- Type: Bug
- Resolution: Done
- Priority: Major - P3
- Affects Version/s: 2.7.2, 2.7.3, 2.7.4
- Component/s: Security
The basic SCRAM-SHA-1 support added in 2.7.2 seems to be broken. A SASL conversation can be completed following RFC 5802 (the v field value returned from the server matches the server signature calculated on the client), but the server returns {done: false} and any subsequent operations fail authorization.
Example user:
> db.system.users.findOne()
{
	"_id" : "admin.admin",
	"user" : "admin",
	"db" : "admin",
	"credentials" : {
		"SCRAM-SHA-1" : {
			"iterationCount" : 10000,
			"salt" : "3L2ChDOtpFE3t7dbOwAPdQ==",
			"storedKey" : "wnUNZ+Wl/B+k1+RBNfb4hihgapo=",
			"serverKey" : "3Q5qYn40wXktIB2M3SkK+czdXNg="
		},
		"MONGODB-CR" : "e4e538f5dcb52537cad02bbf8491693c"
	},
	"roles" : [
		{
			"role" : "root",
			"db" : "admin"
		}
	]
}
> 
Example authentication attempt with debug output:
>>> c.admin.authenticate('admin', 'pass', mechanism='SCRAM-SHA-1')
C: SON([('saslStart', 1), ('mechanism', 'SCRAM-SHA-1'), ('payload', Binary(b'n,,n=admin,r=NzcyOTU5MDIwNDAyNTc3NA==', 0)), ('autoAuthorize', 1)])
S: {'done': False, 'payload': b'r=NzcyOTU5MDIwNDAyNTc3NA==YIFOULW05uMS80e5sLcUAbWVhJZtAZ5E,s=3L2ChDOtpFE3t7dbOwAPdQ==,i=10000', 'conversationId': 1, 'ok': 1.0}
server provided salt: b'3L2ChDOtpFE3t7dbOwAPdQ=='
client generated storedKey: b'wnUNZ+Wl/B+k1+RBNfb4hihgapo='
client generated serverKey: b'3Q5qYn40wXktIB2M3SkK+czdXNg='
client generated v: b'ss94QBaOXP1cQGYhgjuyDDMipO8='
C: SON([('saslContinue', 1), ('conversationId', 1), ('payload', Binary(b'c=biws,r=NzcyOTU5MDIwNDAyNTc3NA==YIFOULW05uMS80e5sLcUAbWVhJZtAZ5E,p=yyZMbWaB2Yo7HBqFlr+9I6N+ho0=', 0))])
S: {'done': False, 'payload': b'v=ss94QBaOXP1cQGYhgjuyDDMipO8=', 'conversationId': 1, 'ok': 1.0}
Server binaries were built with the enterprise modules. Mongod started like so:
mongod --dbpath ~/data/db --auth --setParameter authenticationMechanisms=SCRAM-SHA-1,MONGODB-CR
- is depended on by
    - SERVER-7596 Support SCRAM-SHA-1 SASL Mechanism - Closed
    - DRIVERS-166 Implement the SCRAM-SHA-1 SASL Mechanism - Closed
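Added example, not part of the original report and not MongoDB or driver code: the server-side RFC 5802 checks (client proof against storedKey, server signature from serverKey) applied to a captured conversation such as the one in this report. The names `verify_exchange` and `_attrs` are chosen for this example; the inputs under `__main__` are copied from the user document and debug transcript above.

```python
import base64, hashlib, hmac

def _attrs(msg):
    # SCRAM messages are comma-separated "k=value" attributes (RFC 5802).
    return dict(part.split("=", 1) for part in msg.split(","))

def verify_exchange(stored_key_b64, server_key_b64, client_first, server_first, client_final):
    """Server-side RFC 5802 checks over one captured conversation.

    Returns (proof_ok, server_signature_b64). proof_ok is False when the nonce
    was not echoed correctly or the client proof does not match storedKey.
    """
    stored_key = base64.b64decode(stored_key_b64)
    server_key = base64.b64decode(server_key_b64)
    # Strip the GS2 header ("n,,") to get client-first-message-bare.
    client_first_bare = client_first.split(",", 2)[2]
    without_proof, _, proof_b64 = client_final.rpartition(",p=")
    auth_message = ",".join((client_first_bare, server_first, without_proof)).encode()

    # The combined nonce must extend the client's nonce and be echoed unchanged.
    client_nonce = _attrs(client_first_bare)["r"]
    combined = _attrs(server_first)["r"]
    nonce_ok = combined.startswith(client_nonce) and _attrs(without_proof)["r"] == combined

    # ClientKey = ClientProof XOR HMAC(StoredKey, AuthMessage);
    # SHA-1(ClientKey) must equal StoredKey.
    client_sig = hmac.new(stored_key, auth_message, hashlib.sha1).digest()
    proof = base64.b64decode(proof_b64)
    client_key = bytes(a ^ b for a, b in zip(proof, client_sig))
    proof_ok = (nonce_ok and len(proof) == len(client_sig)
                and hmac.compare_digest(hashlib.sha1(client_key).digest(), stored_key))

    # ServerSignature = HMAC(ServerKey, AuthMessage); the server sends it as v=.
    server_sig = hmac.new(server_key, auth_message, hashlib.sha1).digest()
    return proof_ok, base64.b64encode(server_sig).decode()

if __name__ == "__main__":
    # Values copied from the report above (user document and debug transcript).
    ok, v = verify_exchange(
        "wnUNZ+Wl/B+k1+RBNfb4hihgapo=", "3Q5qYn40wXktIB2M3SkK+czdXNg=",
        "n,,n=admin,r=NzcyOTU5MDIwNDAyNTc3NA==",
        "r=NzcyOTU5MDIwNDAyNTc3NA==YIFOULW05uMS80e5sLcUAbWVhJZtAZ5E,s=3L2ChDOtpFE3t7dbOwAPdQ==,i=10000",
        "c=biws,r=NzcyOTU5MDIwNDAyNTc3NA==YIFOULW05uMS80e5sLcUAbWVhJZtAZ5E,p=yyZMbWaB2Yo7HBqFlr+9I6N+ho0=")
    print("client proof valid:", ok)
    print("computed v matches server's v:", v == "ss94QBaOXP1cQGYhgjuyDDMipO8=")
```

Both checks work only from the stored credential document and the three SASL payloads, so they can be run against a capture without knowing the password.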