DRIVERS-439: SCRAM-SHA-256 Support

    • Type: New Feature
    • Resolution: Fixed
    • Priority: Major - P3
    • Component/s: None

      Update 2018-03-01: the updated auth spec is now available. Testing will require a master nightly server release (or waiting for 3.7.3).

      Original:

      The next version of MongoDB will include SCRAM-SHA-256 as an authentication type. This is defined in RFC 7677. The sample conversation from the RFC is:

       This is a simple example of a SCRAM-SHA-256 authentication exchange... The username
         'user' and password 'pencil' are being used
      
         C: n,,n=user,r=rOprNGfwEbeRWgbNEkqO
      
         S: r=rOprNGfwEbeRWgbNEkqO%hvYDpWUa2RaTCAfuxFIlj)hNlF$k0,
            s=W22ZaJ0SNY7soEsUEjb6gQ==,i=4096
      
         C: c=biws,r=rOprNGfwEbeRWgbNEkqO%hvYDpWUa2RaTCAfuxFIlj)hNlF$k0,
            p=dHzbZapWIk4jUhN+Ute9ytag9zjfMHgsqmmiz7AndVQ=
      
         S: v=6rriTRBi23WpRR/wtup+mMhUZUn/dB5nLTJRsjl95G4=
      

      In advance of updates to the Auth spec, which will include additional details of mechanism negotiation and user/password normalization (see DRIVERS-444), all drivers should take steps now to ensure their SCRAM libraries are capable of operating in SHA-256 mode, using the sample conversation for verification. (You'll need to force the client nonce to be "rOprNGfwEbeRWgbNEkqO" for the test conversation to work.)

      Drivers should validate when they have an RFC-7677 compliant SCRAM-SHA-256 implementation. An additional drivers ticket will be opened for Auth Spec changes based on the server's actual implementation.
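      The following is an added example, not code from this ticket or any driver: a minimal SCRAM-SHA-256 client computation that, with the client nonce forced to the RFC 7677 value, reproduces the sample conversation above and checks the server's final signature. Function names are the example's own; password normalization (the DRIVERS-444 work) is deliberately left out.

```python
import base64
import hashlib
import hmac

# RFC 7677 sample values quoted in the ticket; the client nonce is forced to
# the RFC's value so the exchange can be reproduced byte-for-byte.
USERNAME, PASSWORD = "user", "pencil"
CLIENT_NONCE = "rOprNGfwEbeRWgbNEkqO"
SERVER_FIRST = ("r=rOprNGfwEbeRWgbNEkqO%hvYDpWUa2RaTCAfuxFIlj)hNlF$k0,"
                "s=W22ZaJ0SNY7soEsUEjb6gQ==,i=4096")
RFC_CLIENT_FINAL = ("c=biws,r=rOprNGfwEbeRWgbNEkqO%hvYDpWUa2RaTCAfuxFIlj)hNlF$k0,"
                    "p=dHzbZapWIk4jUhN+Ute9ytag9zjfMHgsqmmiz7AndVQ=")
RFC_SERVER_FINAL = "v=6rriTRBi23WpRR/wtup+mMhUZUn/dB5nLTJRsjl95G4="

def _hmac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()

def parse_attrs(msg: str) -> dict:
    # SCRAM messages are comma-separated k=value pairs; values may contain '='
    return dict(part.split("=", 1) for part in msg.split(","))

def scram_sha256_client(username, password, client_nonce, server_first):
    """Client side of SCRAM-SHA-256 (RFC 5802 mechanics with the RFC 7677 hash).
    Returns (client-final-message, base64 ServerSignature the server must echo).
    Password normalization (SASLprep, see DRIVERS-444) is not applied here."""
    client_first_bare = f"n={username},r={client_nonce}"
    attrs = parse_attrs(server_first)
    combined_nonce = attrs["r"]
    if not combined_nonce.startswith(client_nonce):  # RFC 5802 section 5.1
        raise ValueError("server nonce does not extend the client nonce")
    salt, iterations = base64.b64decode(attrs["s"]), int(attrs["i"])
    # SaltedPassword = Hi(password, salt, i), which is PBKDF2-HMAC-SHA-256
    salted = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    client_key = _hmac(salted, b"Client Key")
    stored_key = hashlib.sha256(client_key).digest()
    client_final_bare = f"c=biws,r={combined_nonce}"  # biws == base64("n,,")
    auth_message = f"{client_first_bare},{server_first},{client_final_bare}".encode()
    client_sig = _hmac(stored_key, auth_message)
    proof = bytes(a ^ b for a, b in zip(client_key, client_sig))
    server_sig = _hmac(_hmac(salted, b"Server Key"), auth_message)
    client_final = f"{client_final_bare},p={base64.b64encode(proof).decode()}"
    return client_final, base64.b64encode(server_sig).decode()

def verify_server_final(server_final: str, expected_sig_b64: str) -> bool:
    # The client must check v= in constant time before trusting the connection
    return hmac.compare_digest(parse_attrs(server_final)["v"], expected_sig_b64)
```

      A driver's SCRAM library passes the check in this ticket when its client-final message and expected ServerSignature match RFC_CLIENT_FINAL and RFC_SERVER_FINAL for these inputs.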

      As of MongoDB 3.7.3 it is possible to create SCRAM-SHA-256 users for testing and development:

      MongoDB Enterprise > db.adminCommand( { getParameter: 1, featureCompatibilityVersion: 1 } )
      { "featureCompatibilityVersion" : { "version" : "3.6" }, "ok" : 1 }
      MongoDB Enterprise > db.adminCommand( { setFeatureCompatibilityVersion: "4.0" } )
      { "ok" : 1 }
      MongoDB Enterprise > db.createUser({user: 'foo', pwd: 'bar', roles: ['root'], mechanisms: ['SCRAM-SHA-1', 'SCRAM-SHA-256']})
      Successfully added user: {
      	"user" : "foo",
      	"roles" : [
      		"root"
      	],
      	"mechanisms" : [
      		"SCRAM-SHA-1",
      		"SCRAM-SHA-256"
      	]
      }
      MongoDB Enterprise > db.system.users.find().pretty()
      {
      	"_id" : "admin.foo",
      	"user" : "foo",
      	"db" : "admin",
      	"credentials" : {
      		"SCRAM-SHA-1" : {
      			"iterationCount" : 10000,
      			"salt" : "/F0KadCJa77F/zdIjz7zRQ==",
      			"storedKey" : "2I0MCswchy/1V9Z6lWIzt9NXYA4=",
      			"serverKey" : "hl59xG+Us9udS/dR2N60Rh66zKA="
      		},
      		"SCRAM-SHA-256" : {
      			"iterationCount" : 15000,
      			"salt" : "PrVrIA6rsotQQkrytZ1nkN6ZGX2AZXm7FpQzMg==",
      			"storedKey" : "vgoknTccjZtSnhUcjbgxG4wP4CjPEstQIFKehH/2zS4=",
      			"serverKey" : "p85+pVuVb2yKlOgNF9Q+we0yp5xmPjJo9/oI5EA+WT8="
      		}
      	},
      	"roles" : [
      		{
      			"role" : "root",
      			"db" : "admin"
      		}
      	]
      }
      

      The server has to be in 4.0 feature compatibility mode for SCRAM-SHA-256 credentials to be created. See SERVER-32974 for more details.

      ------------------

      Update 2/22 - The default FCV is now 4.0 in MongoDB master, enabling SCRAM-SHA-256 support by default.

            Assignee: Rathi Gnanasekaran
            Reporter: Rathi Gnanasekaran
            Votes: 0
            Watchers: 5
