[ https://issues.apache.org/jira/browse/COUCHDB-2367?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Javier Candeira updated COUCHDB-2367:
-------------------------------------
Description:
In discussion about https://issues.apache.org/jira/browse/COUCHDB-2364, rnewson
and candeira agreed on:
<+rnewson> Maybe spend a little more time on the idea that we remove support
for plaintext passwords entirely?
<+rnewson> I dislike the hash-on-startup thing.
<+rnewson> we could insist that you set up admins via PUT _config
<+rnewson> and remove the hash_unhashed_admins function, and also ignore
non-hashed lines in config
<+rnewson> couchdb 2.0 could simply require the hashed version from the start
(and we'd supply a hashing tool akin to htpasswd in httpd), or
< kandinski> what about PUT _config, it would still exist?
<+rnewson> absolutely, yes.
<+rnewson> the PUT _config can take plaintext passwords (and there's a
?raw=true iirc to inhibit hashing) since that invokes code *before* we update
the file, so the file never contains plaintext
<+rnewson> basically, the goal is to change couchdb so that password hashing is
done before writing the file, in all cases. if you *don't* put a hashed value
into [admins], the line is simply ignored.
<+rnewson> and that's how we fix the hole.
<+rnewson> [admins]
<+rnewson> foo = bar
<+rnewson> is a couchdb with no admins
was:
In discussion about https://issues.apache.org/jira/browse/COUCHDB-2364, rnewson
and candeira agreed on:
<+rnewson> Maybe spend a little more time on the idea that we remove support
for plaintext passwords entirely?
<+rnewson> I dislike the hash-on-startup thing.
<+rnewson> we could insist that you set up admins via PUT _config
<+rnewson> and remove the hash_unhashed_admins function, and also ignore
non-hashed lines in config
<+rnewson> couchdb 2.0 could simply require the hashed version from the start
(and we'd supply a hashing tool akin to htpasswd in httpd), or
< kandinski> what about PUT _config, it would still exist?
<+rnewson> absolutely, yes.
> Eliminate plaintext passwords altogether
> ----------------------------------------
>
> Key: COUCHDB-2367
> URL: https://issues.apache.org/jira/browse/COUCHDB-2367
> Project: CouchDB
> Issue Type: Improvement
> Security Level: public(Regular issues)
> Components: Database Core
> Reporter: Javier Candeira
> Assignee: Javier Candeira
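An added example, written for this page and not code from CouchDB or from the ticket participants, modelling the flow rnewson describes above: an htpasswd-style hasher, a PUT _config path that hashes the password before the ini file is rewritten (with a raw switch that only accepts an already-hashed value), and an [admins] loader that ignores every entry that is not a hashed record, so that "[admins] foo = bar" yields a server with no admins instead of a plaintext password on disk. The stored-record shape follows CouchDB's "-pbkdf2-<key>,<salt>,<iterations>" entries; the iteration count, salt size, SHA-1 PRF, and all function names are this example's own assumptions.

```python
import configparser
import hashlib
import hmac
import io
import os
import re
from typing import Dict, List, Optional

# Record shape follows CouchDB's "-pbkdf2-<key hex>,<salt hex>,<iterations>" admin
# entries. Iteration count, salt size and derived-key length below are this
# example's own choices (assumptions), not CouchDB's defaults.
PBKDF2_PREFIX = "-pbkdf2-"
ITERATIONS = 10000
SALT_BYTES = 16
DKLEN = 20  # bytes of derived key

_HASHED_RE = re.compile(r"^-pbkdf2-([0-9a-f]+),([0-9a-f]+),(\d+)$")


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """htpasswd-style helper: derive the stored record for a plaintext password."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, iterations, dklen=DKLEN)
    return f"{PBKDF2_PREFIX}{dk.hex()},{salt.hex()},{iterations}"


def is_hashed(value: str) -> bool:
    """True only for a well-formed -pbkdf2- record; anything else counts as plaintext."""
    return _HASHED_RE.match(value) is not None


def verify_password(password: str, stored: str) -> bool:
    """Check a login attempt against a stored record. Plaintext records never match."""
    m = _HASHED_RE.match(stored)
    if m is None:
        return False
    dk_hex, salt_hex, iterations = m.groups()
    dk = hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), bytes.fromhex(salt_hex),
                             int(iterations), dklen=len(dk_hex) // 2)
    return hmac.compare_digest(dk.hex(), dk_hex)


def _parser(ini_text: str) -> configparser.ConfigParser:
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep admin names case-sensitive
    cp.read_string(ini_text)
    return cp


def load_admins(ini_text: str) -> Dict[str, str]:
    """Load [admins]; unhashed entries are ignored, never hashed in place at startup."""
    cp = _parser(ini_text)
    if not cp.has_section("admins"):
        return {}
    return {name: value for name, value in cp.items("admins") if is_hashed(value)}


def plaintext_admins(ini_text: str) -> List[str]:
    """Names whose [admins] value is unhashed, so the operator can be warned, not silently locked out."""
    cp = _parser(ini_text)
    if not cp.has_section("admins"):
        return []
    return [name for name, value in cp.items("admins") if not is_hashed(value)]


def put_config_admin(ini_text: str, name: str, value: str, raw: bool = False) -> str:
    """Model of PUT /_config/admins/<name>: hashing happens before the file is rewritten.

    raw=True (the ?raw=true switch recalled in the ticket) stores the value verbatim,
    but only if it already is a hashed record, so plaintext can never reach the file.
    """
    if raw:
        if not is_hashed(value):
            raise ValueError("raw=true requires an already-hashed -pbkdf2- record")
        stored = value
    else:
        stored = hash_password(value)
    cp = _parser(ini_text)
    if not cp.has_section("admins"):
        cp.add_section("admins")
    cp.set("admins", name, stored)
    out = io.StringIO()
    cp.write(out)
    return out.getvalue()


if __name__ == "__main__":
    # Constructed sample: the exact two-line file quoted in the ticket.
    unsafe_ini = "[admins]\nfoo = bar\n"
    print("admins loaded from plaintext file:", load_admins(unsafe_ini))    # {}
    print("unhashed entries to warn about:", plaintext_admins(unsafe_ini))  # ['foo']
    fixed_ini = put_config_admin(unsafe_ini, "foo", "bar")
    print(fixed_ini)
    admins = load_admins(fixed_ini)
    print("login with 'bar':", verify_password("bar", admins["foo"]))       # True
    print("login with 'baz':", verify_password("baz", admins["foo"]))       # False
```

Two points a reviewer of the real change would check: the raw path must still validate the record shape server-side, otherwise ?raw=true reopens the plaintext-on-disk hole through the API; and ignored [admins] lines should be reported (here via plaintext_admins) so that a misconfigured node is visibly adminless rather than quietly so.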
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)