[SERVER-7540] The MongoDB challenge response authentication takes place over clear text
Created: 02/Nov/12   Updated: 15/Feb/13   Resolved: 02/Nov/12

Status: Closed
Project: Core Server
Component/s: Security
Affects Version/s: 2.2.0
Fix Version/s: None
Type: Improvement
Priority: Minor - P4
Reporter: Simon Harvey
Assignee: Unassigned
Resolution: Done
Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment: RHEL 6.2
Description

The following process appears to be used for authenticating the client:

1. Client sends getnonce command to server.
Key = MD5(nonce + username + MD5(username + ":Mongo:" + password))
4. Client sends the key, nonce, and the username to the server

The fact that the server uses a randomly generated nonce eliminates
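The round trip the description outlines, as an added example that is not part of this ticket or of MongoDB's own code: a toy server and client that implement the getnonce / key exchange in Python and record what an on-path observer sees. It assumes a 16-hex-character nonce, a one-shot nonce table on the server, and the lowercase `:mongo:` digest separator that MongoDB's drivers used for this mechanism (the description above writes it `:Mongo:`); the user name and passwords are constructed.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Constructed toy implementation of the legacy MongoDB challenge-response
# login (the getnonce / key round trip from the ticket description).
# Not MongoDB code; nonce length and one-shot nonce policy are assumptions.

SEPARATOR = ":mongo:"  # lowercase, as used by MongoDB drivers;
                       # the ticket description writes it ":Mongo:"


def password_digest(username: str, password: str) -> str:
    """MD5(username + ':mongo:' + password), hex-encoded.

    This is what the server stores per user, so it is password-equivalent:
    a client that knows only the digest can still compute a valid key.
    """
    return hashlib.md5(f"{username}{SEPARATOR}{password}".encode()).hexdigest()


def client_key(nonce: str, username: str, pwd_digest: str) -> str:
    """MD5(nonce + username + pwd_digest), hex-encoded: the value sent as 'key'."""
    return hashlib.md5(f"{nonce}{username}{pwd_digest}".encode()).hexdigest()


class ToyServer:
    """Holds password digests and hands out nonces that may be used once."""

    def __init__(self, users: Dict[str, str]):
        self.digests = {u: password_digest(u, p) for u, p in users.items()}
        self.outstanding = set()  # nonces issued but not yet consumed

    def getnonce(self) -> str:
        nonce = secrets.token_hex(8)  # 16 hex chars; the length is an assumption
        self.outstanding.add(nonce)
        return nonce

    def authenticate(self, username: str, nonce: str, key: str) -> bool:
        # A nonce is accepted once; re-presenting a captured one (replay) fails.
        if nonce not in self.outstanding:
            return False
        self.outstanding.discard(nonce)
        digest = self.digests.get(username)
        if digest is None:
            return False
        expected = client_key(nonce, username, digest)
        return hmac.compare_digest(expected.encode(), key.encode())


def run_exchange(server: ToyServer, username: str, password: str) -> Tuple[bool, dict]:
    """Client side of the round trip. Returns (accepted, fields seen on the wire)."""
    nonce = server.getnonce()                      # step 1: getnonce
    digest = password_digest(username, password)   # computed locally by the client
    key = client_key(nonce, username, digest)
    wire = {"username": username, "nonce": nonce, "key": key}  # step 4, in clear
    return server.authenticate(username, nonce, key), wire


def replay(server: ToyServer, wire: dict) -> bool:
    """An eavesdropper re-sends a captured exchange verbatim."""
    return server.authenticate(wire["username"], wire["nonce"], wire["key"])


def offline_guess(wire: dict, candidates) -> Optional[str]:
    """An eavesdropper checks password guesses against the captured fields.

    The nonce and username were sent in the clear, so each guess can be
    verified by recomputing the key with no further traffic to the server.
    """
    for pw in candidates:
        digest = password_digest(wire["username"], pw)
        if client_key(wire["nonce"], wire["username"], digest) == wire["key"]:
            return pw
    return None


if __name__ == "__main__":
    server = ToyServer({"app": "s3cret"})          # constructed credentials
    ok, wire = run_exchange(server, "app", "s3cret")
    print("login accepted:", ok)
    print("seen on the wire:", wire)
    print("replay accepted:", replay(server, wire))
    print("offline guess:", offline_guess(wire, ["hunter2", "s3cret"]))
```

Running it shows the three fields crossing the wire in the clear, that the random nonce makes a replayed exchange fail, and that the nonce does nothing for confidentiality: with the captured username, nonce and key, a password guess can be checked offline against the deterministic MD5 construction. That is why the remedy given in the comments is to carry the connection over SSL/TLS rather than to change the hash.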
Comments

Comment by Simon Harvey [ 09/Nov/12 ]

Andy, apologies for the delay responding on this. I had originally thought that this testing had been done with SSL already in place, but have just had confirmation from the tester that this wasn't the case, and after re-testing he has confirmed that everything is correctly encrypted when SSL is used, so please close this down. Regards, Simon.
Comment by Andy Schwerin [ 02/Nov/12 ]

The solution for users on insecure networks is to use the SSL or TLS support in Mongo to secure connections, or (less commonly) to construct a secure VPN.