RPC: Added additional config option for multiple RPC users. #7044
Conversation
|
Please explain how your vision accounts for multi-wallet use. It seems desirable to have different users access different wallets (or perhaps even limited to specific accounts within a wallet), but your plan above does not seem to account for that possibility. |
|
@luke-jr That seems orthogonal to me. Presumably if we eventually wanted to layer access controls on top of this in the future (though we've shed away from that in the past), this appears completely compatible with doing so... but this is useful without that, just from an credential management perspective. |
src/httprpc.cpp
Outdated
There was a problem hiding this comment.
I think we really want to avoid adding OpenSSL dependencies. But it shouldn't be hard to add PBKDF2 (we already have a builtin HMAC-SHA256 implementation).
There was a problem hiding this comment.
We're in that boat for the wallet encryption already.
There was a problem hiding this comment.
This affects also --disable-wallet compilation (httprpc.cpp). Agree with @sipa. There is no reason to use openssl lump for that.
|
edit2: See after @gmaxwell's answer |
|
@dcousens: that could be said of any functionality; thats really no excuse for having an auth setup which will be an immediate failure in any security audit. (And for context, I asked instagibbs to work on something like this after hearing from multiple parties that they switched from bitcoin core to an API provider for a list of reasons that included this; I'd like to get all of these reasons fixed.) I don't see why you see this as increasing the complexity of RPC: it changes credential storage, not the RPC-- other than timing it's presence is externally indistinguishable. I think we should phase out the old method of configuration and support only this and cookie auth; but thats incompatible so it should probably be phased in across multiple versions. |
|
To clarify, the above was a weak NACK; and I may have jumped the gun on complexity, as after a code review, only ~20-30 lines was added code, the rest is tests. If the alternative configuration method is [eventually] removed, then I see no issue with this and its an easy feature win for those who need it. Concept ACK, utACK 👍 |
|
Concept ACK. Nice work! Thanks for directly include a RPC test. |
|
@paveljanik @jonasschnelli If we ever get around to deprecating the original rpc credential method I think that'd be a good time to move it. |
|
Is the salting and hashing really worth it? An admin could easily listen on the wire for the pre-stretched password. I feel like this is a false sense of security for what is meant to be a local ( The authentication itself is just basic HTTP authentication AFAIK. This is no better than just a single token. Clearer intent and security implications IMHO. |
|
@dcousens salting and hashing protects the passwords in the case of an adversary getting a hold of the password file and forging irreversible requests immediately, but not an catching it across the wire, no. I still see value in that, especially for basic audit purposes. |
I'd be willing to bet that the attacker will likely already be able to do this, be it through watching the wire or simply adding the auth settings to the If that sole property is desirable, then sure, add it. But it isn't reflective of the existing security model.
|
|
@dcousens: consider, a couple weeks ago I learned sipa's rpcpassword while he was showing me something in his bitcoin.conf on his screen. Hashed passwords were the norm for system authentication decades before encrypted transports. :) |
|
Concept ACK |
contrib/rpcuser/rpcuser.py
Outdated
There was a problem hiding this comment.
nit: If this script is supposed to be used by end users, it should be in share/ (I think) and be installed with make install. Contrib is usually for obscure things only useful for developers.
There was a problem hiding this comment.
And mention in the readme how this should be called. E.g. ./rpcuser testUserName.
There was a problem hiding this comment.
I don't see any related scripts in 'share' nor a readme in the folder.
