[SERVER-32978] Add negotiation support for SCRAM-SHA-256 for internal auth Created: 29/Jan/18  Updated: 29/Oct/23  Resolved: 14/Nov/18

Status: Closed
Project: Core Server
Component/s: Security, Upgrade/Downgrade
Affects Version/s: None
Fix Version/s: 4.1.6

Type: Improvement Priority: Major - P3
Reporter: Spencer Jackson Assignee: Jonathan Reams
Resolution: Fixed Votes: 0
Labels: platforms_security
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Depends: depends on SERVER-34930 Give internal cluster user SCRAM-SHA-... Closed
Backwards Compatibility: Fully Compatible
Sprint: Security 2018-09-24, Security 2018-11-19
Participants:
Linked BF Score: 33

Description

Make nodes accept SCRAM-SHA-256 authentication for the internal user. Use the existing SASL mechanism negotiation (written for the drivers) to decide when to make outbound SCRAM-SHA-256 authentication attempts, and when to reject SCRAM-SHA-1 for inbound attempts.



Comments
Comment by Githook User [ 17/Nov/18 ]

Author:

{'name': 'Jonathan Reams', 'email': 'jbreams@mongodb.com', 'username': 'jbreams'}

Message: SERVER-32978 Add security level to LDAP sasl mech
Branch: tongo
https://github.com/10gen/mongo-enterprise-modules/commit/9b654590ac6ce3e639a529fd5a3bbbe57be1de76

Comment by Githook User [ 15/Nov/18 ]

Author:

{'name': 'Mark Benvenuto', 'email': 'mark.benvenuto@mongodb.com', 'username': 'markbenvenuto'}

Message: SERVER-32978 Implement proper strict weak ordering
Branch: master
https://github.com/mongodb/mongo/commit/ba8c39a1ee89e4edc6e2613c31a2dd6f8b7f493d

Comment by Jonathan Reams [ 14/Nov/18 ]

Although this shouldn't change anything for the drivers, the order of the sasl mechanisms returned during isMaster sasl mechanism discovery has changed. Before there was no order; it was whatever order the mechanisms were retrieved from an unordered_map in. Now they are sorted by their "security level", with SCRAM-SHA-256 sorting as the highest SASL mech and PLAIN sorting as the lowest. In the future, you can select what the server thinks is the strongest SASL mechanism by selecting the first element in the returned list.
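The negotiation sketched in the ticket description (use mechanism discovery to decide when to attempt SCRAM-SHA-256 outbound and when to reject SCRAM-SHA-1 inbound) and the ordering described in the comment above, as an added Python illustration that is not MongoDB's code. The mechanism names are real SASL mechanism names and `__system` is MongoDB's internal cluster user; the numeric security levels, the `Server` class, the `require_strongest_scram` policy flag and the function names are constructed assumptions for this model only.

```python
"""Model of SASL mechanism negotiation ordered by a per-mechanism security level.

Hypothetical model (not MongoDB's implementation): the server advertises the
mechanisms available for a user sorted strongest-first, an outbound client
picks the first advertised mechanism it also supports, and a server-side
policy can refuse inbound SCRAM-SHA-1 once SCRAM-SHA-256 credentials exist.
"""
from dataclasses import dataclass

# Constructed security levels: higher sorts first. Not MongoDB's real values.
SECURITY_LEVEL = {
    "SCRAM-SHA-256": 30,
    "SCRAM-SHA-1": 20,
    "PLAIN": 10,
}


def sort_by_security_level(mechs):
    """Sort mechanisms strongest-first.

    Ties are broken by name so the result is a deterministic strict weak
    ordering rather than whatever iteration order a hash map happens to give.
    """
    return sorted(mechs, key=lambda m: (-SECURITY_LEVEL[m], m))


@dataclass
class Server:
    # Mechanisms whose credentials are stored for each user (constructed).
    user_mechs: dict
    # Policy (assumed): reject inbound SCRAM-SHA-1 for a user who also has
    # SCRAM-SHA-256 credentials, e.g. once every node in a cluster can do 256.
    require_strongest_scram: bool = False

    def advertise(self, user):
        """Mechanism discovery: strongest mechanism first, as in the comment above."""
        return sort_by_security_level(self.user_mechs.get(user, set()))

    def accept(self, user, mech):
        """Inbound decision: is this mechanism acceptable for this user?"""
        offered = self.user_mechs.get(user, set())
        if mech not in offered:
            return False, "mechanism not available for user"
        if (self.require_strongest_scram and mech == "SCRAM-SHA-1"
                and "SCRAM-SHA-256" in offered):
            return False, "SCRAM-SHA-1 rejected: SCRAM-SHA-256 available"
        return True, "ok"


def choose_mechanism(advertised, client_supported):
    """Outbound decision: first (strongest) advertised mechanism the client also supports."""
    for mech in advertised:
        if mech in client_supported:
            return mech
    return None


def negotiate(server, user, client_supported):
    """Run one discovery-then-authenticate round; returns (mechanism or None, reason)."""
    mech = choose_mechanism(server.advertise(user), client_supported)
    if mech is None:
        return None, "no common mechanism"
    ok, reason = server.accept(user, mech)
    return (mech if ok else None), reason


if __name__ == "__main__":
    # Constructed mixed cluster: the internal user has both SCRAM credential types.
    srv = Server({"__system": {"SCRAM-SHA-1", "SCRAM-SHA-256"}})
    print(srv.advertise("__system"))                          # strongest first
    print(negotiate(srv, "__system", {"SCRAM-SHA-1", "SCRAM-SHA-256"}))  # new node
    print(negotiate(srv, "__system", {"SCRAM-SHA-1"}))        # old node, still allowed
    strict = Server({"__system": {"SCRAM-SHA-1", "SCRAM-SHA-256"}}, require_strongest_scram=True)
    print(negotiate(strict, "__system", {"SCRAM-SHA-1"}))     # old node, now rejected
```

The model keeps the two decisions the ticket names separate: `choose_mechanism` is the outbound choice driven by the advertised order, and `Server.accept` is the inbound policy, so SCRAM-SHA-1 keeps working for not-yet-upgraded peers until the policy flag is flipped.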

Comment by Githook User [ 14/Nov/18 ]

Author:

{'name': 'Jonathan Reams', 'email': 'jbreams@mongodb.com', 'username': 'jbreams'}

Message: SERVER-32978 Advertise SCRAM-SHA-256 authentication for the internal user
Branch: master
https://github.com/mongodb/mongo/commit/a8bfcc13011c5e859a10e56ce882a0d53a0a2031

Comment by Githook User [ 14/Nov/18 ]

Author:

{'name': 'Jonathan Reams', 'email': 'jbreams@mongodb.com', 'username': 'jbreams'}

Message: SERVER-32978 Add security level to LDAP sasl mech
Branch: master
https://github.com/10gen/mongo-enterprise-modules/commit/9b654590ac6ce3e639a529fd5a3bbbe57be1de76

Generated at Thu Feb 08 04:31:54 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.