On Nov 10, 2011, at 5:00 PM, Jens Alfke wrote:

> According to the wiki[1], the documents in the _users database store hashed
> passwords in “password_sha” and “salt” attributes. But when I look at my
> actual running server, _users documents don’t have those fields in them, just
> “name”, “type” and “roles”. Instead, the hashed password seems to live in an
> [admin] section of the local .ini file, as referred to elsewhere in the
> wiki[2].
>
> I’m assuming the “Security Features Overview” page [1] is out of date, and
> the hashed passwords were moved out of the database to make them safer from
> attack?

Heh. No, they're still stored out in the open for anyone to see. Only the server admin passwords are stored in the .ini file. Did you try creating a normal user? As far as I know that documentation is still accurate.

Adam

> If so, what’s the best procedure for adding user accounts programmatically?
> Post to _config first to set up the password, then add the user document to
> _users?
>
> —Jens
>
> [1] http://wiki.apache.org/couchdb/Security_Features_Overview#Authentication_database
> [2] http://wiki.apache.org/couchdb/Setting_up_an_Admin_account
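Added example, not part of the thread and not CouchDB's own code: it builds a normal-user document with the “name”, “type”, “roles”, “salt” and “password_sha” fields discussed above, and checks a password against it. The `org.couchdb.user:` id prefix and the hex SHA-1 of password followed by salt are assumptions based on the CouchDB 1.x-era convention; the function names and sample credentials are hypothetical.

```python
import hashlib
import hmac
import json
import secrets


def build_user_doc(name, password, roles=(), salt=None):
    """Return a _users document for a normal (non-admin) user.

    Assumption: password_sha = hex SHA-1 of (password + salt), and the
    document id is "org.couchdb.user:" + name (CouchDB 1.x-era convention).
    """
    # A fresh random salt per user; a fixed salt is accepted for testing.
    salt = salt or secrets.token_hex(16)
    digest = hashlib.sha1((password + salt).encode("utf-8")).hexdigest()
    return {
        "_id": "org.couchdb.user:" + name,
        "name": name,
        "type": "user",
        "roles": list(roles),
        "salt": salt,
        "password_sha": digest,
    }


def verify_password(doc, candidate):
    """Recompute the hash from the stored salt and compare in constant time.

    Both inputs to this check (salt and password_sha) live in the document
    itself, so read access to _users is what protects them.
    """
    expected = hashlib.sha1(
        (candidate + doc["salt"]).encode("utf-8")
    ).hexdigest()
    return hmac.compare_digest(expected, doc["password_sha"])


if __name__ == "__main__":
    # Constructed sample values, for illustration only.
    doc = build_user_doc("alice", "constructed-sample-password", ["reader"])
    print(json.dumps(doc, indent=2))
    print("correct password accepted:",
          verify_password(doc, "constructed-sample-password"))
    print("wrong password accepted:", verify_password(doc, "guess"))
```

The resulting document is what would be stored in `_users` for a normal user; server admin credentials stay in the .ini file, as the reply says.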
