couchdb-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Noah Slater <nsla...@apache.org>
Subject Re: new CouchDB feature: Admin accounts
Date Wed, 22 Oct 2008 20:05:54 GMT
Damien,

Fantastic stuff, this is a great feature!

On Wed, Oct 22, 2008 at 01:13:22PM -0400, Damien Katz wrote:
> The admin checking uses HTTP basic authentication, we'll need to
> eventually support SSL to make this secure or support a more secure
> authentication standard.

I presume that for now, SSL can be added with a reverse proxy.

> When CouchDB starts it will find these new passwords and then hash them:
>
> [admins]
> admin = -hashed-d6bdc9039b19e41051eb1b94ea8ef905b1a11e2e
> ,b53ce4e92ad24ad8fc14feadb58d8b60
> damien katz = -hashed
> -2f3e9eea97e44b2bb09b56d3b1d66a41f0a74be2,6c37137b479369759e8dc591573b0599
>
> /end
>
> The hashed password line consists first of "-hashed-" then 2 hexadecimal
> encoded numbers separated by a comma, the 160 bit sha hashed password +
> salt 160 bit sha hash, and then the 128 bit salt (a UUID):
>
>   user name = -hashed-%160bit hashed value%,%128 bit salt%
>
> So the only restrictions on passwords is they shouldn't start with "-
> hashed-" and can't contain newlines.

I don't like the idea of keeping passwords in the configuration file like this.

 * Having CouchDB update the configuration file feels like "magic" to me.

 * The hashed values seem a little long, and hard to manage.

 * Restricting the content of the passwords (to avoid problems detecting new
   passwords) seems a little troublesome. How would it be enforced?

 * Keeping passwords and sundry configuration together seems troublesome.

Instead, could I suggest that we follow Apache httpd and use a digest file?

Apache ships with a utility called "htdigest" that should be no problem to ship
or find on the system, depending on setup. Here is an example of its use:

  nslater@bytesexual: ~ $ htdigest -c auth all nslater
  Adding password for nslater in realm all.
  New password:
  Re-type new password:
  nslater@bytesexual: ~ $ cat auth
  nslater:all:49e0297565847b5e586a3342657eb99a

CouchDB could check for this file on startup in its configuration directory.

As a system administrator I could then change the ownership or permissions of
the password file so that only the `couchdb` user could read it, but open up the
general configuration file for anyone in the `admin` group, for example.

It's important to remember that even hashes can be "reverse engineered" with
rainbow tables to retrieve the original passwords, which is a security concern
if the hashes are kept in a place readable by more users than is necessary.

Thanks,

-- 
Noah Slater, http://bytesexual.org/nslater

Mime
View raw message