-
Type: Question
-
Resolution: Duplicate
-
Priority: Major - P3
-
None
-
Affects Version/s: 1.9.0
-
Component/s: Security
-
None
-
Environment:Windows/Linux/Freebsd
1. Password hash values should be stored using a random salt and hashed using a strong hash such as SHA256.
2. Hash values should not be sent over the network, even as part of a digest.
3. Authentication requests should be protected against replay .
4. Credentials storage should be protected against access from all users except DBA's. This includes the actual database files that
store the encrypted credentials.
5. Ensure integrity of replicated data using either PKI or HMAC technology.
6. Authentication should occur only over secure channels. Support for SSL/TLS communication should be added for authentication. This
should include client certificate authentication for the purpose of mutually authenticating replication partners. Even with anti-
replay nonce values and encrypted "keys" clear text authentication will be vulnerable to man-in-the middle attacks.
7. Provisions for more granular levels of authorization should be added to include provisions for groups and roles for database
users.
- depends on
-
SERVER-524 Encryption of wire protocol with SSL
- Closed
-
SERVER-3198 Ability to restrict operations by role
- Closed
-
SERVER-6407 Authenticate users via LDAP proxy
- Closed
-
SERVER-3591 Kerberos Support
- Closed
-
SERVER-6746 Authentication should only occur over secure channels
- Closed