Comments (2)
Surprisingly I found very few instances of rpcuser and rpcpassword remaining in the docs. I updated their usage, and the example init scripts, in this branch to see the scope of changes that would be required on the doc side.
I think if we want to fully deprecate these options, the changes in that branch along with #28167 as mentioned above, should come first.
My opinion is that it would be best to still try and fully deprecate these, but due to how widely they are used we will have to include some highly visible warnings about the new behaviour... Some thoughts I had on this:
- We would need to decide if having these keys in bitcoin.conf would halt bitcoind/-qt startup
  - If we don't fail startup (just log a warning to debug.log and ignore the options) users would wonder why their RPC calls are "mysteriously" failing when their credentials match those in bitcoin.conf. Presumably Bitcoin Core would silently be using a .cookie in this case.
  - If we do fail startup then it's possible that many (semi) automated node setups would simply fail to start back up after an upgrade -- without manual intervention to remove these keys from the config -- which seems pretty sub-optimal.
- Asking users who have always been able to just run the binaries + a config file, to now run a python script from share/ to generate auth credentials feels a bit, messy?
  - Perhaps bitcoin-cli should get a generaterpcauth command?
An alternative might be to not deprecate these options at all, but instead we could require specific permissions on the bitcoin.conf file itself, like how ssh requires specific permissions of 600 for id_rsa private key files. I don't like this idea much as it is not providing the same level of security as the rpcauth directive, and AFAIU doesn't bring benefit to Windows users in the same way. But it is quite similar in protection mechanism to the cookie file (i.e. read access to the (config) file grants you RPC access). Notably this does not solve the same fail-to-restart-after-upgrade issues mentioned above. The config file permissions option doesn't seem to me to offer enough reward:risk.
from bitcoin.
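The two checks weighed in the comment above, as an added example that is not part of the thread or of Bitcoin Core: an ssh-style permission test on the config file, detection of plaintext rpcuser/rpcpassword keys, and the salted HMAC-SHA256 rpcauth entry that would replace them. The function names `rpcauth_line`, `parse_conf` and `audit` are hypothetical, the config reader is deliberately simplified, and the sample config is constructed.

```python
import hmac
import os
import secrets
import stat

PLAINTEXT_KEYS = ("rpcuser", "rpcpassword")

def rpcauth_line(user, password, salt=None):
    """Config line holding user:salt$HMAC-SHA256(key=salt, msg=password)."""
    salt = salt or secrets.token_hex(16)
    digest = hmac.new(salt.encode(), password.encode(), "sha256").hexdigest()
    return f"rpcauth={user}:{salt}${digest}"

def parse_conf(text):
    """Simplified key=value reader: drops # comments, [sections], net prefixes."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" in line and not line.startswith("["):
            key, value = line.split("=", 1)
            opts[key.strip().split(".")[-1]] = value.strip()
    return opts

def audit(path):
    """Return (findings, replacement rpcauth line or None) for one config file."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:  # any group/other bit set; an ssh-style check expects 600
        findings.append(f"mode {mode:03o} grants access beyond the owner")
    with open(path, encoding="utf-8") as fh:
        opts = parse_conf(fh.read())
    for key in PLAINTEXT_KEYS:
        if key in opts:
            findings.append(f"plaintext {key} in config")
    replacement = None
    if all(k in opts for k in PLAINTEXT_KEYS):
        replacement = rpcauth_line(opts["rpcuser"], opts["rpcpassword"])
    return findings, replacement

if __name__ == "__main__":
    import tempfile
    # Constructed sample config, not taken from any real node.
    sample = "server=1\nrpcuser=alice\nrpcpassword=constructed-example-pw\n"
    with tempfile.NamedTemporaryFile("w", suffix=".conf", delete=False) as tmp:
        tmp.write(sample)
    os.chmod(tmp.name, 0o644)
    findings, line = audit(tmp.name)
    print("\n".join(findings))
    print(line)
    os.unlink(tmp.name)
```

The mode check only means something on POSIX filesystems, which matches the comment's point that a permissions requirement does not help Windows users in the same way.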
If we are going to deprecate these options, now seems like a good time to do so. We could start with updating all examples / docs in this repository, to remove any rpcuser/rpcpass usage.
That should definitely be done first.
One thing with cookie auth, that currently needs hacks, is allowing cookie access for other users. #28167
from bitcoin.