rpcauth should disable RPC "cookie-based" authentication #14779

carnesen opened this issue on November 22, 2018
  1. carnesen commented at 2:17 AM on November 22, 2018: contributor

    Version 0.12 introduced a new authentication scheme for the HTTP RPC interface. The so-called "cookie-based" authentication is meant to be the convenient zero-configuration just-works option. "Cookie-based" authentication is disabled if the user has specified credentials using the (deprecated) rpcuser and rpcpassword config vars. Version 0.12 also introduced a different new way to specify valid credentials, the "rpcauth" configuration variable. Currently, specifying rpcauth does NOT disable "cookie-based" auth. For the same reasons that "cookie-based" auth is disabled if the user specifies rpcpassword, specifying rpcauth should also disable "cookie-based" auth.

  2. fanquake added the label RPC/REST/ZMQ on Nov 22, 2018
  3. achow101 commented at 2:38 AM on November 22, 2018: member

    No, that will cause bitcoin-cli to no longer work. rpcauth has the password salted and hashed. This means it is not in plaintext in the bitcoin.conf file like it was for rpcuser and rpcpassword. There is no way for bitcoin-cli to know what the password is when rpcauth is used, so cookie authentication is needed in order for bitcoin-cli to be able to get a password that works.

  4. carnesen commented at 3:14 AM on November 22, 2018: contributor

    Yeah that's definitely something to think about. It's the age-old trade-off between security and convenience. It seems to me that if I'm concerned enough about security to use rpcauth instead of rpcuser+rpcpassword, I won't be happy that my efforts to avoid writing the password to disk in plain text have been nullified by the fact that bitcoind writes the cookie file. For my two cents, the fact that bitcoin-cli won't "just work" if I've specified rpcauth is a feature (the closing of a security gap) not a bug. Perhaps if rpcauth is present, cookie-based auth is off unless rpccookiefile (or a separate dedicated flag) is also present.

  5. sipa commented at 4:05 AM on November 22, 2018: member

    @carnesen But security through the auth cookie is equivalent to access to your local filesystem. If an attacker has that, they could also modify the bitcoin.conf file to give themselves access anyway.

  6. carnesen commented at 5:13 AM on November 22, 2018: contributor

    You make good points. I'm convinced. Thank you both very much for taking the time to explain. I'll add this information to my description of "cookie-based" auth on https://bitcoin.stackexchange.com/questions/46782/rpc-cookie-authentication . Closing this ...

  7. carnesen closed this on Nov 22, 2018

  8. DrahtBot locked this on Sep 8, 2021
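
The contrast discussed in this thread, as an added example that is not part of the original issue and is not Bitcoin Core's own code: an rpcauth entry holds only a salt and an HMAC-SHA256 of the password, so a client reading bitcoin.conf cannot recover a usable credential, while the cookie file holds a ready-to-use `__cookie__:<secret>` pair. The function names and sample values are constructed for illustration.

```python
import hmac
import secrets
from typing import Optional, Tuple


def make_rpcauth_value(user: str, password: str, salt: Optional[str] = None) -> str:
    """Build the value of an rpcauth= entry: user:salt$HMAC-SHA256(key=salt, msg=password)."""
    salt = salt or secrets.token_hex(16)
    digest = hmac.new(salt.encode(), password.encode(), "sha256").hexdigest()
    return f"{user}:{salt}${digest}"


def check_rpcauth(value: str, user: str, password: str) -> bool:
    """Server-side check: recompute the HMAC from the supplied password and compare."""
    try:
        conf_user, rest = value.split(":", 1)
        salt, expected = rest.split("$", 1)
    except ValueError:
        return False  # malformed entry, reject
    digest = hmac.new(salt.encode(), password.encode(), "sha256").hexdigest()
    # Constant-time comparisons on bytes avoid timing leaks and non-ASCII errors.
    user_ok = hmac.compare_digest(conf_user.encode(), user.encode())
    hash_ok = hmac.compare_digest(digest.encode(), expected.encode())
    return user_ok and hash_ok


def parse_cookie(text: str) -> Tuple[str, str]:
    """Client-side: the cookie file content is itself a plaintext user:password pair."""
    user, password = text.strip().split(":", 1)
    return user, password


if __name__ == "__main__":
    # Constructed sample values, not taken from any real node.
    value = make_rpcauth_value("alice", "correct horse")
    print("rpcauth=" + value)
    print("password visible in config:", "correct horse" in value)   # False
    print("right password accepted:", check_rpcauth(value, "alice", "correct horse"))
    print("wrong password accepted:", check_rpcauth(value, "alice", "guess"))
    # A cookie, by contrast, can be sent as-is by anything that can read the file.
    print("cookie credential:", parse_cookie("__cookie__:" + secrets.token_hex(32)))
```
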

github-metadata-mirror

This is a metadata mirror of the GitHub repository bitcoin/bitcoin. This site is not affiliated with GitHub. Content is generated from a GitHub metadata backup.
generated: 2026-04-13 15:15 UTC
