lachesis
|
|
July 22, 2010, 01:27:46 AM |
|
Excellent Gavin. We should start a list of proposed config file options in this thread.
I, for one, suggest a noirc (off by default) option and a minimizetotray option, both of which would do the same thing as the command-line switches by the same name. That'll stop the hackery of launching my Bitcoin with -minimizetotray each time. Also, maybe -server and -daemon should get similar options?
|
|
|
|
Gavin Andresen
Legendary
Offline
Activity: 1652
Merit: 2301
Chief Scientist
|
|
July 22, 2010, 01:51:40 AM |
|
I've implemented it so that all the command-line options can also be specified in the bitcoin.conf file.
Options given on the command line override options in the conf file. But I need to do more testing, especially with the "multiargs" options like "addnode".
|
How often do you get the chance to work on a potentially world-changing project?
|
|
|
satoshi (OP)
Founder
Sr. Member
Offline
Activity: 364
Merit: 7193
|
|
July 22, 2010, 02:34:23 AM |
|
TODO: dialog box or debug.log warning if no rpc.user/rpc.password is set, explaining how to set.
In many of the contexts of this RPC stuff, you can print to the console with fprintf(stdout, like this: #if defined(__WXMSW__) && wxUSE_GUI MyMessageBox("Warning: rpc password is blank, use -rpcpw=<password>\n", "Bitcoin", wxOK | wxICON_EXCLAMATION); #else fprintf(stdout, "Warning: rpc password is blank, use -rpcpw=<password>\n"); #endif
|
|
|
|
Gavin Andresen
Legendary
Offline
Activity: 1652
Merit: 2301
Chief Scientist
|
|
July 23, 2010, 03:11:45 PM |
|
I've updated the RPC wiki page for how the password stuff will work in Bitcoin 0.3.3. One nice side effect: you can prepare for the changes now; create a bitcoin.conf file with a username and password and modify your JSON-RPC code to do the HTTP Basic Authentication thing. Old code will just ignore the .conf file and the Authorization: HTTP header. Question for everybody: should I add a section to the wiki page describing, in detail, how to do HTTP Basic authentication? PHP and Python make is really easy-- just use the http://user:pass@host:port/ URL syntax. I don't want to just duplicate the HTTP Basic authentication Wikipedia page.
|
How often do you get the chance to work on a potentially world-changing project?
|
|
|
satoshi (OP)
Founder
Sr. Member
Offline
Activity: 364
Merit: 7193
|
|
July 23, 2010, 05:07:40 PM |
|
Question for everybody: should I add a section to the wiki page describing, in detail, how to do HTTP Basic authentication? PHP and Python make is really easy-- just use the http://user:pass@host:port/ URL syntax. Yes, I think that would be really good so each dev doesn't have to figure it out themselves. We need a simple example for each of Python, PHP and Java importing the json-rpc library and using it to do a getinfo or something, including doing the http authentication part.
|
|
|
|
satoshi (OP)
Founder
Sr. Member
Offline
Activity: 364
Merit: 7193
|
|
July 23, 2010, 05:14:31 PM |
|
|
|
|
|
Gavin Andresen
Legendary
Offline
Activity: 1652
Merit: 2301
Chief Scientist
|
|
July 23, 2010, 05:56:33 PM |
|
Yes, I think that would be really good so each dev doesn't have to figure it out themselves. We need a simple example for each of Python, PHP and Java importing the json-rpc library and using it to do a getinfo or something, including doing the http authentication part.
OK, I did Python and PHP, and I added what I know about Java. Can somebody who has used Java JSON-RPC update the wiki page with a working example?
|
How often do you get the chance to work on a potentially world-changing project?
|
|
|
lachesis
|
|
July 23, 2010, 06:22:08 PM |
|
The password definitely shouldn't be required. Also, the new code chokes on "rpcpassword=". If there's no config file, the config file doesn't contain an rpcpassword line, or it contains "rpcpassword=", the password should be disabled.
|
|
|
|
Gavin Andresen
Legendary
Offline
Activity: 1652
Merit: 2301
Chief Scientist
|
|
July 23, 2010, 06:51:34 PM |
|
The password definitely shouldn't be required.
