Return-Path: X-Original-To: apmail-couchdb-dev-archive@www.apache.org Delivered-To: apmail-couchdb-dev-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id 8FBB981A7 for ; Tue, 16 Aug 2011 22:14:45 +0000 (UTC) Received: (qmail 84049 invoked by uid 500); 16 Aug 2011 22:14:45 -0000 Delivered-To: apmail-couchdb-dev-archive@couchdb.apache.org Received: (qmail 84004 invoked by uid 500); 16 Aug 2011 22:14:44 -0000 Mailing-List: contact dev-help@couchdb.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@couchdb.apache.org Delivered-To: mailing list dev@couchdb.apache.org Received: (qmail 83996 invoked by uid 99); 16 Aug 2011 22:14:44 -0000 Received: from athena.apache.org (HELO athena.apache.org) (140.211.11.136) by apache.org (qpsmtpd/0.29) with ESMTP; Tue, 16 Aug 2011 22:14:44 +0000 X-ASF-Spam-Status: No, hits=1.5 required=5.0 tests=FREEMAIL_FROM,HTML_MESSAGE,RCVD_IN_DNSWL_LOW,SPF_PASS,T_TO_NO_BRKTS_FREEMAIL X-Spam-Check-By: apache.org Received-SPF: pass (athena.apache.org: domain of terryzsmith@gmail.com designates 209.85.216.52 as permitted sender) Received: from [209.85.216.52] (HELO mail-qw0-f52.google.com) (209.85.216.52) by apache.org (qpsmtpd/0.29) with ESMTP; Tue, 16 Aug 2011 22:14:37 +0000 Received: by qwb8 with SMTP id 8so417458qwb.11 for ; Tue, 16 Aug 2011 15:14:16 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :content-type; bh=iUqJn5SyBadUVn3bWeruqdFbJgMdsQWqIvdxqOyUiRE=; b=rmk1V3Zd6GI9F6YOmIgnBqAyzcuRq+wzexM/LzgCW0JMH8ZAlxRP1p8oRTujpC0CPc tV2VW4S6XXD69ufihX/Ffy0pMtbnMgBGtQRld78A00o5uYX8yXd4DypQmwCBHYT/HTqp XMzQElH39SFq+fCEKwGlw1Rm4plEt+2XWk0ZQ= MIME-Version: 1.0 Received: by 10.52.26.230 with SMTP id o6mr216541vdg.430.1313532856761; Tue, 16 Aug 2011 15:14:16 -0700 (PDT) Received: by 10.52.158.37 with HTTP; Tue, 16 Aug 2011 15:14:16 -0700 (PDT) In-Reply-To: References: <775360A4-E5B2-464C-AC78-3AF44B7B2F64@apache.org> <3E9869BA-22E7-4645-9FE8-4CE0F31A5C57@apache.org> <591473D8-47C4-486E-84F0-D837D577D0C3@apache.org> <915624D6-228D-48D9-81A0-956FA2B37361@apache.org> <89C1BF6C-93EA-45E8-AE66-6B8067A1B6F2@apache.org> <64A8B61A-E27D-4AD4-9D1A-81E64B6C4F2B@apache.org> <3D5914FE-27E9-4EED-9FAF-CB122AC2E248@apache.org> Date: Tue, 16 Aug 2011 18:14:16 -0400 Message-ID: Subject: Re: Configuration Load Order From: Terry Smith To: dev@couchdb.apache.org Content-Type: multipart/alternative; boundary=20cf3079bdd253fc0904aaa6b309 --20cf3079bdd253fc0904aaa6b309 Content-Type: text/plain; charset=ISO-8859-1 On the subject of a tool to write passwords to CouchDB ini file... A while back I discovered an inconsistency with respect to the password salt deserialization. If password securing is still a salted hash when this tool is made you'll need to take what I found into account because I've done this. Here's what I found. A password's salt is defined as "(128 bit UUID generated by the crypto lib)" from here http://mail-archives.apache.org/mod_mbox/incubator-couchdb-dev/200810.mbox/%3cFEC771A6-9020-4C30-99A2-C4591B3066E1@apache.org%3e. The salt starts out that way but then it is converted to a string representation of the bytes via couch_util:to_hex(). When the hash of the password + salt is taken the bytes for the character codes of the string version of the 128 bit UUID are used as the salt. I'll use a 3 byte salt for an example. The bytes are 16#3f 16#db 16#ef to_hex() returns "3fdbef" list_to_binary() then converts the string into <<"3fdbef"">>... this is the list of character codes for each character in the string. The bytes are 16#33, 16#66, 16#64, 16#62, 16#65, 16#66. This is the actual salt. I discovered this because I am setting up an admin's name, hash and salt in CouchDB's local.ini with an external program (because of my organization's security requirements), but authentication in CouchDB failed with a different hash result. I did not convert my 16 byte salt to a string and then use those bytes (character codes) for the salt. Once I did authentication in CouchDB succeeded. --Terry On Tue, Aug 16, 2011 at 2:33 PM, Jan Lehnardt wrote: > > On Aug 16, 2011, at 8:31 PM, Noah Slater wrote: > > > > > On 16 Aug 2011, at 10:33, Benoit Chesneau wrote: > > > >> Imo we shouldn't at all provide plaintext passwords. Maybe a safer > >> option would be to let the admin create the first one via http or put > >> the hash in the a password.ini file manually. If we are enough kind we > >> could also provide a couchctl script allowing user management, config > >> changes ... ? > > > > This sounds like a decent proposal. Much like you have to use htpasswd to > generate passwords for Apache httpd, we could bundle a script that lets you > generate passwords for the CouchDB ini files, and then forbid the use of > plaintext. This solves both the technical problem (I think?) and helps us > re-enforce better security practices across the board. > > Agreed. > > Cheers > Jan > -- > > --20cf3079bdd253fc0904aaa6b309--