Securing Svnserve with SASL

What is SASL?

The Cyrus Simple Authentication and Security Layer is open source software written by Carnegie Mellon University. It adds generic authentication and encryption capabilities to any network protocol, and as of Subversion 1.5, both the svnserve server and the TortoiseSVN client know how to make use of this library.

For a more complete discussion of the options available, you should look at the Subversion book in the section Using svnserve with SASL. If you are just looking for a simple way to set up secure authentication and encryption on a Windows server, so that your repository can be accessed safely over the big bad Internet, read on.

SASL Authentication

To activate specific SASL mechanisms on the server, you'll need to do three things. First, create a [sasl] section in your repository's svnserve.conf file, with this key-value pair:

use-sasl = true

Second, create a file called svn.conf in a convenient location, typically the directory where Subversion is installed.

Third, create two new registry entries to tell SASL where to find things. Create a registry key named

[HKEY_LOCAL_MACHINE\SOFTWARE\Carnegie Mellon\Project Cyrus\SASL Library]

and place two new string values inside it: SearchPath set to the directory path containing the sasl*.dll plug-ins (normally in the Subversion install directory), and ConfFile set to the directory containing the svn.conf file. If you used the CollabNet installer, these registry keys will already have been created for you.

Edit the svn.conf file to contain the following:

pwcheck_method: auxprop
auxprop_plugin: sasldb
mech_list: DIGEST-MD5
sasldb_path: C:\TortoiseSVN\sasldb

The last line shows the location of the authentication database, which is a file called sasldb. This could go anywhere, but a convenient choice is the repository parent path. Make sure that the svnserve service has read access to this file.

If svnserve was already running, you will need to restart it to ensure it reads the updated configuration.

Now that everything is set up, all you need to do is create some users and passwords. To do this you need the saslpasswd2 program. If you used the CollabNet installer, that program will be in the install directory. Use a command like this:

saslpasswd2 -c -f C:\TortoiseSVN\sasldb -u realm username

The -f switch gives the database location, realm must be the same as the value you defined in your repository's svnserve.conf file, and username is exactly what you expect it to be. Note that the realm is not allowed to contain space characters.

You can list the usernames stored in the database using the sasldblistusers2 program.

SASL Encryption

To enable or disable different levels of encryption, you can set two values in your repository's svnserve.conf file:

[sasl]
use-sasl = true
min-encryption = 128
max-encryption = 256

The min-encryption and max-encryption variables control the level of encryption demanded by the server. To disable encryption completely, set both values to 0. To enable simple checksumming of data (i.e., prevent tampering and guarantee data integrity without encryption), set both values to 1. If you wish to allow (but not require) encryption, set the minimum value to 0, and the maximum value to some bit-length. To require encryption unconditionally, set both values to numbers greater than 1. In our previous example, we require clients to do at least 128-bit encryption, but no more than 256-bit encryption.
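The rules above can be checked mechanically before a repository is exposed. The following Python script is an added example, not part of the original documentation or of Subversion itself: it reads the text of an svnserve.conf file and reports which of the described policies the [sasl] section selects. The function name, the level labels, the defaults used when a key is missing (0 and 256) and the handling of the mixed case "minimum 1, maximum greater than 1" are assumptions that go beyond the cases listed above.

```python
import configparser

# Assumption: values used when a key is absent from the [sasl] section.
DEFAULT_MIN, DEFAULT_MAX = 0, 256

def classify_sasl_policy(conf_text):
    """Classify the [sasl] section of svnserve.conf text as (level, explanation)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    try:
        if not cp.getboolean("sasl", "use-sasl", fallback=False):
            return ("sasl-off", "use-sasl is not true, so the encryption values do not apply")
        lo = cp.getint("sasl", "min-encryption", fallback=DEFAULT_MIN)
        hi = cp.getint("sasl", "max-encryption", fallback=DEFAULT_MAX)
    except ValueError as exc:
        return ("invalid", f"unparsable value: {exc}")
    if lo < 0 or hi < lo:
        return ("invalid", f"min-encryption={lo} must be >= 0 and <= max-encryption={hi}")
    if hi == 0:
        return ("none", "encryption is disabled completely")
    if lo == 0:
        # A client may still negotiate no protection at all.
        return ("optional", f"protection allowed up to {hi} but not required")
    if hi == 1:
        return ("integrity-only", "checksumming only: tamper protection, no confidentiality")
    if lo == 1:
        # Assumed reading of a case the text does not list explicitly.
        return ("integrity-required", f"integrity required, encryption up to {hi} bits optional")
    return ("required", f"encryption required, {lo} to {hi} bits")

# Constructed sample: the svnserve.conf fragment shown in this section.
SAMPLE = """\
[sasl]
use-sasl = true
min-encryption = 128
max-encryption = 256
"""

if __name__ == "__main__":
    level, why = classify_sasl_policy(SAMPLE)
    print(f"{level}: {why}")
```

For a server reachable from the Internet, anything other than "required" means some clients can connect without an encrypted channel.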