I strongly disagree; software should be secure by default, and running bitcoind without a password (or bitcoin -server) is definitely NOT secure. I just don't see somebody saying "Man, Bitcoin sucks because I have to add a password to a configuration file before running it as a daemon." I can see somebody saying "Man, Bitcoin sucks because I accidently ran it with the -server switch and somebody stole all my money."
|
How often do you get the chance to work on a potentially world-changing project?
|
|
|
satoshi (OP)
Founder
Sr. Member
Offline
Activity: 364
Merit: 7193
|
|
July 23, 2010, 08:39:03 PM |
|
I don't think authentication should be disabled by default if there's no conf file or the config file doesn't contain "rpcpassword", but what if it contains "rpcpassword="?
I can see both points.
What if the programmer can't figure out how to do HTTP authentication in their language (Fortran or whatever) or it's not even supported by their JSON-RPC library? Should they be able to explicitly disable the password requirement?
OTOH, what if there's a template conf file, with rpcpassword= # fill in a password here
There are many systems that don't allow you to log in without a password. This forum, for instance. Gavin's point seems stronger.
BTW, I haven't tested it, but I hope having rpcpassword= in the conf file is valid. It's only if you use -server or -daemon or bitcoind that it should fail with a warning. If it doesn't need the password, it should be fine. Is that right?
|
|
|
|
Gavin Andresen
Legendary
Offline
Activity: 1652
Merit: 2301
Chief Scientist
|
|
July 23, 2010, 09:18:05 PM |
|
BTW, I haven't tested it, but I hope having rpcpassword= in the conf file is valid. It's only if you use -server or -daemon or bitcoind that it should fail with a warning. If it doesn't need the password, it should be fine. Is that right?
Yes, that's right, rpcpassword is only required if you use -server or -daemon or bitcoind (I just tested to be sure). RE: what if the programmer can't figure out how to make their legacy COBOL code do HTTP authentication? Then I think another config file setting to explicitly turn off RPC authentication would be better than a magical "if you set a blank rpcpassword then that turns off authentication." But I wouldn't implement that until somebody really does have a problem or until we have more than one way of doing the authentication (maybe https someday...). lachesis: is supporting HTTP Basic Authentication a problem for you?
|
How often do you get the chance to work on a potentially world-changing project?
|
|
|
lachesis
|
|
July 24, 2010, 02:46:23 AM Last edit: July 24, 2010, 02:59:28 AM by lachesis |
|
Gavin, no. I know my way around urllib2 so that's not a problem. I would like to see the option to disable password authentication in the bitcoin.conf. We really shouldn't be protecting (advanced) users from themselves.
I was just annoyed that to even start -server (albeit on my test client), I had to edit the config file and insert a password. I can always hack my version of Bitcoin to not require a password by default if that's what I want, but I don't like the fact that bitcoin completely fails to start when I put in "rpcpassword=" with -server. I think the right way to do it would be to warn users (perhaps with a popup box if the GUI is starting) but still start the other stuff, even if the RPC server won't start.
