DRIVERS-439

SCRAM-SHA-256 Support

    • Type: New Feature
    • Resolution: Fixed
    • Priority: Major - P3
    • Component/s: None
    • Labels: None
      Key            Status/Resolution    FixVersion
      NODE-1311      Fixed                3.1.0
      SCALA-375      Fixed                2.4.0
      PYTHON-1464    Fixed                3.7
      CSHARP-2171    Fixed                2.7.0
      PERL-858       Works as Designed
      RUBY-1293      Fixed                2.6.0
      JAVA-2771      Fixed                3.8.0
      CXX-1509       Fixed                3.4.0
      PHPC-1108      Fixed                1.5.0
      MOTOR-194      Fixed                2.0
      GODRIVER-216   Fixed                0.0.12
      CDRIVER-2491   Fixed                1.11.0
      RUST-87        Fixed                0.9.0-alpha
      SWIFT-441      Done

      Update 2018-03-01: the updated auth spec is now available. Testing will require a master nightly server release (or waiting for 3.7.3).

      Original:

      The next version of MongoDB will include SCRAM-SHA-256 as an authentication type. This is defined in RFC 7677. The sample conversation from the RFC is:

       This is a simple example of a SCRAM-SHA-256 authentication exchange... The username
         'user' and password 'pencil' are being used
      
         C: n,,n=user,r=rOprNGfwEbeRWgbNEkqO
      
         S: r=rOprNGfwEbeRWgbNEkqO%hvYDpWUa2RaTCAfuxFIlj)hNlF$k0,
            s=W22ZaJ0SNY7soEsUEjb6gQ==,i=4096
      
         C: c=biws,r=rOprNGfwEbeRWgbNEkqO%hvYDpWUa2RaTCAfuxFIlj)hNlF$k0,
            p=dHzbZapWIk4jUhN+Ute9ytag9zjfMHgsqmmiz7AndVQ=
      
         S: v=6rriTRBi23WpRR/wtup+mMhUZUn/dB5nLTJRsjl95G4=
      

      In advance of updates to the Auth spec, which will include additional details of mechanism negotiation and user/password normalization (see DRIVERS-444), all drivers should take steps now to ensure their SCRAM libraries are capable of operating in SHA-256 mode, using the sample conversation for verification. (You'll need to force the client nonce to be "rOprNGfwEbeRWgbNEkqO" for the test conversation to work.)

      Drivers should validate when they have an RFC-7677 compliant SCRAM-SHA-256 implementation. An additional drivers ticket will be opened for Auth Spec changes based on the server's actual implementation.

      As of MongoDB 3.7.3 it is possible to create SCRAM-SHA-256 users for testing and development:

      MongoDB Enterprise > db.adminCommand( { getParameter: 1, featureCompatibilityVersion: 1 } )
      { "featureCompatibilityVersion" : { "version" : "3.6" }, "ok" : 1 }
      MongoDB Enterprise > db.adminCommand( { setFeatureCompatibilityVersion: "4.0" } )
      { "ok" : 1 }
      MongoDB Enterprise > db.createUser({user: 'foo', pwd: 'bar', roles: ['root'], mechanisms: ['SCRAM-SHA-1', 'SCRAM-SHA-256']})
      Successfully added user: {
      	"user" : "foo",
      	"roles" : [
      		"root"
      	],
      	"mechanisms" : [
      		"SCRAM-SHA-1",
      		"SCRAM-SHA-256"
      	]
      }
      MongoDB Enterprise > db.system.users.find().pretty()
      {
      	"_id" : "admin.foo",
      	"user" : "foo",
      	"db" : "admin",
      	"credentials" : {
      		"SCRAM-SHA-1" : {
      			"iterationCount" : 10000,
      			"salt" : "/F0KadCJa77F/zdIjz7zRQ==",
      			"storedKey" : "2I0MCswchy/1V9Z6lWIzt9NXYA4=",
      			"serverKey" : "hl59xG+Us9udS/dR2N60Rh66zKA="
      		},
      		"SCRAM-SHA-256" : {
      			"iterationCount" : 15000,
      			"salt" : "PrVrIA6rsotQQkrytZ1nkN6ZGX2AZXm7FpQzMg==",
      			"storedKey" : "vgoknTccjZtSnhUcjbgxG4wP4CjPEstQIFKehH/2zS4=",
      			"serverKey" : "p85+pVuVb2yKlOgNF9Q+we0yp5xmPjJo9/oI5EA+WT8="
      		}
      	},
      	"roles" : [
      		{
      			"role" : "root",
      			"db" : "admin"
      		}
      	]
      }
      

      The server has to be in 4.0 feature compatibility mode for SCRAM-SHA-256 credentials to be created. See SERVER-32974 for more details.

      ------------------

      Update 2/22 - The default FCV is now 4.0 in MongoDB master, enabling SCRAM-SHA-256 support by default.
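
The verification the ticket asks for, written out as an added example (not code from the ticket or from any driver): the client side of SCRAM-SHA-256 per RFC 7677, run against the sample conversation above with the client nonce forced to the RFC value. It assumes an ASCII password, so the normalization step tracked in DRIVERS-444 is skipped; the function names are illustrative.

```python
import base64
import hashlib
import hmac

# Messages from the RFC 7677 sample conversation quoted in this ticket
# (user 'user', password 'pencil', client nonce forced to the RFC value).
CLIENT_FIRST_BARE = "n=user,r=rOprNGfwEbeRWgbNEkqO"
SERVER_FIRST = ("r=rOprNGfwEbeRWgbNEkqO%hvYDpWUa2RaTCAfuxFIlj)hNlF$k0,"
                "s=W22ZaJ0SNY7soEsUEjb6gQ==,i=4096")
SERVER_FINAL = "v=6rriTRBi23WpRR/wtup+mMhUZUn/dB5nLTJRsjl95G4="


def _hmac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()


def client_final(password: str, client_first_bare: str, server_first: str):
    """Return (client-final-message, expected ServerSignature bytes)."""
    fields = dict(f.split("=", 1) for f in server_first.split(","))
    client_nonce = dict(f.split("=", 1) for f in client_first_bare.split(","))["r"]
    # The combined nonce must extend the nonce this client sent.
    if not fields["r"].startswith(client_nonce) or fields["r"] == client_nonce:
        raise ValueError("server nonce does not extend client nonce")
    # Assumption: ASCII password, so no normalization is applied here.
    salted = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 base64.b64decode(fields["s"]), int(fields["i"]))
    client_key = _hmac(salted, b"Client Key")
    stored_key = hashlib.sha256(client_key).digest()
    # c=biws is base64("n,,"): no channel binding, no authzid.
    without_proof = "c=biws,r=" + fields["r"]
    auth_message = ",".join([client_first_bare, server_first, without_proof]).encode()
    signature = _hmac(stored_key, auth_message)
    proof = bytes(a ^ b for a, b in zip(client_key, signature))
    server_sig = _hmac(_hmac(salted, b"Server Key"), auth_message)
    return without_proof + ",p=" + base64.b64encode(proof).decode(), server_sig


def server_final_ok(server_final: str, expected_sig: bytes) -> bool:
    """Constant-time check of the server's v= attribute."""
    if not server_final.startswith("v="):
        return False  # e.g. an e=... error attribute instead of a signature
    try:
        received = base64.b64decode(server_final[2:], validate=True)
    except ValueError:
        return False
    return hmac.compare_digest(received, expected_sig)
```

A compliant implementation reproduces the RFC's `p=` value byte for byte and accepts the RFC's `v=` value; a driver that skips the `v=` check authenticates without confirming that the server holds the user's ServerKey.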

            Assignee: Rathi Gnanasekaran
            Reporter: Rathi Gnanasekaran