The wording on this page http://www.mongodb.org/display/DOCS/Security+and+Authentication implies that you can use --auth without --keyFile.

In particular, here http://www.mongodb.org/display/DOCS/Security+and+Authentication#SecurityandAuthentication-ReplicaSetandShardingAuthentication , the beginning says "Replica sets and sharding can use authentication...." note "can." At the end of the section, where it explains that keyFile implies auth, but not vice versa, it again sounds like I can run with auth (plain), or with keyFile (which implies auth).

Got a customer who's trying to do this and its failing. In an email thread on the subject, Scott said "Yes, you cannot use authentication without keyfile on a replicaset or sharded cluster. The keyfiles is the auth part when it is not initiated from a user – like replication or chunk migration." This should be added to the page, and the wording changed so the choice is not implied.