[SERVER-46399] Only use configured authenticationMechanisms when performing intra-cluster authenticating Created: 25/Feb/20  Updated: 14/Nov/23  Resolved: 08/Jan/22

Status: Closed
Project: Core Server
Component/s: None
Affects Version/s: None
Fix Version/s: 5.3.0-rc0

Type: Task Priority: Major - P3
Reporter: Sara Golemon Assignee: Adam Rayner
Resolution: Fixed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Depends
Documented
is documented by DOCS-15019 Investigate changes in SERVER-46399: ... Closed
Related
related to SERVER-62334 Regression following SERVER-46399 Closed
Backwards Compatibility: Fully Compatible
Sprint: Security 2021-11-01, Security 2021-11-15, Security 2021-11-29, Security 2021-12-13, Security 2021-12-27, Security 2022-01-10
Participants:

Description

When we introduced SCRAM-SHA-256, we gave a special exception for the internalSecurity.user to authenticate using SCRAM-SHA-1 even if that mechanism was not among the configured authenticationMechanisms. This has been in use long enough that we should reexamine this decision and tighten up mechanism selection.
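The following is an added model of the mechanism-selection policy described above, not code from the MongoDB server: it contrasts the legacy behaviour (the internal user is always offered SCRAM-SHA-1, configured or not) with the tightened behaviour (only configured mechanisms, for every user), and adds the pre-rollout check a cluster operator would want, namely that every peer can still negotiate some configured mechanism. The internal user name `__system`, the peer names and their advertised mechanism sets are constructed assumptions for the example.

```python
# Assumed name of the internalSecurity.user principal (constructed for this example).
INTERNAL_USER = "__system"
LEGACY_INTERNAL_FALLBACK = "SCRAM-SHA-1"


def offered_mechanisms(configured, user, legacy_fallback):
    """Return the list of mechanisms the server would offer to `user`.

    legacy_fallback=True models the pre-fix exception: the internal user gets
    SCRAM-SHA-1 appended even when it is not configured.
    legacy_fallback=False models the tightened policy: configured mechanisms only.
    """
    offered = list(configured)
    if (legacy_fallback and user == INTERNAL_USER
            and LEGACY_INTERNAL_FALLBACK not in offered):
        offered.append(LEGACY_INTERNAL_FALLBACK)
    return offered


def negotiate(server_offer, peer_supported):
    """Pick the first server-offered mechanism the peer also supports, else None."""
    for mech in server_offer:
        if mech in peer_supported:
            return mech
    return None


def rollout_check(configured, peers):
    """Pre-change check: with the tightened policy, can every peer still
    authenticate as the internal user?  Returns {peer: mechanism or None}.
    A None entry means that peer would be locked out once the fallback goes."""
    offer = offered_mechanisms(configured, INTERNAL_USER, legacy_fallback=False)
    return {name: negotiate(offer, supported) for name, supported in peers.items()}


if __name__ == "__main__":
    configured = ["SCRAM-SHA-256"]
    # Constructed peers: a mongod with both mechanisms, a mongot before and
    # after it gained SCRAM-SHA-256 support.
    peers = {
        "mongod-b": {"SCRAM-SHA-256", "SCRAM-SHA-1"},
        "mongot-old": {"SCRAM-SHA-1"},
        "mongot-new": {"SCRAM-SHA-256"},
    }
    print("legacy offer to internal user:",
          offered_mechanisms(configured, INTERNAL_USER, legacy_fallback=True))
    print("tightened offer to internal user:",
          offered_mechanisms(configured, INTERNAL_USER, legacy_fallback=False))
    for peer, mech in rollout_check(configured, peers).items():
        print(f"{peer}: {mech or 'NO COMMON MECHANISM - would fail after change'}")
```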



Comments
Comment by Githook User [ 31/Dec/21 ]

Author:

{'name': 'Adam Rayner', 'email': 'adam.rayner@gmail.com', 'username': 'adamtron'}

Message: SERVER-46399 remove SCRAM-SHA-1 as a default internal auth mech
Branch: master
https://github.com/mongodb/mongo/commit/9ec1e6e58e94d52d2f6a9bc167ff939118aa5134

Comment by Githook User [ 30/Nov/21 ]

Author:

{'name': 'Adam Rayner', 'email': 'adam.rayner@gmail.com', 'username': 'adamtron'}

Message: Revert "SERVER-46399 remove fallback SCRAM-SHA-1 for internalSecurity.user
Branch: master
https://github.com/mongodb/mongo/commit/1f2653f7d2b6d82af56f70e63c79a7cc3ba91d6e

Comment by Githook User [ 29/Nov/21 ]

Author:

{'name': 'Adam Rayner', 'email': 'adam.rayner@gmail.com', 'username': 'adamtron'}

Message: SERVER-46399 remove fallback SCRAM-SHA-1 for internalSecurity.user
Branch: master
https://github.com/mongodb/mongo/commit/7fa11ee0e0d8d283cc12bdebdd4940731d1536f1

Comment by Doug Tarr [ 21/May/21 ]

Yes, we support SCRAM-SHA-256. You can safely remove SCRAM-SHA-1 from any version of mongod from the perspective of mongot since in practice it is not used.

We still technically support SCRAM-SHA-1 for the same reason but we will remove it once it is removed from mongod.

Comment by Spencer Jackson [ 21/May/21 ]

doug.tarr, we're interested in making a change which would allow mongod processes to authenticate to each other using exclusively SCRAM-SHA-256. This would, however, prevent them from authenticating to or receiving authentication attempts from mongot using SCRAM-SHA-1. Our understanding is that mongot recently received support for SCRAM-SHA-256 for the FedRAMP initiative.


In your estimate, what release of MongoDB could this change be released in to avoid causing problems with mongot?

Generated at Thu Feb 08 05:11:23 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.