Verify that auth-related properties are well-formed

Passing unexpected values to auth fields can result in server
issues. Notably, setting "iterations" to a string will cause an
infinite loop as the comparison 'when Iteration > Iterations' will
never evaluate to true.

The latest validate_doc_update prevents user docs with this problem
and administrators can deploy that check themselves (and only
administrators can edit design documents).

A server administrator can also insist on lower and upper bounds for
iteration count to reject weakly protected passwords and
resource-hungry passwords respectively.

COUCHDB-2221
diff --git a/src/config/auth.rst b/src/config/auth.rst
index 4127288..8311140 100644
--- a/src/config/auth.rst
+++ b/src/config/auth.rst
@@ -166,6 +166,30 @@
[couch_httpd_auth]
iterations = 10000
+ .. config:option:: min_iterations :: Minimum PBKDF2 iterations count
+
+ .. versionadded:: 1.6
+
+ The minimum number of iterations allowed for passwords hashed by
+ the PBKDF2 algorithm. Any user with fewer iterations is forbidden.
+
+ ::
+
+ [couch_httpd_auth]
+ min_iterations = 100
+
+ .. config:option:: max_iterations :: Maximum PBKDF2 iterations count
+
+ .. versionadded:: 1.6
+
+ The maximum number of iterations allowed for passwords hashed by
+ the PBKDF2 algorithm. Any user with greater iterations is forbidden.
+
+ ::
+
+ [couch_httpd_auth]
+ max_iterations = 100000
+
.. config:option:: proxy_use_secret :: Force proxy auth use secret token
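Review bot: The descriptions of min_iterations and max_iterations ("Any user with fewer iterations is forbidden", "Any user with greater iterations is forbidden") do not say what is actually refused or at which point, so an administrator cannot tell from this text whether an out-of-range user document is rejected on write, at login, or both. Please state the enforcement point and the error the client sees, and reword "greater iterations" to "more iterations". The text should also say whether 100 and 100000 are the shipped defaults or only sample values: as written, the min_iterations sample of 100 sits two orders of magnitude below the iterations = 10000 shown in the context lines just above, and a reader who copies it gets a much weaker floor than the documented iteration count. Finally, the commit message gives a string-valued "iterations" as the motivating failure, yet neither new option mentions that the value must be an integer; one sentence on the expected type would close that gap in the docs.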