Skip to content

NAS-138594 / 26.04 / Add client support for SCRAM-SHA512 auth for API keys #49

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
anodos325 wants to merge 1 commit into
base: master
Choose a base branch
from
Open

NAS-138594 / 26.04 / Add client support for SCRAM-SHA512 auth for API keys #49

anodos325 wants to merge 1 commit into from

Conversation

@anodos325
Copy link
Contributor

@anodos325 anodos325 commented Nov 17, 2025

This commit adds the ability for our API client and midclt command to perform SCRAM-SHA512 authentication to a TrueNAS server. This new authentication mechanism provides replay resistance and detection of case where the remote server is (possibly maliciously) granting us access without actually having access to either the API key's hash or keys derived from said hash. The new authentication mechanism is only attempted if the TrueNAS server reports that it supports the mechanism.

@anodos325 anodos325 added the WIP label Nov 17, 2025
@anodos325 anodos325 force-pushed the add-scram-auth branch 3 times, most recently from 12ec52e to cfca481 Compare November 18, 2025 14:04
@anodos325
Add client support for SCRAM-SHA512 auth for API keys
0ff9448 
This commit adds the ability for our API client and midclt command to
perform SCRAM-SHA512 authentication to a TrueNAS server. This new
authentication mechanism provides replay resistance and detection of
case where the remote server is (possibly maliciously) granting us
access without actually having access to either the API key's hash or
keys derived from said hash.  The new authentication mechanism is only
attempted if the TrueNAS server reports that it supports the mechanism.
@bugclerk bugclerk changed the title Add client support for SCRAM-SHA512 auth for API keys NAS-138594 / 26.04 / Add client support for SCRAM-SHA512 auth for API keys Nov 18, 2025
@bugclerk
Copy link

bugclerk commented Nov 18, 2025

Jira URL: https://ixsystems.atlassian.net/browse/NAS-138594

billohanlon
billohanlon reviewed Nov 18, 2025
View reviewed changes
truenas_api_client/py_scram/client_final.py


class ClientFinalMessage:
__rfc_str = '<UNITIALIZED>'
Copy link

@billohanlon billohanlon Nov 18, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Typo for uninitialized? Is the value important?

billohanlon
billohanlon approved these changes Nov 18, 2025
View reviewed changes
Copy link

@billohanlon billohanlon left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@billohanlon billohanlon billohanlon approved these changes

Assignees

No one assigned

Labels

jira-medium WIP

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@anodos325 @bugclerk @billohanlon