From: Remi Gacogne Date: Wed, 30 Jun 2021 14:04:04 +0000 (+0200) Subject: Document that hashed credentials can be used without 'webserver-hash-plaintext-creden... X-Git-Tag: dnsdist-1.7.0-alpha1~12^2~2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=165c55371b0a8c0f643a05c2dd8cdb369d8b24da;p=thirdparty%2Fpdns.git Document that hashed credentials can be used without 'webserver-hash-plaintext-credentials' --- diff --git a/docs/settings.rst b/docs/settings.rst index 423a588afc..6d2c3b6985 100644 --- a/docs/settings.rst +++ b/docs/settings.rst @@ -137,7 +137,7 @@ Enable/disable the :doc:`http-api/index`. .. versionchanged:: 4.6.0 This setting now accepts a hashed and salted version. -Static pre-shared authentication key for access to the REST API. Since 4.6.0 the key can be hashed and salted using ``pdnsutil hash-password`` instead of being stored in the configuration in plaintext. +Static pre-shared authentication key for access to the REST API. Since 4.6.0 the key can be hashed and salted using ``pdnsutil hash-password`` instead of being stored in the configuration in plaintext, but the plaintext version is still supported. .. _setting-autosecondary: @@ -1783,7 +1783,8 @@ Webserver/API access is only allowed from these subnets. - Boolean - Default: no -Whether passwords and API keys supplied as plaintext should be hashed during startup, to prevent the plaintext versions from staying in memory. Doing so increases significantly the cost of verifying credentials. +Whether passwords and API keys supplied in the configuration as plaintext should be hashed during startup, to prevent the plaintext versions from staying in memory. Doing so increases significantly the cost of verifying credentials and is thus disabled by default. +Note that this option only applies to credentials stored in the configuration as plaintext, but hashed credentials are supported without enabling this option. .. _setting-webserver-loglevel: 
@@ -1844,7 +1845,7 @@ Maximum request/response body size in megabytes. - String -Password required to access the webserver. Since 4.6.0 the password can be hashed and salted using ``pdnsutil hash-password`` instead of being in plaintext. +Password required to access the webserver. Since 4.6.0 the password can be hashed and salted using ``pdnsutil hash-password`` instead of being present in the configuration in plaintext, but the plaintext version is still supported. .. _setting-webserver-port: diff --git a/pdns/recursordist/docs/settings.rst b/pdns/recursordist/docs/settings.rst index 750a98ea7c..0023719f5c 100644 --- a/pdns/recursordist/docs/settings.rst +++ b/pdns/recursordist/docs/settings.rst @@ -101,7 +101,7 @@ Directory where the REST API stores its configuration and zones. - String - Default: unset -Static pre-shared authentication key for access to the REST API. Since 4.6.0 the key can be hashed and salted using ``rec_control hash-password`` instead of being stored in the configuration in plaintext. +Static pre-shared authentication key for access to the REST API. Since 4.6.0 the key can be hashed and salted using ``rec_control hash-password`` instead of being stored in the configuration in plaintext, but the plaintext version is still supported. .. _setting-api-readonly: 
@@ -2119,7 +2119,8 @@ of /32 or /128. - Boolean - Default: no -Whether passwords and API keys supplied as plaintext should be hashed during startup, to prevent the plaintext versions from staying in memory. Doing so increases significantly the cost of verifying credentials. +Whether passwords and API keys supplied in the configuration as plaintext should be hashed during startup, to prevent the plaintext versions from staying in memory. Doing so increases significantly the cost of verifying credentials and is thus disabled by default. +Note that this option only applies to credentials stored in the configuration as plaintext, but hashed credentials are supported without enabling this option. .. _setting-webserver-loglevel: @@ -2172,7 +2173,7 @@ The value between the hooks is a UUID that is generated for each request. This c - String - Default: unset -Password required to access the webserver. Since 4.6.0 the password can be hashed and salted using ``rec_control hash-password`` instead of being in plaintext. +Password required to access the webserver. Since 4.6.0 the password can be hashed and salted using ``rec_control hash-password`` instead of being present in the configuration in plaintext, but the plaintext version is still supported. .. _setting-webserver-port:
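Review bot: In the hunks at @@ -1783 (docs/settings.rst) and @@ -2119 (pdns/recursordist/docs/settings.rst), the new text does not say whether the higher verification cost also applies to credentials supplied already hashed. It gives that cost as the reason the option is off by default, then says hashed credentials work without the option, so an operator cannot tell from these lines what a pre-hashed key costs per request. Please state this either way. Two wording points in the same lines: "increases significantly the cost" reads better as "significantly increases the cost", and the "Note that ..., but hashed credentials are supported ..." sentence would be clearer split in two, since the second half is not a contrast.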
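Review bot: In the webserver password hunks at @@ -1844 (docs/settings.rst) and @@ -2172 (pdns/recursordist/docs/settings.rst), the added wording "instead of being present in the configuration in plaintext" differs from the API key hunks at @@ -137 and @@ -101, which keep "instead of being stored in the configuration in plaintext". Both describe the same thing, so use "stored" in all four places. Otherwise readers may assume the two settings handle plaintext differently.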
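Review bot: In the API key hunks at @@ -137 (docs/settings.rst) and @@ -101 (pdns/recursordist/docs/settings.rst), the appended clause "but the plaintext version is still supported" tells the reader that plaintext keeps working but not what to do about a plaintext key. The option named in the commit subject, 'webserver-hash-plaintext-credentials', is documented only further down the same file. A cross-reference to that setting here would help, and the same applies to the webserver password hunks. The clause would also read better as its own sentence, for example "The plaintext version is still supported."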