[ https://issues.apache.org/jira/browse/COUCHDB-2299?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14105373#comment-14105373 ]
Dave Cottlehuber commented on COUCHDB-2299:
-------------------------------------------

Note that 1.4+ obviously won't have the actual issue, because they will create PBKDF2-style hashes, but if the [admins] section hasn't changed from a previous install, it will still fail. 1.6.0 is where we broke this.

> admin users are unable to login after upgrading to 1.6.0 when older password
> hashes are used
> --------------------------------------------------------------------------------------------
>
>                 Key: COUCHDB-2299
>                 URL: https://issues.apache.org/jira/browse/COUCHDB-2299
>             Project: CouchDB
>          Issue Type: Bug
>      Security Level: public(Regular issues)
>          Components: Database Core
>    Affects Versions: 1.6.0
>            Reporter: Dave Cottlehuber
>            Priority: Blocker
>             Fix For: 1.6.1
>
>
> # issue
> When a couch is upgraded to 1.6.0, and the config files contain an [admins]
> section with non-PBKDF2 hashed passwords (old-style < 1.3.1) then couchdb
> will not let those admin users login.
> # reproduce
> - install 1.2.1 through 1.5.1 (tested those + 1.3.1 + 1.6.1-rc.3)
> - create a new admin user via futon
> - remove old binaries etc `rm -rf bin share lib`
> - only dbs and .ini files remain (apart from log uri etc)
> - install 1.6.0 (or 1-rc.3 with the fix for the raw/unhashed password fix)
> - try to log in using admin via futon
> {code}
> 2> [debug] [<0.146.0>] 'POST' /_session {1,1} from "94.136.7.161"
> Headers: [{'Accept',"application/json"},
>           {'Accept-Encoding',"gzip,deflate"},
>           {'Accept-Language',"en-US,en;q=0.8,de;q=0.6"},
>           {'Connection',"keep-alive"},
>           {'Content-Length',"25"},
>           {'Content-Type',"application/x-www-form-urlencoded; charset=UTF-8"},
>           {'Cookie',"AuthSession="},
>           {"Dnt","1"},
>           {'Host',"130.211.98.121:5984"},
>           {"Origin","http://130.211.98.121:5984"},
>           {'Referer',"http://130.211.98.121:5984/_utils/"},
>           {'User-Agent',"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_4)
>           AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2129.0 Safari/537.36"},
>           {"X-Requested-With","XMLHttpRequest"}]
> [debug] [<0.146.0>] OAuth Params: []
> [debug] [<0.146.0>] Attempt Login: admin
> [debug] [<0.117.0>] DDocProc found for DDocKey: {<<"_design/_auth">>,
>                                                  <<"2-7837bd4a550c1a65ac96c258e83d8b8c">>}
> [debug] [<0.171.0>] OS Process #Port<0.3041> Input  :: ["reset",{"reduce_limit":true,"timeout":5000}]
> [debug] [<0.171.0>] OS Process #Port<0.3041> Output :: true
> [debug] [<0.171.0>] OS Process #Port<0.3041> Input  :: ["ddoc","_design/_auth",
>         ["validate_doc_update"],
>         [{"_id":"",
>           "password_scheme":"pbkdf2",
>           "iterations":10,"roles":["_admin"],
>           "salt":"a755d787383cdc147808a3ce2326479e",
>           "password_scheme":"simple",
>           "derived_key":"77bc076166db06fd940540ea7dc9d181e7e44741",
>           "_revisions":{"start":0,"ids":[]}},
>          null,
>          {"db":"_users","name":null,"roles":["_admin"]},{}]]
> [debug] [<0.171.0>] OS Process #Port<0.3041> Output :: {"forbidden":"doc.type must be user"}
> [debug] [<0.146.0>] Minor error in HTTP request: {forbidden,
>                                                   <<"doc.type must be user">>}
> [debug] [<0.146.0>] Stacktrace: [{couch_db,update_doc,4,
>                                   [{file,"couch_db.erl"},{line,432}]},
>                                  {couch_httpd_auth,
>                                   '-maybe_upgrade_password_hash/3-fun-0-',
>                                   4,
>                                   [{file,"couch_httpd_auth.erl"},
>                                    {line,355}]},
>                                  {couch_util,with_db,2,
>                                   [{file,"couch_util.erl"},{line,443}]},
>                                  {couch_httpd_auth,handle_session_req,1,
>                                   [{file,"couch_httpd_auth.erl"},
>                                    {line,275}]},
>                                  {couch_httpd,handle_request_int,5,
>                                   [{file,"couch_httpd.erl"},{line,318}]},
>                                  {mochiweb_http,headers,5,
>                                   [{file,"mochiweb_http.erl"},{line,94}]},
>                                  {proc_lib,init_p_do_apply,3,
>                                   [{file,"proc_lib.erl"},{line,227}]}]
> [info] [<0.146.0>] 94.136.7.161 - - POST /_session 403
> {code}

--
This message was sent by Atlassian JIRA
(v6.2#6252)
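As an added pre-upgrade check (not code from the ticket or from CouchDB itself), the Python script below scans the [admins] section of a CouchDB 1.x .ini file and flags the old-style hashed entries that the bug above stops from logging in after the 1.6.0 upgrade. The `-hashed-` (pre-1.3 "simple") and `-pbkdf2-` value formats are assumed from CouchDB's admin-password storage, and the sample ini and its hex values are constructed.

```python
import configparser
import re
from dataclasses import dataclass
from typing import Optional

# Admin-password formats CouchDB 1.x stores in the [admins] section.
# Assumption taken from CouchDB's admin-password storage, not from the ticket:
#   pre-1.3 "simple" scheme : -hashed-<sha1 hex>,<salt hex>
#   1.3+   "pbkdf2" scheme  : -pbkdf2-<derived key hex>,<salt hex>,<iterations>
LEGACY_RE = re.compile(r"^-hashed-([0-9a-fA-F]+),([0-9a-fA-F]+)$")
PBKDF2_RE = re.compile(r"^-pbkdf2-([0-9a-fA-F]+),([0-9a-fA-F]+),(\d+)$")


@dataclass
class AdminEntry:
    name: str
    scheme: str                 # "pbkdf2", "simple" or "plaintext"
    iterations: Optional[int]   # only meaningful for pbkdf2
    blocks_upgrade: bool        # True for the entries COUCHDB-2299 breaks


def classify_admin(name: str, value: str) -> AdminEntry:
    """Map one [admins] value onto the scheme the server will treat it as."""
    value = value.strip()
    m = PBKDF2_RE.match(value)
    if m:
        return AdminEntry(name, "pbkdf2", int(m.group(3)), False)
    if LEGACY_RE.match(value):
        # Old-style hash: on 1.6.0 the upgrade-on-login path fails with 403
        return AdminEntry(name, "simple", None, True)
    # Anything else is an unhashed password the server hashes at startup
    return AdminEntry(name, "plaintext", None, False)


def audit_admins(ini_text: str) -> list[AdminEntry]:
    """Return one entry per admin in the [admins] section of an .ini file."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(ini_text)
    if not cp.has_section("admins"):
        return []
    return [classify_admin(n, v) for n, v in cp.items("admins")]


# Constructed sample local.ini; the hex values are made up, not real credentials.
SAMPLE_INI = """
[admins]
legacy = -hashed-0f0e0d0c0b0a09080706050403020100ffeeddcc,a1b2c3d4e5f60718293a4b5c6d7e8f90
modern = -pbkdf2-0123456789abcdef0123456789abcdef01234567,00112233445566778899aabbccddeeff,10
fresh = not-yet-hashed
"""
```

Run `audit_admins` over each node's local.ini before upgrading and reset the password of every entry reported as `simple` so it is rewritten as a `-pbkdf2-` hash.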