[SERVER-32978] Add negotiation support for SCRAM-SHA-256 for internal auth
Created: 29/Jan/18 Updated: 29/Oct/23 Resolved: 14/Nov/18

| Status: | Closed |
| Project: | Core Server |
| Component/s: | Security, Upgrade/Downgrade |
| Affects Version/s: | None |
| Fix Version/s: | 4.1.6 |
| Type: | Improvement |
| Priority: | Major - P3 |
| Reporter: | Spencer Jackson |
| Assignee: | Jonathan Reams |
| Resolution: | Fixed |
| Votes: | 0 |
| Labels: | platforms_security |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Issue Links: | |
| Backwards Compatibility: | Fully Compatible |
| Sprint: | Security 2018-09-24, Security 2018-11-19 |
| Participants: | |
| Linked BF Score: | 33 |

Description
Make nodes accept SCRAM-SHA-256 authentication for the internal user. Use the existing SASL mechanism negotiation (written for the drivers) to decide when to make outbound SCRAM-SHA-256 authentication attempts, and when to reject SCRAM-SHA-1 for inbound attempts.
Comments

Comment by Githook User [ 17/Nov/18 ]

Author: Jonathan Reams (jbreams@mongodb.com, username: jbreams)
Message:
Comment by Githook User [ 15/Nov/18 ]

Author: Mark Benvenuto (mark.benvenuto@mongodb.com, username: markbenvenuto)
Message:
Comment by Jonathan Reams [ 14/Nov/18 ]

Although this shouldn't change anything for the drivers, the order of the SASL mechanisms returned during isMaster SASL mechanism discovery has changed. Before, there was no order; it was whatever order the mechanisms were retrieved from an unordered_map in. Now they are sorted by their "security level", with SCRAM-SHA-256 sorting as the highest SASL mech and PLAIN sorting as the lowest. In the future, you can select what the server thinks is the strongest SASL mechanism by selecting the first element in the returned list.
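The negotiation the ticket describes, as an added example that is not MongoDB's code: mechanisms are ordered by an assumed security level (only the endpoints SCRAM-SHA-256 highest and PLAIN lowest come from the comment above), an outbound attempt takes the strongest mutually supported mechanism from the advertised list, and an inbound attempt is rejected when it falls below a configured floor. The `saslSupportedMechs` field name and the floor policy are assumptions of this example.

```python
from typing import Optional, Sequence

# Assumed ranking for the example (higher = stronger); only mechanisms the
# ticket names are listed, so anything else is treated as unknown.
SECURITY_LEVEL = {"SCRAM-SHA-256": 3, "SCRAM-SHA-1": 2, "PLAIN": 1}


def order_by_strength(mechs: Sequence[str]) -> list:
    """Sort mechanisms strongest-first, the order the server now advertises.

    Unknown names are dropped instead of being ranked by guesswork, and
    duplicates collapse so the caller sees each mechanism once.
    """
    known = {m for m in mechs if m in SECURITY_LEVEL}
    return sorted(known, key=lambda m: SECURITY_LEVEL[m], reverse=True)


def choose_outbound(advertised: Sequence[str], local: Sequence[str]) -> Optional[str]:
    """Outbound side: take the strongest advertised mechanism this node can
    also speak. Returns None when there is no overlap, so the caller fails
    closed rather than falling back to something neither side prefers."""
    speakable = set(local)
    for mech in order_by_strength(advertised):
        if mech in speakable:
            return mech
    return None


def accept_inbound(offered: str, local: Sequence[str], minimum: str = "SCRAM-SHA-256") -> bool:
    """Inbound side: accept an offered mechanism only if it is known, locally
    enabled and at least as strong as the configured floor. With the default
    floor a SCRAM-SHA-1 attempt is rejected; a floor of "SCRAM-SHA-1" lets it
    through. The floor policy is this example's own assumption."""
    if offered not in SECURITY_LEVEL or offered not in set(local):
        return False
    return SECURITY_LEVEL[offered] >= SECURITY_LEVEL[minimum]


def negotiate_from_ismaster(response: dict, local: Sequence[str]) -> Optional[str]:
    """Driver-style discovery: read the advertised list from an isMaster reply
    (field name assumed) and pick the mechanism for the first attempt."""
    return choose_outbound(response.get("saslSupportedMechs", []), local)


if __name__ == "__main__":
    # Constructed sample reply, not a capture from a real server.
    reply = {"ismaster": True, "saslSupportedMechs": ["SCRAM-SHA-1", "SCRAM-SHA-256"]}
    print(negotiate_from_ismaster(reply, ["SCRAM-SHA-256", "SCRAM-SHA-1"]))  # SCRAM-SHA-256
    print(accept_inbound("SCRAM-SHA-1", ["SCRAM-SHA-256", "SCRAM-SHA-1"]))  # False
```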
Comment by Githook User [ 14/Nov/18 ]

Author: Jonathan Reams (jbreams@mongodb.com, username: jbreams)
Message:
Comment by Githook User [ 14/Nov/18 ]

Author: Jonathan Reams (jbreams@mongodb.com, username: jbreams)
Message: