couchdb-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Javier Candeira (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (COUCHDB-2367) Eliminate plaintext passwords altogether
Date Mon, 17 Nov 2014 21:49:33 GMT

    [ https://issues.apache.org/jira/browse/COUCHDB-2367?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14215243#comment-14215243
] 

Javier Candeira commented on COUCHDB-2367:
------------------------------------------

Status report: 

I have this patch working; in fact I've had it for weeks now. I haven't submitted a pull request
because I was waiting for https://issues.apache.org/jira/browse/COUCHDB-2362 to drop into
master, and currently I'm trying to find a moment to finish two more things:
- tests
- the couchpasswd utility to edit hashed passwords into the config files, both interactively
and in scripts/batches.

> Eliminate plaintext passwords altogether
> ----------------------------------------
>
>                 Key: COUCHDB-2367
>                 URL: https://issues.apache.org/jira/browse/COUCHDB-2367
>             Project: CouchDB
>          Issue Type: Improvement
>      Security Level: public(Regular issues) 
>          Components: Database Core
>            Reporter: Javier Candeira
>            Assignee: Javier Candeira
>
> In discussion about https://issues.apache.org/jira/browse/COUCHDB-2364, rnewson and candeira
agreed on:
> <+rnewson> Maybe spent a little more time on the idea that we remove support for
plaintext passwords entirely?
> <+rnewson> I dislike the hash-on-startup thing.
> <+rnewson> we could insist that you set up admins via PUT _config
> <+rnewson> and remove the hash_unhashed_admins function, and also ignore non-hashed
lines in config
> <+rnewson> couchdb 2.0 could simply require the hashed version from the start (and
we'd supply a hashing tool akin to htpasswd in httpd), or 
> < kandinski> what about PUT _config, it would still exist?
> <+rnewson> absolutely, yes.
> <+rnewson> the PUT _config can take plaintext passwords (and there's a ?raw=true
iirc to inhibit hashing) since that invokes code *before* we update the file, so the file
never contains plaintext
> <+rnewson> basically, the goal is to change couchdb so that password hashing is
done before writing the file, in all cases. if you *don't* put a hashed value into [admins],
the line is simply ignored.
> <+rnewson> and that's how we fix the hole.
> <+rnewson> [admins]
> <+rnewson> foo = bar
> <+rnewson> is a couchdb with no admins



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message