[SERVER-8453] Encrypted Password Feature Created: 06/Feb/13  Updated: 15/Feb/13  Resolved: 06/Feb/13

Status: Closed
Project: Core Server
Component/s: Admin
Affects Version/s: 2.2.2
Fix Version/s: None

Type: Question Priority: Trivial - P5
Reporter: Mark Bosakowski Assignee: Unassigned
Resolution: Done Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment:

Red Hat Linux running on VMWare


Participants:

 Description   

We are currently in a security audit, and our last understanding was that for administrative purposes, MongoDB did not provide a mechanism to provide a user/password that could be encrypted when sent over the wire. Basically, the password was in the clear, which is considered a security vulnerability.

I know MMS uses 128-bit SSL; however, our admin application creates the Virtual Machines (Red Hat), installs MongoDB, builds the shards and does whatever admin work is required to automatically install, configure and start the mongo database.

A former employee had reported that as of December 2012, there was no encryption of passwords available in MongoDB for these purposes. Is this correct?

Is there a facility in MongoDB, or in any of the drivers, that enables you to log in to MongoDB with encryption of username and/or password? If not, is this feature scheduled for future releases, and if so, when would it become available for testing?



 Comments   
Comment by Andy Schwerin [ 06/Feb/13 ]

Passwords are never sent, and the one-way hashes of passwords are only transmitted to the server when setting/changing them. At all other times, a challenge-response protocol is used. However, one-way hashes of passwords are transmitted to secondaries during replication of system.users collections. SSL is advised for all traffic when trying to ensure privacy and integrity of communication.
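
Added example, not part of the ticket or of MongoDB's code: a Python model of the challenge-response login described in the comment above, showing which values cross the wire. It assumes the MONGODB-CR construction used by servers of the 2.2 era (MD5 of "user:mongo:password" as the stored hash, MD5 of nonce + user + hash as the proof), which the ticket itself does not spell out; the Server class and the login helper are hypothetical names.

```python
import hashlib
import hmac
import secrets

def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def password_digest(user, password):
    # One-way hash kept in system.users; sent only when setting/changing it.
    return md5_hex(f"{user}:mongo:{password}")

def client_key(nonce, user, digest):
    # Per-login proof, bound to the nonce the server issued.
    return md5_hex(nonce + user + digest)

class Server:
    """Hypothetical stand-in for the server side of the exchange."""
    def __init__(self):
        self.users = {}        # user -> stored one-way hash
        self.pending = set()   # nonces issued and not yet consumed

    def set_password(self, user, digest):
        self.users[user] = digest

    def getnonce(self):
        nonce = secrets.token_hex(8)
        self.pending.add(nonce)
        return nonce

    def authenticate(self, user, nonce, key):
        if nonce not in self.pending:
            return False                 # unknown or already-used nonce
        self.pending.discard(nonce)      # a nonce is good for one attempt
        stored = self.users.get(user)
        if stored is None:
            return False
        # Verification needs only the stored hash, so that hash has to be
        # protected wherever it travels (password changes, replication).
        return hmac.compare_digest(client_key(nonce, user, stored), key)

def login(server, user, password):
    """Run one login; return (result, messages the client put on the wire)."""
    nonce = server.getnonce()
    key = client_key(nonce, user, password_digest(user, password))
    wire = [{"getnonce": 1},
            {"authenticate": 1, "user": user, "nonce": nonce, "key": key}]
    return server.authenticate(user, nonce, key), wire
```

The login messages carry neither the password nor its stored hash, but nothing in the exchange encrypts the session that follows, which is the reason for the SSL advice.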

Comment by Mark Bosakowski [ 06/Feb/13 ]

Our setup application is written in Perl, but I am porting it to "C". Is there a C Language Mongo client API that supports SSL?

Generated at Thu Feb 08 03:17:28 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.