rpcauth should disable RPC "cookie-based" authentication #14779
Comments
|
No, that will cause |
|
Yeah that's definitely something to think about. It's the age-old trade-off between security and convenience. It seems to me that if I'm concerned enough about security to use rpcauth instead of rpcuser+rpcpassword, I won't be happy that my efforts to avoid writing the password to disk in plain text have been nullified by the fact that bitcoind writes the cookie file. For my two cents, the fact that bitcoin-cli won't "just work" if I've specified rpcauth is a feature (the closing of a security gap) not a bug. Perhaps if rpcauth is present, cookie-based auth is off unless rpccookiefile (or a separate dedicated flag) is also present. |
|
@carnesen But security through the auth cookie is equivalent to access to your local filesystem. If an attacker has that, they could also modify the bitcoin.conf file to give themselves access anyway. |
|
You make good points. I'm convinced. Thank you both very much for taking the time to explain. I'll add this information to my description of "cookie-based" auth on https://bitcoin.stackexchange.com/questions/46782/rpc-cookie-authentication . Closing this ... |
Version 0.12 introduced a new authentication scheme for the http RPC interface. The so-called "cookie-based" authentication is meant to be the convenient zero-configuration just-works option. "Cookie-based" authentication is disabled if the user has specified credentials using the (deprecated) rpcuser and rpcpassword config vars. Version 0.12 also introduced a different new way to specify valid credentials, the "rpcauth" configuration variable. Currently specifying rpcauth does NOT disable "cookie-based" auth. For the same reasons that "cookie-based" auth is disabled if the user specifies rpcpassword, specifying rpcauth should also disable "cookie-based" auth.
The text was updated successfully, but these errors were encountered: