SERVER-10322 (Core Server)

The mongo shell should require a username when using MONGODB-X509 for authentication.

Details

    • Type: Bug
    • Resolution: Done
    • Priority: Minor - P4
    • Fix Version/s: 2.5.2
    • Affects Version/s: 2.5.1
    • Component/s: Security, Shell
    • Operating System: ALL

    Description

      In the 2.5.1 shell a username is not required to do X509 auth:

      $ ./mongo --ssl --sslPEMKeyFile jstests/libs/client.pem 
      MongoDB shell version: 2.5.1
      connecting to: test
      > use $external
      switched to db $external
      > db.auth({mechanism: 'MONGODB-X509'})
      1

      A username should be required for a number of reasons:

      1. It's a sanity check that the user is using the correct x.509 cert.
      2. Not requiring the username is inconsistent with all other authentication methods, including GSSAPI which also doesn't technically require a username.
      3. Not requiring the username will be inconsistent with drivers that have no good way to decode the cert and derive the username.
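
A client-side form of the sanity check in reason 1, as an added example (not mongo shell, driver, or server code). It assumes the certificate's subject is already available as an RFC 2253 string; `parseDn`, `checkX509AuthParams` and the sample subject are hypothetical or constructed for illustration.

```javascript
// Added example. parseDn and checkX509AuthParams are hypothetical helpers,
// not mongo shell or driver APIs. SAMPLE_SUBJECT is a constructed value.
const SAMPLE_SUBJECT = "CN=client,OU=Example Unit,O=Example Org,C=US";

// Split an RFC 2253 DN string into RDNs, honouring backslash-escaped commas.
// Attribute types are upper-cased and leading spaces dropped so that
// "cn=client, ou=..." compares equal to "CN=client,OU=...".
// Multi-valued RDNs ("+") are compared as written.
function parseDn(dn) {
  const rdns = [];
  let cur = "";
  for (let i = 0; i < dn.length; i++) {
    const ch = dn[i];
    if (ch === "\\" && i + 1 < dn.length) {
      cur += ch + dn[++i]; // keep the escape pair intact
    } else if (ch === ",") {
      rdns.push(cur);
      cur = "";
    } else {
      cur += ch;
    }
  }
  rdns.push(cur);
  return rdns.map((rdn) => {
    const eq = rdn.indexOf("=");
    if (eq < 1) throw new Error("malformed RDN: " + rdn);
    return rdn.slice(0, eq).trim().toUpperCase() + "=" + rdn.slice(eq + 1);
  });
}

// Returns { ok, user | reason }. On success, `user` is the certificate's own
// subject string, so the name sent to the server is exactly what the cert says.
function checkX509AuthParams(params, certSubject) {
  if (params.mechanism !== "MONGODB-X509") return { ok: true, user: params.user };
  if (typeof params.user !== "string" || params.user.trim() === "") {
    return { ok: false, reason: "username required for MONGODB-X509" };
  }
  let got;
  try {
    got = parseDn(params.user).join(",");
  } catch (e) {
    return { ok: false, reason: e.message };
  }
  if (got !== parseDn(certSubject).join(",")) {
    return { ok: false, reason: "username does not match certificate subject" };
  }
  return { ok: true, user: certSubject };
}
```

The first rejection case is the call shown in the description, `{mechanism: 'MONGODB-X509'}` with no `user`.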

          People

            andreas.nilsson Andreas Nilsson
            bernie@mongodb.com Bernie Hackett