[SERVER-8169] Need alternate password entry mechanism for PEM key Created: 14/Jan/13 Updated: 07/Apr/14 Resolved: 12/Apr/13 |
|
| Status: | Closed |
| Project: | Core Server |
| Component/s: | Security |
| Affects Version/s: | None |
| Fix Version/s: | 2.5.0 |
| Type: | Improvement | Priority: | Critical - P2 |
| Reporter: | Barrie Segal | Assignee: | Eric Milkie |
| Resolution: | Done | Votes: | 1 |
| Labels: | None | ||
| Remaining Estimate: | Not Specified | ||
| Time Spent: | Not Specified | ||
| Original Estimate: | Not Specified | ||
| Description |
|
A significant hurdle to getting certain software accredited is removing all cleartext passwords from persistent storage on systems. As such, using a mongod startup script that included "--sslPEMKeyPassword <yourpassword>" would be a violation. The most straightforward solution to get around this would probably be allowing for interactive password entry whenever it isn't specified in SSL mode. |
| Comments |
| Comment by auto [ 12/Apr/13 ] |
|
Author: Eric Milkie <milkie@10gen.com> (2013-04-12T18:52:10Z) Message: |
| Comment by auto [ 10/Apr/13 ] |
|
Author: Eric Milkie <milkie@10gen.com> (2013-04-10T14:47:20Z) Message: I consolidated all the SSL Manager instances into one instance, so that the user is only prompted once |
| Comment by Jeff Segal [ 15/Feb/13 ] |
|
Eric, unfortunately that wouldn't help us - the key must be encrypted. Any update on this? It's most likely a blocker to get anything in production in DoD. |
| Comment by Eric Milkie [ 14/Jan/13 ] |
|
You can also simply not encrypt your private key in the PEM file; then you don't need to supply a password at all. |