[SERVER-34626] Remove SCRAM-SHA-1 specific intracluster auth checks from SCRAM-SHA-256 Created: 23/Apr/18  Updated: 29/Oct/23  Resolved: 04/May/18

Status: Closed
Project: Core Server
Component/s: Security
Affects Version/s: None
Fix Version/s: 4.0.0-rc0

Type: Bug Priority: Major - P3
Reporter: Spencer Jackson Assignee: Spencer Jackson
Resolution: Fixed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Related
Backwards Compatibility: Fully Compatible
Operating System: ALL
Sprint: Platforms 2018-05-07
Participants:

Description

SERVER-16534 defined a scheme that allows SCRAM-SHA-1 to work when a keyfile has been set but no password-based authentication mechanism has been enabled. The logic for this is embedded in the SCRAM implementation, but it assumes that the mechanism in use is SCRAM-SHA-1.

If SCRAM-SHA-256 is the only enabled authentication mechanism, and the user authenticating is not the intracluster user, this check may cause authentication to fail with the following error:

2018-04-23T17:59:19.579-0400 I ACCESS   [conn1] SASL SCRAM-SHA-256 authentication failed for sajack on test from client 127.0.0.1:35206 ; BadValue: SCRAM-SHA-1 authentication is disabled
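The failure mode above, modelled as an added illustration (not MongoDB's own code): the shared check is written once, but the pre-fix version hard-codes the mechanism name it asks about, so a SCRAM-SHA-256 login by an ordinary user is judged against whether SCRAM-SHA-1 is enabled. The exact allow rule (enabled mechanism, or keyfile plus intracluster user) is an assumption based on the description.

```cpp
#include <set>
#include <string>

// Inputs the check depends on, as described in the ticket.
struct AuthContext {
    std::string mechanism;               // mechanism the client negotiated
    std::set<std::string> enabledMechs;  // configured authentication mechanisms
    bool keyfileSet;                     // an intracluster keyfile is configured
    bool isIntraclusterUser;             // the keyfile-backed internal user
};

struct CheckResult {
    bool ok;
    std::string error;  // empty when ok
};

// Shared rule (assumed from the ticket's description of SERVER-16534):
// allow if the mechanism is enabled, or if a keyfile is set and the
// authenticating user is the intracluster user.
static CheckResult allowMechanism(const std::string& checked, const AuthContext& ctx) {
    if (ctx.enabledMechs.count(checked)) {
        return {true, ""};
    }
    if (ctx.keyfileSet && ctx.isIntraclusterUser) {
        return {true, ""};
    }
    return {false, "BadValue: " + checked + " authentication is disabled"};
}

// Before the fix: the check always asks about SCRAM-SHA-1, regardless of
// which SCRAM variant the client is actually using.
CheckResult checkBeforeFix(const AuthContext& ctx) {
    return allowMechanism("SCRAM-SHA-1", ctx);
}

// After the fix: the check asks about the mechanism in use.
CheckResult checkAfterFix(const AuthContext& ctx) {
    return allowMechanism(ctx.mechanism, ctx);
}
```

With only SCRAM-SHA-256 enabled and a keyfile set, the pre-fix check rejects a normal user with the SCRAM-SHA-1 error shown in the log line above, while the intracluster user still passes under both versions.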



Comments
Comment by Githook User [ 04/May/18 ]

Author: Spencer Jackson <spencer.jackson@mongodb.com> (username: spencerjackson)

Message: SERVER-34626: Remove SCRAM-SHA-1 specific auth checks from SCRAM-SHA-256
Branch: master
https://github.com/mongodb/mongo/commit/67f8f9532c48911cf885b69723ef41774762d275
