[SERVER-6406] Add authentication module Created: 11/Jul/12  Updated: 16/Nov/21  Resolved: 03/Oct/12

Status: Closed
Project: Core Server
Component/s: Security
Affects Version/s: None
Fix Version/s: None

Type: New Feature
Priority: Major - P3
Reporter: Ian Whalen (Inactive)
Assignee: Andy Schwerin
Resolution: Duplicate
Votes: 1
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Depends
is depended on by SERVER-6407 Authenticate users via LDAP proxy Closed
is depended on by SERVER-3591 Kerberos Support Closed
Duplicate
duplicates SERVER-7115 Modular Authentication support Closed
Related
related to SERVER-7042 The shell should be able to report wh... Closed
Participants:

Comments
Comment by Andy Schwerin [ 03/Oct/12 ]

SERVER-7115 tracks progress on this issue.

Comment by Andy Schwerin [ 03/Oct/12 ]

SERVER-7115 tracks progress on this feature.

Comment by Andy Schwerin [ 05/Sep/12 ]

@David, thanks for the clarification. The current authentication mechanism in Mongo doesn't (to the best of my recollection) support transmitting the password at all, except when setting the shared secret in the create-user process. As a result, it would require client modification to support externalizing password validation through PAM. However, point taken, and we will at least consider PAM support.

Comment by David McLennan [ 05/Sep/12 ]

For Windows, sadly PAM is not natively available - however it would be reasonable to just use Kerberos via GSSAPI (which wraps the SSPI - please see here http://msdn.microsoft.com/en-us/library/windows/desktop/aa380496(v=vs.85).aspx) since that's how the vast majority of Windows services authenticate today.

Comment by David McLennan [ 05/Sep/12 ]

@Andy, you are correct - the PAM stack is geared towards servicing username/password authentication and does not support the notion of ticket management (including encrypted transmission between the client & server) natively. It does support authenticating user names & passwords via Kerberos on the server side via pam_krb5 (which essentially takes the username & password and runs a kinit on the server side with them; if a TGT can be acquired, then it's successful).

Other vendors we work with support a "dual authentication" strategy where the server supports PAM for username and password authentication, and separately Kerberos for the client and server using the GSSAPI, which is available on all modern Windows and Unix distributions.

PAM support for username/password authentication involves no work on the client, and a very modest amount of work on the server to externalize the authentication call to PAM. (Note that most sites have the additional requirement that the password not be transmitted by the client to the server in clear text).

Kerberos / GSSAPI support for username/password authentication involves work on both the client and server sides to make the necessary GSSAPI calls to acquire the necessary service tickets from the TGT credential cache and transmit that to the server in a secure manner.
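
As an added illustration of the server-side step described above (example code, not MongoDB's own and not the commenters'), this is what "externalizing the authentication call to PAM" looks like against the Linux-PAM API through Python's ctypes. The service name "mongod", the struct layouts and libpam being present at runtime are assumptions; answer_prompts is the conversation policy that hands the already-received password only to echo-off password prompts, and it is the part that runs without libpam.

```python
import ctypes
import ctypes.util
# Linux-PAM constants (security/_pam_types.h).
PAM_SUCCESS, PAM_CONV_ERR, PAM_SILENT = 0, 19, 0x8000
PAM_PROMPT_ECHO_OFF, PAM_PROMPT_ECHO_ON, PAM_ERROR_MSG, PAM_TEXT_INFO = 1, 2, 3, 4

def answer_prompts(styles, password):
    """One reply per PAM message, or None to refuse the whole conversation:
    only echo-off (password) prompts receive the secret, so a module asking
    for something to be typed visibly can never be answered with it."""
    if any(s not in (PAM_PROMPT_ECHO_OFF, PAM_ERROR_MSG, PAM_TEXT_INFO) for s in styles):
        return None  # e.g. an echo-on prompt: a module wants something typed visibly
    return [password if s == PAM_PROMPT_ECHO_OFF else None for s in styles]

# Assumed Linux-PAM layouts: msg is an array of pointers, not a pointer to an array.
class PamMessage(ctypes.Structure):
    _fields_ = [("msg_style", ctypes.c_int), ("msg", ctypes.c_char_p)]
class PamResponse(ctypes.Structure):
    _fields_ = [("resp", ctypes.c_void_p), ("resp_retcode", ctypes.c_int)]
CONV_FUNC = ctypes.CFUNCTYPE(ctypes.c_int, ctypes.c_int,
                             ctypes.POINTER(ctypes.POINTER(PamMessage)),
                             ctypes.POINTER(ctypes.POINTER(PamResponse)), ctypes.c_void_p)
class PamConv(ctypes.Structure):
    _fields_ = [("conv", CONV_FUNC), ("appdata_ptr", ctypes.c_void_p)]

def pam_check_password(user, password, service="mongod"):
    """True if the stack in /etc/pam.d/<service> (hypothetical name) accepts user/password."""
    pam = ctypes.CDLL(ctypes.util.find_library("pam"))   # needs libpam at runtime
    libc = ctypes.CDLL(ctypes.util.find_library("c"))
    libc.calloc.restype = libc.strdup.restype = ctypes.c_void_p
    libc.calloc.argtypes, libc.strdup.argtypes = [ctypes.c_size_t] * 2, [ctypes.c_char_p]
    def conv(n, msgs, resp_out, _appdata):  # libpam frees the block and each resp
        answers = answer_prompts([msgs[i].contents.msg_style for i in range(n)], password)
        if answers is None:
            return PAM_CONV_ERR
        block = ctypes.cast(libc.calloc(n, ctypes.sizeof(PamResponse)), ctypes.POINTER(PamResponse))
        for i, a in enumerate(answers):
            if a is not None:
                block[i].resp = libc.strdup(a.encode())
        resp_out[0] = block
        return PAM_SUCCESS
    handle, pconv = ctypes.c_void_p(), PamConv(CONV_FUNC(conv), None)
    rc = pam.pam_start(service.encode(), user.encode(), ctypes.byref(pconv), ctypes.byref(handle))
    if rc == PAM_SUCCESS:
        rc = pam.pam_authenticate(handle, PAM_SILENT)
    if rc == PAM_SUCCESS:
        rc = pam.pam_acct_mgmt(handle, PAM_SILENT)  # also rejects locked/expired accounts
    if handle.value:
        pam.pam_end(handle, rc)
    return rc == PAM_SUCCESS
```

Note that, exactly as the comment says, PAM only ever sees the cleartext password the server already holds; which verifier runs (pam_unix, pam_krb5, ...) is decided by the stack file, not by the server.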

Comment by Andy Schwerin [ 31/Aug/12 ]

@David, it's a good idea. However, as I understand it, PAM's Kerberos support is geared towards initial logins – obtaining a ticket granting ticket – rather than obtaining a service ticket, as you would do when connecting to an IMAP server or database. Suppose you're logged into your client machine, C. The Mongo instance is running on machine S. You have already obtained your TGT and it's cached on machine C. You fire up the mongo shell, and wish to authenticate to the mongo instance on S. How do you use PAM to get your service ticket, and provide it to the mongo instance on S?

Comment by David McLennan [ 31/Aug/12 ]

Consider externalizing your authentication calls with PAM. This would allow customers the flexibility of choosing what actual authentication mechanism to use via the PAM configuration, and keep things in MongoDB lightweight.

Generated at Thu Feb 08 03:11:35 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.