  1. Core Server
  2. SERVER-10322

The mongo shell should require a username when using MONGODB-X509 for authentication.


Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor - P4
    • Resolution: Fixed
    • Affects Version/s: 2.5.1
    • Fix Version/s: 2.5.2
    • Component/s: Security, Shell
    • Operating System: ALL

    Description

      In the 2.5.1 shell a username is not required to do X509 auth:

      $ ./mongo --ssl --sslPEMKeyFile jstests/libs/client.pem 
      MongoDB shell version: 2.5.1
      connecting to: test
      > use $external
      switched to db $external
      > db.auth({mechanism: 'MONGODB-X509'})
      1

      A username should be required for a number of reasons:

      1. It's a sanity check that the user is using the correct x.509 cert.
      2. Not requiring the username is inconsistent with all other authentication methods, including GSSAPI which also doesn't technically require a username.
      3. Not requiring the username will be inconsistent with drivers that have no good way to decode the cert and derive the username.
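
The sanity check from reason 1, as an added example that is not part of the original ticket or MongoDB's code: it derives the RFC 2253 subject from a client certificate with openssl and refuses a user name that does not match it before the shell helper is called. The certificate subject, file paths and function names are constructed for illustration.

```bash
# Added example; the certificate subject, paths and function names are constructed.

# Print the certificate subject in RFC 2253 form, the string MongoDB expects
# as the user name in $external for MONGODB-X509.
x509_subject() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# Return 0 only when the supplied user name equals the certificate subject.
# Return 2 when the certificate cannot be read, 1 on a mismatch.
check_x509_user() {
    local cert=$1 user=$2 subject
    subject=$(x509_subject "$cert" 2>/dev/null)
    [ -n "$subject" ] || { echo "cannot read subject from $cert" >&2; return 2; }
    [ "$user" = "$subject" ] && return 0
    echo "user '$user' does not match certificate subject '$subject'" >&2
    return 1
}

# Constructed sample input: a throwaway self-signed client certificate.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/C=US/ST=New York/L=New York City/O=ExampleOrg/OU=Clients/CN=client" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}

demo() {
    local dir user
    dir=$(mktemp -d) || return 1
    make_sample_cert "$dir" || return 1
    user="CN=client,OU=Clients,O=ExampleOrg,L=New York City,ST=New York,C=US"
    if check_x509_user "$dir/cert.pem" "$user"; then
        # Only now hand the explicit user name to the shell helper.
        echo "db.getSiblingDB('\$external').auth({mechanism: 'MONGODB-X509', user: '$user'})"
    fi
    # A user name typed for a different certificate is caught before any connection.
    check_x509_user "$dir/cert.pem" "CN=other,OU=Clients,O=ExampleOrg,C=US" || echo "rejected"
    rm -rf "$dir"
}

demo
```

The subject extraction needs an X.509 parser (here openssl), which is the capability reason 3 notes some drivers lack.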

            People

              andreas.nilsson Andreas Nilsson
              bernie@mongodb.com Bernie Hackett