Subversion using SSPI module HTTP vs HTTPS

StackOverflow https://stackoverflow.com/questions/4419140

  •  08-10-2019
  •  | 
  •  

Question

I'm upgrading our svn server and want to change to windows authentication instead of htpassword files. I've installed the module and can get it running on HTTP or HTTPS.

Accessing the repos, using TortoiseSVN, I have 2 scenarios:

  1. Accessing when SSPI + HTTPS is setup. Login is automatically and works like a charm :)

  2. Accessing when SSPI + HTTP is setup. Login requires me to enter my domain username and password in TortoiseSVN, which is ok, as I can ask TortoiseSVN to remember my credentials.

My questions is:

If I use SSPI + HTTP instead of SSPI + HTTPS are my password and username then encrypted?

The reason I'm asking is that we're on a LAN and will never be able to access from the outside and SSL is kindda overkill as it makes everything rather slow :S. So I would prefer to use HTTP + SSPI.

I searched for my password on the network using WireShark and had no luck, which would mean that the credentials are indeed encrypted :). Could only find a line which I suspect is my user+pass that looked something like this: Authorization: Basic Yh2_3 m%erTo_d4fre

If anyone can clearify this for me or better yet link me to a location which states that passwords ARE encrypted when using SSPI + HTTP, I would be most gratefull :).

Kind regards Garrett

**********************EDIT**********************

It seems i've misunderstod something very important. Please verify wether i'm right :):

Accessing svn when SSPI+HTTP is enabled, it actually means that SSPI is disabled and that i'm using Basic Auth when accessing, as SSPI requires SSL. Which means that my username and password only have the mild Basic Auth encryption, nothing like SSL encryption.

The only place where the SSPI module enters the picture is that it receives the username+pass from Basic Auth and then it uses those to verify the user against the domain (in a secure manner of course ???).

This is what I could deduct when reading the documentation once again. Can anyone verify if I have gotten this right?

Kind regards

Garrett

Was it helpful?

Solution

UPDATE: The behavior changed in Subversion 1.8.0: now Subversion client automatically authenticate using SPNEGO/NTLM protocol if server supports it. I.e. default value for http-auth-types configuration option is negotiate;ntlm;basic

By default Subversion network library uses Negotiate/NTLM only for HTTPS connections.

Quoting VisualSVN Server KB article, which applicable for any Subversion client/server: http://www.visualsvn.com/support/topic/00040/

To protect from eavesdroppers and man-in-the-middle attacks it's not recommended to use NTLM/Negotiate authentication over the unsecure HTTP protocol. That's why this option is disabled by default.

But if you are forced to use the HTTP protocol, you can manually reconfigure Subversion clients. NTLM/Negotiate authentication over the HTTP protocol can be enabled using the http-auth-types Subversion configuration option. The default value for this option is "http-auth-types = basic". In order to allow NTLM/Negotiate authentication you should change this value to "http-auth-types = basic;negotiate".

The article also has step-by-step instructions how to change Subversion configuration.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow
scroll top