[SERVER-7456] MongoDB commands requiring passwords should be able to prompt for its entry (without it being displayed) Created: 24/Oct/12  Updated: 09/Jul/16  Resolved: 06/Nov/12

Status: Closed
Project: Core Server
Component/s: Security
Affects Version/s: 2.2.0
Fix Version/s: None

Type: Improvement Priority: Major - P3
Reporter: Simon Harvey Assignee: Andy Schwerin
Resolution: Done Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment:

RHEL 6


Participants:

 Description   

Currently when default authentication is in place many MongoDB commands such as mongodump, mongorestore, mongostat and mongotop require that the password is entered as a parameter in clear text. This risks the password being compromised (e.g. by shoulder surfing). All such commands should enable the user to enter the password without it being echoed, e.g. by prompting for it.



 Comments   
Comment by Andy Schwerin [ 08/Nov/12 ]

No problem, Simon. We've marked this one for a documentation update.

Comment by Simon Harvey [ 08/Nov/12 ]

Thanks Andy - I hadn't realised that this was possible, but have tested using V2.2 with mongo, mongodump, mongostat etc. and it works as you describe.

Regards,

Simon.

Comment by Andy Schwerin [ 06/Nov/12 ]

The tools and shell will prompt the user for a password if the user passes the --password flag with no argument or an empty argument. For example,

$ ./mongo --username andy --password
MongoDB shell version: 2.3.1-pre-
Enter password:

Generated at Thu Feb 08 03:14:35 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.