incubator-couchdb-user mailing list archives

From Jens Alfke <j...@couchbase.com>
Subject Conflicting password-storage info on the wiki
Date Thu, 10 Nov 2011 22:00:03 GMT
According to the wiki[1], the documents in the _users database store hashed passwords in “password_sha”
and “salt” attributes. But when I look at my actual running server, _users documents don’t
have those fields in them, just “name”, “type” and “roles”. Instead, the hashed
password seems to live in an [admin] section of the local .ini file, as referred to elsewhere
in the wiki[2].

I’m assuming the “Security Features Overview” page [1] is out of date, and the hashed
passwords were moved out of the database to make them safer from attack?

If so, what’s the best procedure for adding user accounts programmatically? Post to _config
first to set up the password, then add the user document to _users?

—Jens

[1] http://wiki.apache.org/couchdb/Security_Features_Overview#Authentication_database
[2] http://wiki.apache.org/couchdb/Setting_up_an_Admin_account