[DOCS-15627] Denote default SCRAM as SHA-256 in docs somewhere Created: 13/Sep/22  Updated: 30/Oct/23  Resolved: 26/Jul/23

Status: Closed
Project: Documentation
Component/s: manual, Server
Affects Version/s: None
Fix Version/s: Server_Docs_20231030

Type: Task Priority: Major - P3
Reporter: Matthew Javaly Assignee: Nick Villahermosa
Resolution: Fixed Votes: 0
Labels: server-docs-bug-bash
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Participants:
Days since reply: 28 weeks ago
Epic Link: DOCSP-11702

 Description   

I was trying to figure out which authentication mechanism new users would use by default, and it looks like SCRAM-SHA-256 is the default for 4.4 and 5.0. I couldn't determine this value from the logs in 4.2.

I think it would be useful to include this in the logs, so that customers know that if they are not specifying authMechanism in the URI string, their db users will use SHA-256:

https://www.mongodb.com/docs/manual/reference/connection-string/#mongodb-urioption-urioption.authMechanism

I'm not sure if it's important, but without specifying anything in the db.createUser command about the auth mechanism, the users all get created with SHA-1 and SHA-256 under the "mechanisms" field.



 Comments   
Comment by Nick Villahermosa [ 26/Jul/23 ]

Backported to 6.3, 6.0, 5.0, 4.4

Comment by Nick Villahermosa [ 25/Jul/23 ]

https://github.com/mongodb/docs-mongodb-shell/pull/274 merged to docs-mongodb-shell

Comment by Matthew Javaly [ 13/Sep/22 ]

Also, I think this page needs to be updated:

https://www.mongodb.com/docs/mongodb-shell/reference/options/#std-option-mongosh.--authenticationMechanism

The page says that the default value for this option is SCRAM-SHA-1, but when I connected to MongoDB 4.4 with a database user that had both SCRAM-SHA-1 and SCRAM-SHA-256 in "mechanisms", the mongosh shell used SCRAM-SHA-256. When I connected with a database user that had only SCRAM-SHA-1, the log file has an "Authentication failed" message from trying SCRAM-SHA-256 first, and then a "Successful authentication" from trying SCRAM-SHA-1 afterward.
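
Added example, not part of the ticket or of MongoDB's code: a Node.js scan for the pattern described in the comment above (a failed SCRAM-SHA-256 attempt followed shortly by a SCRAM-SHA-1 success for the same user), which points at users whose "mechanisms" lack SCRAM-SHA-256. The log lines are constructed, and the JSON field names, the `findSha1Fallbacks` name and the 5-second window are assumptions to adapt to your server's log format.

```javascript
// Message texts as quoted in the comment above; exact wording and field names
// vary by server version, so treat these constants as assumptions.
const MSG_FAILED = "Authentication failed";
const MSG_OK = "Successful authentication";
const WINDOW_MS = 5000; // assumed max gap between the failed and the successful attempt

// Build one constructed JSON log line (sample data, not real server output).
const line = (date, msg, mechanism, principalName) =>
  JSON.stringify({ t: { $date: date }, c: "ACCESS", msg,
    attr: { mechanism, principalName, authenticationDatabase: "admin" } });

const SAMPLE_LOG = [
  line("2022-09-13T10:00:00.000Z", MSG_FAILED, "SCRAM-SHA-256", "legacyApp"),
  line("2022-09-13T10:00:00.050Z", MSG_OK, "SCRAM-SHA-1", "legacyApp"),
  line("2022-09-13T10:00:01.000Z", MSG_OK, "SCRAM-SHA-256", "modernApp"),
  line("2022-09-13T10:00:02.000Z", MSG_FAILED, "SCRAM-SHA-256", "typoUser"),
  "a non-JSON line that the parser must skip",
].join("\n");

// Return principals whose SCRAM-SHA-256 attempt failed and whose SCRAM-SHA-1
// attempt succeeded within WINDOW_MS: candidates for SHA-1-only credentials.
function findSha1Fallbacks(logText) {
  const lastSha256Failure = new Map(); // "db.user" -> failure time in ms
  const findings = [];
  for (const raw of logText.split("\n")) {
    let entry;
    try { entry = JSON.parse(raw); } catch { continue; } // skip non-JSON lines
    const attr = (entry && entry.attr) || {};
    const when = Date.parse(entry && entry.t && entry.t.$date);
    if (!attr.mechanism || !attr.principalName || Number.isNaN(when)) continue;
    const key = `${attr.authenticationDatabase}.${attr.principalName}`;
    if (entry.msg === MSG_FAILED && attr.mechanism === "SCRAM-SHA-256") {
      lastSha256Failure.set(key, when);
    } else if (entry.msg === MSG_OK) {
      const failedAt = lastSha256Failure.get(key);
      if (attr.mechanism === "SCRAM-SHA-1" && failedAt !== undefined &&
          when - failedAt <= WINDOW_MS) {
        findings.push({ principal: key, gapMs: when - failedAt });
      }
      lastSha256Failure.delete(key); // any success closes the pending failure
    }
  }
  return findings;
}

console.log(findSha1Fallbacks(SAMPLE_LOG));
```

A hit is a lead, not proof: confirm it against the user's "mechanisms" field before re-issuing the credential with SCRAM-SHA-256.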
