incubator-couchdb-user mailing list archives

From Adam Kocoloski <kocol...@apache.org>
Subject Re: Conflicting password-storage info on the wiki
Date Thu, 10 Nov 2011 22:02:51 GMT
On Nov 10, 2011, at 5:00 PM, Jens Alfke wrote:

> According to the wiki[1], the documents in the _users database store hashed passwords in “password_sha” and “salt” attributes. But when I look at my actual running server, _users documents don’t have those fields in them, just “name”, “type” and “roles”. Instead, the hashed password seems to live in an [admin] section of the local .ini file, as referred to elsewhere in the wiki[2].
> 
> I’m assuming the “Security Features Overview” page [1] is out of date, and the hashed passwords were moved out of the database to make them safer from attack?

Heh.  No, they're still stored out in the open for anyone to see.  Only the server admin passwords
are stored in the .ini file.  Did you try creating a normal user?  As far as I know that documentation
is still accurate.

Adam

> If so, what’s the best procedure for adding user accounts programmatically? Post to _config first to set up the password, then add the user document to _users?
> 
> —Jens
> 
> [1] http://wiki.apache.org/couchdb/Security_Features_Overview#Authentication_database
> [2] http://wiki.apache.org/couchdb/Setting_up_an_Admin_account
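
The `_users` document layout discussed in this thread, as an added example that is not part of the original message or of CouchDB's own code: it builds a normal-user document with `password_sha` and `salt`, verifies a password against it, and reports which documents expose hash material to anyone who can read the database. The hex SHA-1 of password followed by salt, the `org.couchdb.user:` id prefix and all function names are assumptions not stated in the message.

```python
import hashlib
import hmac
import secrets


def make_user_doc(name, password, roles=(), salt=None):
    """Build a _users document with salted-SHA-1 fields (assumed scheme)."""
    salt = salt or secrets.token_hex(16)  # fresh random salt per user
    digest = hashlib.sha1((password + salt).encode("utf-8")).hexdigest()
    return {
        "_id": "org.couchdb.user:" + name,  # assumed id convention
        "name": name,
        "type": "user",
        "roles": list(roles),
        "password_sha": digest,
        "salt": salt,
    }


def check_password(doc, candidate):
    """Verify a candidate password against a document's stored hash."""
    expected, salt = doc.get("password_sha"), doc.get("salt")
    if not expected or not salt:
        # Document carries only name/type/roles, as the question describes;
        # there is nothing in the document to verify against.
        return False
    actual = hashlib.sha1((candidate + salt).encode("utf-8")).hexdigest()
    return hmac.compare_digest(actual, expected)  # constant-time compare


def docs_exposing_hashes(docs):
    """Names of users whose document itself carries hash material."""
    return [d["name"] for d in docs if "password_sha" in d and "salt" in d]


if __name__ == "__main__":
    # Constructed sample data: one normal user, one document without hash fields.
    alice = make_user_doc("alice", "correct horse", roles=["editor"])
    root = {"_id": "org.couchdb.user:root", "name": "root",
            "type": "user", "roles": []}
    print(check_password(alice, "correct horse"))   # hash lives in the doc
    print(check_password(root, "anything"))         # no hash in the doc
    print(docs_exposing_hashes([alice, root]))
```

Any document returned by `docs_exposing_hashes` can be guessed against offline by whoever can read it, so read access to `_users` and the strength of user passwords are what matter when the hashes sit in the database.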

