[
https://issues.apache.org/jira/browse/COUCHDB-2362?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14184321#comment-14184321
]
ASF GitHub Bot commented on COUCHDB-2362:
-----------------------------------------
Github user wohali commented on a diff in the pull request:
https://github.com/apache/couchdb/pull/269#discussion_r19378084
--- Diff: dev/pbkdf2.py ---
@@ -0,0 +1,130 @@
+# -*- coding: utf-8 -*-
+"""
+ pbkdf2
+ ~~~~~~
+
+ This module implements pbkdf2 for Python. It also has some basic
+ tests that ensure that it works. The implementation is straightforward
+ and uses stdlib only stuff and can be easily be copy/pasted into
+ your favourite application.
+
+ Use this as replacement for bcrypt that does not need a c
implementation
+ of a modified blowfish crypto algo.
+
+ Example usage:
+
+ >>> pbkdf2_hex('what i want to hash', 'the random salt')
+ 'fa7cc8a2b0a932f8e6ea42f9787e9d36e592e0c222ada6a9'
+
+ How to use this:
+
+ 1. Use a constant time string compare function to compare the stored
hash
+ with the one you're generating::
+
+ def safe_str_cmp(a, b):
+ if len(a) != len(b):
+ return False
+ rv = 0
+ for x, y in izip(a, b):
+ rv |= ord(x) ^ ord(y)
+ return rv == 0
+
+ 2. Use `os.urandom` to generate a proper salt of at least 8 byte.
+ Use a unique salt per hashed password.
+
+ 3. Store ``algorithm$salt:costfactor$hash`` in the database so that
+ you can upgrade later easily to a different algorithm if you need
+ one. For instance ``PBKDF2-256$thesalt:10000$deadbeef...``.
+
+
+ :copyright: (c) Copyright 2011 by Armin Ronacher.
+ :license: BSD, see LICENSE for more details.
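Review bot: the constant-time compare shown in the docstring under "How to use this" (`for x, y in izip(a, b): rv |= ord(x) ^ ord(y)`) depends on `izip` without naming its import, and `ord()` over the characters only behaves as intended on Python 2 byte strings; since the docstring explicitly invites copy/paste, suggest spelling out `from itertools import izip` next to the snippet or rewriting it in terms of `zip` over byte values so the example is runnable as pasted.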
--- End diff --
Need to import this as LICENSE.pbkdf2.txt or similar I think.
> Have dev/run put the correct user:password in the [admin] section of all
> three nodes in dev cluster
> ---------------------------------------------------------------------------------------------------
>
> Key: COUCHDB-2362
> URL: https://issues.apache.org/jira/browse/COUCHDB-2362
> Project: CouchDB
> Issue Type: Improvement
> Security Level: public(Regular issues)
> Components: BigCouch
> Reporter: Javier Candeira
>
> When starting a dev cluster with the --admin option:
> `dev/run -a candeira:candeira`
> the local.ini scripts get rebuilt with an extra [admin] section and the
> plaintext user = password line. This means that couchdb adds the hashed
> password instead of replacing it.
> In addition, the admin party fix only sets the user = password line in one of
> the cluster's nodes, which may create problems.
> The forthcoming patch will initialise all three nodes with the same hashed
> password, as per rnewson:
> 00:27 <+rnewson> so you need to ensure that the admin is the same on all
> nodes after hashing
> 00:28 <+rnewson> otherwise cookies won't work if you hop between nodes
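As an added illustration (not code from the pull request or from CouchDB's dev/run), the Python 3 snippet below combines the pbkdf2.py docstring's `algorithm$salt:costfactor$hash` storage format with rnewson's requirement that the hashed admin credential be identical on all three nodes: the password is hashed once and the same line is emitted for every node. The function names, the hex encoding of the salt, and the node names are assumptions.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

ALGORITHM = "PBKDF2-256"  # label used in the docstring's storage format example
ITERATIONS = 10000        # cost factor used in the docstring's storage format example


def pbkdf2_hex(password: str, salt: bytes, iterations: int = ITERATIONS) -> str:
    """Hex PBKDF2-HMAC-SHA256 digest of password under salt (stdlib only)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations).hex()


def make_stored(password: str, salt: Optional[bytes] = None, iterations: int = ITERATIONS) -> str:
    """Build the ``algorithm$salt:costfactor$hash`` string from the docstring.

    The salt is hex-encoded here (an assumption; the docstring shows it raw) and is
    drawn from os.urandom, unique per hashed password, when none is supplied.
    """
    if salt is None:
        salt = os.urandom(16)
    return "%s$%s:%d$%s" % (ALGORITHM, salt.hex(), iterations, pbkdf2_hex(password, salt, iterations))


def verify(stored: str, password: str) -> bool:
    """Check a candidate password against a stored string with a constant-time compare."""
    algorithm, rest = stored.split("$", 1)
    salt_hex, rest = rest.split(":", 1)
    iterations, digest = rest.split("$", 1)
    if algorithm != ALGORITHM:
        return False  # unknown algorithm label; the format exists so this can be upgraded later
    candidate = pbkdf2_hex(password, bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, digest)


def admin_lines_for_cluster(user: str, password: str,
                            nodes=("node1", "node2", "node3")) -> Dict[str, str]:
    """Hash once, then emit the identical ``user = <hash>`` line for each node's [admin] section.

    Hashing separately per node would draw a fresh salt each time and yield three different
    stored strings, which is the cross-node mismatch the issue describes.
    """
    stored = make_stored(password)
    return {node: "%s = %s" % (user, stored) for node in nodes}
```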
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)