVN/1.7.19 neon/0.29.6
|Keep-Alive:
|Connection: TE, Keep-Alive
|TE: trailers
|Host: ${FQDN}
|Content-Type: text/xml
|Accept-Encoding: gzip
|DAV: http://subversion.tigris.org/xmlns/dav/svn/depth
|DAV: http://subversion.tigris.org/xmlns/dav/svn/mergeinfo
|DAV: http://subversion.tigris.org/xmlns/dav/svn/log-revprops
|Content-Length: 104
|Accept-Encoding: gzip
|
|Sending request-line and headers:
|Doing DNS lookup on ${FQDN}...
|req: Connecting to ${IPv4}
|Sending request body:
|Body block (104 bytes):
|[]
|Request sent; retry is 0.
|[status-line] < HTTP/1.1 401 Unauthorized
|[hdr] Date: Tue, 01 Sep 2015 13:55:17 GMT
|Header Name: [date], Value: [Tue, 01 Sep 2015 13:55:17 GMT]
|[hdr] Server: Apache/2.4.10 (Debian)
|Header Name: [server], Value: [Apache/2.4.10 (Debian)]
|[hdr] WWW-Authenticate: Negotiate
|Header Name: [www-authenticate], Value: [Negotiate]
|[hdr] WWW-Authenticate: Basic realm="Fnord Login"
|Header Name: [www-authenticate], Value: [Basic realm="Fnord Login"]
|[hdr] Content-Length: 465
|Header Name: [content-length], Value: [465]
|[hdr] Keep-Alive: timeout=5, max=100
|Header Name: [keep-alive], Value: [timeout=5, max=100]
|[hdr] Connection: Keep-Alive
|Header Name: [connection], Value: [Keep-Alive]
|[hdr] Content-Type: text/html; charset=iso-8859-1
|Header Name: [content-type], Value: [text/html; charset=iso-8859-1]
|[hdr]
|End of headers.
|Running post_headers hooks
|Reading 465 bytes of response body.
|Got 465 bytes.
|Read block (465 bytes):
|[
|
|401 Unauthorized
|
|Unauthorized
|This server could not verify that you
|are authorized to access the document
|requested.  Either you supplied the wrong
|credentials (e.g., bad password), or your
|browser doesn't understand how to supply
|the credentials required.
|
|Apache/2.4.10 (Debian) Server at ${FQDN} Port 443
|
|]
|Running post_send hooks
|Running pre_send hooks
|compress: Initialization.
|compress: Initialization.
|Sending request headers:
|OPTIONS /svn-krb/${REPO} HTTP/1.1
|User-Agent: SVN/1.7.19 neon/0.29.6
|Keep-Alive:
|Connection: TE, Keep-Alive
|TE: trailers
|Host: ${FQDN}
|Content-Type: text/xml
|Accept-Encoding: gzip
|DAV: http://subversion.tigris.org/xmlns/dav/svn/depth
|DAV: http://subversion.tigris.org/xmlns/dav/svn/mergeinfo
|DAV: http://subversion.tigris.org/xmlns/dav/svn/log-revprops
|Content-Length:
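As an added example (not part of the bug report or of Subversion's own tooling), a small check over neon traces of the kind posted above: it pulls each response's status and WWW-Authenticate headers out of the trace and flags a 401 that offers no authentication scheme, which is exactly the difference between the pre-upgrade and post-upgrade traces. The two trace excerpts embedded in the block are constructed in the same shape as the posted ones, not copied from them.

```python
# Added example (not from the bug report): parse a neon debug-mask=130
# trace like the ones posted above and flag a 401 that carries no
# WWW-Authenticate challenge, since neon/serf can only retry with
# Negotiate or Basic credentials when the server offers a scheme.
import re

STATUS_RE = re.compile(r"^\|?\[status-line\] < HTTP/\d\.\d (\d{3})")
HDR_RE = re.compile(r"^\|?\[hdr\] ([A-Za-z-]+): (.*)$")


def parse_trace(text):
    """Return [(status, [www-authenticate values]), ...] per response."""
    responses = []
    for line in text.splitlines():
        m = STATUS_RE.match(line)
        if m:
            responses.append((int(m.group(1)), []))
            continue
        m = HDR_RE.match(line)
        if m and responses and m.group(1).lower() == "www-authenticate":
            responses[-1][1].append(m.group(2).strip())
    return responses


def diagnose(text):
    """One verdict per response: 'ok', 'challenge:<schemes>' for a 401 the
    client can answer, or 'bare-401' for a 401 with no scheme offered."""
    verdicts = []
    for status, challenges in parse_trace(text):
        if status != 401:
            verdicts.append("ok")
        elif challenges:
            schemes = ",".join(c.split()[0] for c in challenges)
            verdicts.append("challenge:" + schemes)
        else:
            verdicts.append("bare-401")
    return verdicts


# Constructed excerpts in the shape of the traces above (not verbatim copies).
POST_UPGRADE = """\
|[status-line] < HTTP/1.1 401 Unauthorized
|[hdr] Server: Apache/2.4.10 (Debian)
|[hdr] Content-Length: 465
|End of headers."""

PRE_UPGRADE = """\
|[status-line] < HTTP/1.1 401 Unauthorized
|[hdr] WWW-Authenticate: Negotiate
|[hdr] WWW-Authenticate: Basic realm="Fnord Login"
|End of headers.
|[status-line] < HTTP/1.1 200 OK
|[hdr] Content-Length: 2191"""
```

Running `diagnose` on a full trace captured with the neon-debug-mask option quoted above gives `['bare-401']` for the failing server and a challenge followed by `ok` for the working one.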
Bug#797216: libapache2-mod-svn: path based authentication fails with kerberos
On Mon, Aug 31, 2015 at 04:09:25PM +0200, Andreas Korsten wrote:
> * James McCoy wrote:
> > As shown in the working example, an initial 401 is expected. The client
> > should retry with the auth. The question is why that isn't happening.
> >
> > What does “svn --version” show?
>
> All clients I tried showed the same behaviour. The first one was:

Ok, so it's not a neon-specific issue.

> Apache access log:
>
> |${CLIENT_IP} - - [31/Aug/2015:15:37:41 +0200] "OPTIONS /svn-krb/${REPO}
> HTTP/1.1" 401 5444 "-" "SVN/1.8.10 (x86_64-pc-linux-gnu) serf/1.3.8"
>
> Client output:
>
> |svn: E120190: Unable to connect to a repository at URL
> 'https://${FQDN}/svn-krb/${REPO}'
> |svn: E120190: Error running context: An error occurred during authentication

With the 1.7 client, would you be able to provide the (sanitized) output
of “svn --config-option servers:global:neon-debug-mask=130 ls
https://${FQDN}/svn-krb/${REPO}” with both the pre-upgrade server and
the post-upgrade server? Hopefully that will shed some light on why the
client isn't retrying with authentication.

Cheers,
-- 
James
GPG Key: 4096R/331BA3DB 2011-12-05 James McCoy
Bug#797216: libapache2-mod-svn: path based authentication fails with kerberos
* James McCoy wrote:
> As shown in the working example, an initial 401 is expected. The client
> should retry with the auth. The question is why that isn't happening.
>
> What does “svn --version” show?

All clients I tried showed the same behaviour. The first one was:

|svn, version 1.7.19 (r1643991)
|   compiled Jun 17 2015, 13:48:11
|
|Copyright (C) 2014 The Apache Software Foundation.
|This software consists of contributions made by many people; see the NOTICE
|file for more information.
|Subversion is open source software, see http://subversion.apache.org/
|
|The following repository access (RA) modules are available:
|
|* ra_neon : Module for accessing a repository via WebDAV protocol using Neon.
|  - handles 'http' scheme
|  - handles 'https' scheme
|* ra_svn : Module for accessing a repository using the svn network protocol.
|  - handles 'svn' scheme
|* ra_local : Module for accessing a repository on local disk.
|  - handles 'file' scheme
|* ra_serf : Module for accessing a repository via WebDAV protocol using serf.
|  - handles 'http' scheme
|  - handles 'https' scheme

Then the one that comes with jessie, but before the security upgrade:

|svn, version 1.8.10 (r1615264)
|   compiled Apr 1 2015, 02:54:56 on x86_64-pc-linux-gnu
|
|Copyright (C) 2014 The Apache Software Foundation.
|This software consists of contributions made by many people;
|see the NOTICE file for more information.
|Subversion is open source software, see http://subversion.apache.org/
|
|The following repository access (RA) modules are available:
|
|* ra_svn : Module for accessing a repository using the svn network protocol.
|  - with Cyrus SASL authentication
|  - handles 'svn' scheme
|* ra_local : Module for accessing a repository on local disk.
|  - handles 'file' scheme
|* ra_serf : Module for accessing a repository via WebDAV protocol using serf.
|  - using serf 1.3.8
|  - handles 'http' scheme
|  - handles 'https' scheme

And finally the one after the security upgrade:

|svn, version 1.8.10 (r1615264)
|   compiled Aug 9 2015, 13:48:39 on x86_64-pc-linux-gnu
|
|Copyright (C) 2014 The Apache Software Foundation.
|This software consists of contributions made by many people;
|see the NOTICE file for more information.
|Subversion is open source software, see http://subversion.apache.org/
|
|The following repository access (RA) modules are available:
|
|* ra_svn : Module for accessing a repository using the svn network protocol.
|  - with Cyrus SASL authentication
|  - handles 'svn' scheme
|* ra_local : Module for accessing a repository on local disk.
|  - handles 'file' scheme
|* ra_serf : Module for accessing a repository via WebDAV protocol using serf.
|  - using serf 1.3.8
|  - handles 'http' scheme
|  - handles 'https' scheme

Apache access log:

|${CLIENT_IP} - - [31/Aug/2015:15:37:41 +0200] "OPTIONS /svn-krb/${REPO} HTTP/1.1" 401 5444 "-" "SVN/1.8.10 (x86_64-pc-linux-gnu) serf/1.3.8"

Client output:

|svn: E120190: Unable to connect to a repository at URL 'https://${FQDN}/svn-krb/${REPO}'
|svn: E120190: Error running context: An error occurred during authentication

BTW: With libapache2-mod-auth-gssapi I get the same error message. However,
with the older SVN packages, the apache access log looks good (after failed
anonymous access it authenticates, successfully), but the client just
outputs nothing and exits zero. The apache error log says "Sessions not
available, no cookies!". I have sessions enabled, but maybe I'm missing
something. I'm just mentioning this because it might be related to the
original problem.

Best,
Andreas
Bug#797216: libapache2-mod-svn: path based authentication fails with kerberos
Package: libapache2-mod-svn
Version: 1.8.10-6+deb8u1
Severity: important

Dear Maintainer,

after the recent security upgrade, kerberos authentication no longer works
with libapache2-mod-auth-kerb (it never worked with
libapache2-mod-auth-gssapi).

Apache configuration:

<Location /svn-krb>
    DAV svn
    SVNParentPath /srv/svn/repos
    AuthzSVNReposRelativeAccessFile authz
    AuthName "Fnord Login"
    AuthType Kerberos
    KrbServiceName HTTP/${FQDN}@${REALM}
    KrbMethodNegotiate on
    KrbMethodK5Passwd on
    Krb5Keytab /etc/apache2/krb5.keytab
    KrbAuthRealms ${REALM}
    KrbLocalUserMapping on
    ###Satisfy Any never worked with mod_auth_kerb
    Require valid-user
</Location>

Output of the svn client:

% svn ls https://${FQDN}/svn-krb/${REPO}
svn: E175002: Unable to connect to a repository at URL 'https://${FQDN}/svn-krb/${REPO}'
svn: E175002: Server sent unexpected return value (401 Unauthorized) in response to OPTIONS request for 'https://${FQDN}/svn-krb/${REPO}'

Apache access log (error log is empty):

${CLIENT_IP} - - [28/Aug/2015:16:41:42 +0200] "OPTIONS /svn-krb/${REPO} HTTP/1.1" 401 5906 "-" "SVN/1.7.19 neon/0.29.6"

With the former (working) version, the logs look like the following:

Apache access:

${CLIENT_IP} - - [28/Aug/2015:16:30:39 +0200] "OPTIONS /svn-krb/${REPO} HTTP/1.1" 401 5970 "-" "SVN/1.7.19 neon/0.29.6"
${CLIENT_IP} - ${USER} [28/Aug/2015:16:30:39 +0200] "OPTIONS /svn-krb/${REPO} HTTP/1.1" 200 2191 "-" "SVN/1.7.19 neon/0.29.6"
${CLIENT_IP} - - [28/Aug/2015:16:30:39 +0200] "OPTIONS /svn-krb/${REPO} HTTP/1.1" 401 778 "-" "SVN/1.7.19 neon/0.29.6"
${CLIENT_IP} - ${USER} [28/Aug/2015:16:30:39 +0200] "OPTIONS /svn-krb/${REPO} HTTP/1.1" 200 2127 "-" "SVN/1.7.19 neon/0.29.6"
[...]

Apache error:

[Fri Aug 28 16:30:39.564926 2015] [authz_svn:info] [pid 2400:tid 140422601058048] [client ${CLIENT_IP}:62991] Access granted: '${USER}' OPTIONS ${REPO}:/
[Fri Aug 28 16:30:39.576384 2015] [authz_svn:info] [pid 2400:tid 140422420596480] [client ${CLIENT_IP}:62991] Access granted: '${USER}' OPTIONS ${REPO}:/
[Fri Aug 28 16:30:39.586857 2015] [authz_svn:info] [pid 2400:tid 140422454167296] [client ${CLIENT_IP}:62991] Access granted: '${USER}' PROPFIND ${REPO}:/
[Fri Aug 28 16:30:39.593162 2015] [authz_svn:info] [pid 2400:tid 140422454167296] [client ${CLIENT_IP}:62991] Access granted: '${USER}' GET ${REPO}:/
[Fri Aug 28 16:30:39.599267 2015] [authz_svn:info] [pid 2400:tid 140422454167296] [client ${CLIENT_IP}:62991] Access granted: '${USER}' GET ${REPO}:/
[...]

-- System Information:
Debian Release: 8.1
  APT prefers stable
  APT policy: (990, 'stable'), (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages libapache2-mod-svn depends on:
ii  apache2-bin [apache2-api-20120211]  2.4.10-10+deb8u1
ii  libc6                               2.19-18
ii  libsvn1                             1.8.10-6+deb8u1

libapache2-mod-svn recommends no packages.

Versions of packages libapache2-mod-svn suggests:
pn  db5.3-util  <none>

-- no debconf information
Bug#797216: libapache2-mod-svn: path based authentication fails with kerberos
On Fri, Aug 28, 2015 at 05:48:29PM +0200, Andreas Korsten wrote:
> after the recent security upgrade, kerberos authentication no longer works
> with libapache2-mod-auth-kerb (it never worked with
> libapache2-mod-auth-gssapi).
>
> Output of the svn client:
>
> % svn ls https://${FQDN}/svn-krb/${REPO}
> svn: E175002: Unable to connect to a repository at URL 'https://${FQDN}/svn-krb/${REPO}'
> svn: E175002: Server sent unexpected return value (401 Unauthorized) in response to OPTIONS request for 'https://${FQDN}/svn-krb/${REPO}'
>
> Apache access log (error log is empty):
>
> ${CLIENT_IP} - - [28/Aug/2015:16:41:42 +0200] "OPTIONS /svn-krb/${REPO} HTTP/1.1" 401 5906 "-" "SVN/1.7.19 neon/0.29.6"

As shown in the working example, an initial 401 is expected. The client
should retry with the auth. The question is why that isn't happening.

What does “svn --version” show?

Would you be able to perform tests on both the upgraded libapache2-mod-svn
and the pre-upgrade version?

Cheers,
-- 
James
GPG Key: 4096R/331BA3DB 2011-12-05 James McCoy james...@debian.org