Running with a password only marginally improves the security for a lot of applications anyway, since that password will have to sit in an httpd-readable file for my web server to execute JSON-RPC commands. The only user that's ever been hacked on my server? httpd. It is an important step for machines with multiple users, though, as is allowing the port number to be changed.
|
|
|
|
lachesis
|
|
July 25, 2010, 07:52:35 PM Last edit: July 25, 2010, 08:34:20 PM by lachesis |
|
I found what appears to be a bug: with a long enough username and password combination, the base64 encoder in bitcoind produces authorization headers that look like this: POST / HTTP/1.1 User-Agent: json-rpc/1.0 Host: 127.0.0.1 Content-Type: application/json Content-Length: 40 Accept: application/json Authorization: Basic YWJiYWJiYWFiYmE6aGVsbG93b3JsZGhlbGxvd29ybGRoZWxsb3dvcmxkaGVsbG93 b3JsZGhlbGxvd29ybGRoZWxsb3dvcmxk
It inserts a newline every 64 characters, which obviously breaks the Authorization header, so commands like "bitcoin getinfo" fail. The server still works fine with properly behaving clients. This can be solved by removing the newlines (and maybe '\r's) from result at the end of the Base64Encode function: result.erase(std::remove(result.begin(), result.end(), '\n'), result.end()); result.erase(std::remove(result.begin(), result.end(), '\r'), result.end());
There's probably a more elegant solution, but that works for me. Here's a patch: http://www.alloscomp.com/bitcoin/patches/bitcoin-svn-109-rpcbug-2010-07-25.patch
|
|
|
|
gazoakley
Newbie
Offline
Activity: 12
Merit: 0
|
|
July 25, 2010, 08:08:02 PM |
|
Whilst putting some security in is a good idea, it appears the JSON-RPC PHP doesn't support basic HTTP authentication right now. It'd have to be hacked in. Is anyone else using similar libraries going to encounter the same problem?
Also, whilst we're on the subject is bitcoind only binding to the loopback interface?
|
|
|
|
lachesis
|
|
July 25, 2010, 08:30:16 PM |
|
Whilst putting some security in is a good idea, it appears the JSON-RPC PHP doesn't support basic HTTP authentication right now. It'd have to be hacked in. Is anyone else using similar libraries going to encounter the same problem?
Also, whilst we're on the subject is bitcoind only binding to the loopback interface?
The PHP library I'm using definitely supports HTTP Basic authentication. You just have to craft the URL right: http://username:password@localhost:8332/
|
|
|
|
gazoakley
Newbie
Offline
Activity: 12
Merit: 0
|
|
July 25, 2010, 08:34:53 PM |
|
Whilst putting some security in is a good idea, it appears the JSON-RPC PHP doesn't support basic HTTP authentication right now. It'd have to be hacked in. Is anyone else using similar libraries going to encounter the same problem?
Also, whilst we're on the subject is bitcoind only binding to the loopback interface?
The PHP library I'm using definitely supports HTTP Basic authentication. You just have to craft the URL right: http://username:password@localhost:8332/Of course, you can specify the username and password as part of the URL . Think a BC or two is deserved for that one - sent.
|
|
|
|
lachesis
|
|
July 25, 2010, 08:39:51 PM |
|
Think a BC or two is deserved for that one - sent. Thank you sir.
|
|
|
|
The Madhatter
|
|
July 25, 2010, 08:40:32 PM |
|
If you are using PHP+JSON+CURL you can easily specify the user/pass with a curl_setopt() line. The parameter is "CURLOPT_USERPWD". Thanks for the basic auth patch. Before the patch I was using uid/gid firewall lines to limit the bitcoind to only my special users/IPs that ran various scraps of code on crontabs. I'll likely still leave those protections in and just add in the basic http auth as well.
|
|
|
|
BitLex
|
|
July 25, 2010, 08:45:38 PM |
|
i got some problems here too trying to get this run on PHP. so far i had no luck, neither the wiki-sample (jsonRPCClient trying to fopen( http://username:password@localhost:8332/)), nor my curl-sample (using setopt CURLOPT_HTTPAUTH, CURLAUTH_BASIC) seem to work.
|
|
|
|
The Madhatter
|
|
July 25, 2010, 08:54:38 PM |
|
Hmm.. shouldn't it be using digest auth instead of basic auth? I usually wrap everything into SSL or IPSec anyway, but digest auth might keep noobs from getting pwned so easily.
|
|
|
|
|