Discussion:
SVN E170001: Authentication error with specific user/realm/pw combinations while many other work!
NOCERA, ANDY
2018-04-13 17:55:16 UTC
Summary: SVN E170001: Authentication error with specific user/realm/pw combinations while many other work!





Observations/Workarounds



While there is a workaround, by simply changing the password, we have an unusual reoccurring issue with some user/realm/password combinations. It's a problem setting the same password to many repos.



The issue shows up under both CRAM-MD5 and DIGEST-MD5, but not for the same user/realm/password.





From an SVN perspective:

How do I get svn/svnserve to log the hashed response so I can compare it outside of SASL and MYSQL?

I suspect our method to generate the hashed CRAM-MD5 and DIGEST-MD5 that we store in mysql has a bug. What is a good place to locate source for this program?





Use Case is a simple svn task: $svn list svn://SVN.HOST.DOMAIN:12000



Server Config

svnserve configured via SASL mechanism CRAM-MD5 and/or DIGEST-MD5 -

Hashed passwd stored in mysqlDB

separate realm for each repo



Assumptions:

Since it works most of the time, configurations are correct.



Issue: Some password combinations return svn: E170001: Authentication error from server: SASL(-13): authentication failure: incorrect digest response



User/process quick check: when we suspect an issue we compare the generated hash with the DB stored hash to rule out process, user and DB issues.



gen_hash - user realm passwd using sasl_passwd binary

query_hash - query user realm from MYSQL DB



inspect HEX gen_hash ~ HEX query_hash



if hash matches, we expect $svn list user passwd svn://SVN.HOST.DOMAIN:12000 to be successful.





Summary Sample tests updating mysqlDB and running svn list using a different password

Works- Capmpwds2018

Works- apmpwds2018

Fails- capmpwds2018

Works- cApmpwds2018





Test SCRIPT

ksh ./add_user.sh:prod m80154 Capmpwds2018 capmbat2 update



The DB agrees with user/pw/realm

DB cmusaslsecretCRAM-MD5 6FE5A5552D2F13F7BDBF6FB2AE9B1A125313C2BA79479D153877B95CFA9DFC29

Commandline CRAM USER:HEX/UN 6FE5A5552D2F13F7BDBF6FB2AE9B1A125313C2BA79479D153877B95CFA9DFC29



Success m80154 - /opt/app/scm/svn/binaries/svn_1.9.7/bin/svn --no-auth-cache --username m80154 --password Capmpwds2018 list svn://SVN.HOST.DOMAIN:12000



$ksh ./add_user.sh:prod m80154 apmpwds2018 capmbat2 update

The DB agrees with user/pw/realm

DB cmusaslsecretCRAM-MD5 6A2912411C7616DECF97A2B7582ADEF4855C3B4E4373046832D242AEC4AC08E2

Commandline CRAM USER:HEX/UN 6A2912411C7616DECF97A2B7582ADEF4855C3B4E4373046832D242AEC4AC08E2



Success m80154 - /opt/app/scm/svn/binaries/svn_1.9.7/bin/svn --no-auth-cache --username m80154 --password apmpwds2018 list svn://SVN.HOST.DOMAIN:12000





ksh ./add_user.sh:prod m80154 capmpwds2018 capmbat2 update



The DB agrees with user/pw/realm

DB cmusaslsecretCRAM-MD5 59B803D644BC84CF91230A8FFEA371A3421AE83003009232483A3FEF5B90BE6A

Commandline CRAM USER:HEX/UN 59B803D644BC84CF91230A8FFEA371A3421AE83003009232483A3FEF5B90BE6A



Failed m80154 /opt/app/scm/svn/binaries/svn_1.9.7/bin/svn --no-auth-cache --username m80154 --password capmpwds2018 list svn://SVN.HOST.DOMAIN:12000

svn: E170013: Unable to connect to a repository at URL 'svn://SVN.HOST.DOMAIN:12000'

svn: E170001: Authentication error from server: SASL(-13): authentication failure: incorrect digest response



$ksh ./add_user.sh:prod m80154 cApmpwds2018 capmbat2 update



The DB agrees with user/pw/realm

DB cmusaslsecretCRAM-MD5 9328603F62A27B23C3A01149D8CA97BB5885F9163C9498918FDD2223439EED26

Commandline CRAM USER:HEX/UN 9328603F62A27B23C3A01149D8CA97BB5885F9163C9498918FDD2223439EED26



Success m80154 - /opt/app/scm/svn/binaries/svn_1.9.7/bin/svn --no-auth-cache --username m80154 --password cApmpwds2018 list svn://SVN.HOST.DOMAIN:12000





-
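An added check, not part of the original post and not code from Subversion or Cyrus SASL: it decodes the four cmusaslsecretCRAM-MD5 values printed in the test run above and reports any 0x00 byte, modelling what a storage or lookup path that reads the binary secret as a NUL-terminated string would hand back. That such a path exists in this deployment is an assumption to verify, and the function names are hypothetical.

```python
# Added example: audit stored SASL secrets for bytes a C-string read would drop.
# Keys are the test passwords from the post; each value pairs the stored hex
# the post printed with the svn result the post reported.
SAMPLES = {
    "Capmpwds2018": (
        "6FE5A5552D2F13F7BDBF6FB2AE9B1A125313C2BA79479D153877B95CFA9DFC29",
        "works"),
    "apmpwds2018": (
        "6A2912411C7616DECF97A2B7582ADEF4855C3B4E4373046832D242AEC4AC08E2",
        "works"),
    "capmpwds2018": (
        "59B803D644BC84CF91230A8FFEA371A3421AE83003009232483A3FEF5B90BE6A",
        "fails"),
    "cApmpwds2018": (
        "9328603F62A27B23C3A01149D8CA97BB5885F9163C9498918FDD2223439EED26",
        "works"),
}


def as_c_string(secret: bytes) -> bytes:
    """Model a NUL-terminated read: the first 0x00 and everything after is lost."""
    return secret.split(b"\x00", 1)[0]


def audit(hex_secret: str) -> dict:
    """Decode one stored secret and report how a C-string read would alter it."""
    raw = bytes.fromhex(hex_secret)
    survived = as_c_string(raw)
    return {
        "length": len(raw),
        "nul_offsets": [i for i, b in enumerate(raw) if b == 0],
        "bytes_after_c_string_read": len(survived),
        "intact": survived == raw,
    }


def report(samples=SAMPLES):
    """Return (password, observed result, NUL offsets, intact) for each sample."""
    rows = []
    for password, (hex_secret, observed) in samples.items():
        result = audit(hex_secret)
        rows.append((password, observed, result["nul_offsets"], result["intact"]))
    return rows


if __name__ == "__main__":
    for password, observed, nul_offsets, intact in report():
        print(f"{password:14} svn={observed:5} NUL at {nul_offsets} intact={intact}")
```

A hex comparison of the generated and stored values, as in the quick check above, cannot show this kind of difference because both sides are rendered from the full 32 bytes.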
Branko Čibej
2018-04-14 10:51:54 UTC
Post by NOCERA, ANDY
Summary: SVN E170001: Authentication error with specific user/realm/pw
combinations while many other work!
 
 
Observations/Workarounds
 
While there is a work around, by simply changing the password, we have
an unusual reoccurring issue with some user/realm/password
combinations.  It’s a problem
setting the same password to many repos.
 
The issue shows up under both CRAM-MD5 and DIGEST-MD5, but not for the
same user/realm/password. 
 
 
How do I get svn/svnserve to log the hashed response so I can compare
it outside of SASL and MYSQL.  
I suspect our method to generate the hashed CRAM-MD5 and DIGEST-MD5
that we store in mysql has a bug, what is a good place to locate
source for this program.

Svnserve does not use a MySQL database for storing passwords or password
hashes. So you either have a customized svnserve or a customized SASL
library. You'll have to find out where those customizations came from.
There is no such functionality in the Subversion code base.

-- Brane
Nico Kadel-Garcia
2018-04-14 15:41:17 UTC
Post by Branko Čibej
Post by NOCERA, ANDY
Summary: SVN E170001: Authentication error with specific user/realm/pw
combinations while many other work!
Observations/Workarounds
While there is a work around, by simply changing the password, we have
an unusual reoccurring issue with some user/realm/password
combinations. It’s a problem
setting the same password to many repos.
The issue shows up under both CRAM-MD5 and DIGEST-MD5, but not for the
same user/realm/password.
How do I get svn/svnserve to log the hashed response so I can compare
it outside of SASL and MYSQL.
I suspect our method to generate the hashed CRAM-MD5 and DIGEST-MD5
that we store in mysql has a bug, what is a good place to locate
source for this program.
Svnserve does not use a MySQL database for storing passwords or password
hashes. So you either have a customized svnserve or a customized SASL
library. You'll have to find out where those customizations came from.
There is no such functionality in the Subversion code base.
-- Brane
Nico Kadel-Garcia
2018-04-14 15:49:26 UTC
Sorry, hit "send" too early on my previous note!
Post by NOCERA, ANDY
Summary: SVN E170001: Authentication error with specific user/realm/pw
combinations while many other work!
Observations/Workarounds
While there is a work around, by simply changing the password, we have
an unusual reoccurring issue with some user/realm/password
combinations. It’s a problem
setting the same password to many repos.
The issue shows up under both CRAM-MD5 and DIGEST-MD5, but not for the
same user/realm/password.
How do I get svn/svnserve to log the hashed response so I can compare
it outside of SASL and MYSQL.

I think you're going to hurt yourself. My working assumption is that
you've used a customized httpd configuration to manage authentication
through a MySQL back end, and the issue has nothing to do with
Subversion itself. It has to do with maintenance of that MySQL back
end. If possible, set up a test server to allow the same
authentication technology to access a simple testable website, even a
folder with just "index.html" in it, and test your password based
access to *that*, ideally with an entirely distinct user.

Mind you, storing passwords in MySQL is its own potential adventure.
It's useful, but many implementations have been quite poor. Why are
you doing this?

Also, are there other processes which may be uploading or modifying
passwords for your back end, and resetting them? Or is there a MySQL
cluster which has, perhaps, become split brain and keeps passing
around broken password rows in your MySQL database?