|
Axed the key stretching done as per discussion in bitcoin-core-dev IRC, removed openssl dependency. Updated description. |
|
Moved the python script to share directory. |
|
Concept ACK |
|
utACK |
|
Concept ACK +1 , finally !!!! |
|
@instagibbs mind squashing some of this to get the EVP stuff out of the history? |
|
squashed |
|
Hm. Python3 dep on the gen util. How hard would that be to avoid? |
|
New command-line or config-file options should be documented in the --help output (see init.cpp). How does this interact with the automatic random cookie authentication in InitRPCAuthentication? I'd expect if I use -rpcauth that would be the only authentication method available... And are changes to bitcoin-cli needed to add this new functionality? In general, it makes me nervous to have two very different ways of accomplishing the same thing (-rpcauth and -rcpuser/-rpcpassword). Deprecating -rpcuser/-rpcpassword and moving to -rpcauth would be better, but even if deprecation doesn't happen in-memory conversion of any existing -rcpuser/-rpcpassword to the new scheme as one of the first things done at startup in any code that deals with those options should be less bug-prone. |
|
@gmaxwell I've added a few more lines to make it work for either. @gavinandresen To the connecting bitcoin-cli, the interface is just the same. That was intentional. And I'm in agreement about (eventual?) deprecation. It'd be quite easy to do after this. I'll add some documentation to init.cpp, sure. |
|
At least I was thinking that rpcuser/rpcpassword should be deprecated, but wasn't expecting that to happen right this instant. For cookie auth, it can be useful to have both-- the reason is that cookie auth can be used seamlessly by local applications. But the correct way to achieve that is probably a soft opt disable for cookie auth triggered by having static authentication; I guess. |
|
@instagibbs Mind to add the missing "-rpcauth" help message in init.cpp? |
|
@MarcoFalke done |
|
@gavinandresen gave it some more thought, and I think it's most straight forward to throw a warning for now, then completely replace as a next step. By the time I get some intermediate step to work, it's just easier to replace everything in my opinion. Would that be acceptable? |
|
@dcousens: added a warning. Is this along the lines of what you were thinking? |
src/init.cpp
Outdated
There was a problem hiding this comment.
Add 'This option can be specified multiple times.' for clarity?
|
utACK with one nit in the help text (see above.) |
src/httprpc.cpp
Outdated
There was a problem hiding this comment.
What happens when a client sends an authentication string that does not contain a ':'? My guess is that find returns npos == -1, which means that both strPass and strUser will be equal to strUserPass in that case. It looks harmless, but certainly unintuitive and perhaps not well-defined?
|
Seems like all mentioned issues are now fixed. I'd love to see this get merged before the 0.12 freeze. |
|
@instagibbs warning LGTM 👍 |
|
re-ACK |
|
Tested ACK |
|
ACK |
d52fbf0 Added additional config option for multiple RPC users. (Gregory Sanders)
Misc upstream PRs Cherry-picked from the following upstream PRs: - bitcoin/bitcoin#6077 - Second commit only (first was already applied to 0.11.X and then reverted) - bitcoin/bitcoin#6284 - bitcoin/bitcoin#6489 - bitcoin/bitcoin#6462 - bitcoin/bitcoin#6647 - bitcoin/bitcoin#6235 - bitcoin/bitcoin#6905 - bitcoin/bitcoin#6780 - Excluding second commit (QT) and third commit (requires bitcoin/bitcoin#6993) - bitcoin/bitcoin#6961 - Excluding QT parts, and a small `src/policy/policy.cpp` change which depends on a bunch of other PRs, which we'll have to remember to come back to. - bitcoin/bitcoin#7044 - bitcoin/bitcoin#8856 - bitcoin/bitcoin#9002 Part of #2074 and #2132.
Misc upstream PRs Cherry-picked from the following upstream PRs: - bitcoin/bitcoin#6077 - Second commit only (first was already applied to 0.11.X and then reverted) - bitcoin/bitcoin#6284 - bitcoin/bitcoin#6489 - bitcoin/bitcoin#6235 - bitcoin/bitcoin#6905 - bitcoin/bitcoin#6780 - Excluding second commit (QT) and third commit (requires bitcoin/bitcoin#6993) - bitcoin/bitcoin#6961 - Excluding QT parts, and a small `src/policy/policy.cpp` change which depends on a bunch of other PRs, which we'll have to remember to come back to. - bitcoin/bitcoin#7044 - bitcoin/bitcoin#8856 - bitcoin/bitcoin#9002 Part of #2074 and #2132.
13 participants
This pull adds an additional config option, "rpcauth" to allow multiple different users to use different credentials for login.
Motivation:
In business settings there are often multiple users accessing a particular core instance, using wallet functionality. Instead of all users sharing the same login name and password, it is desired to have each user generate their own secret password, and have a hashed and salted version added to bitcoin.conf by the admin. Currently there is only one name and password, and it is stored in plaintext. This pull attempts to do just this and will be followed by an additional audit logging pull to enable admins to assign blame to spends and other irreversible actions.
The config option comes in the format:
Where:
A "canonical" password generating python script has been supplied in share/rpcuser. From the client-side, one connects using the standard -rpcuser/-rpcpassword options.